By: Augusto Remillano II and Jakub Urbanec
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.
This attack comes just a few weeks after we last reported on Mirai activity, when it had targeted various routers. Several exploits used in the previous attack have also been used by this variant.
Our initial findings on the new variant came from one of our honeypots dedicated to looking for attacks related to the internet of things (IoT). It showed that this malware used different means of spreading, and also revealed its use of three XOR keys to encrypt data. Decrypting the malware’s strings with those XOR keys revealed one of the first indicators that the malware is a Mirai variant. The decrypted string can be seen in Figure 1.
Figure 1. Decrypted string showing Mirai connection
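As an added example that is not part of the original write-up, the following Python sketches the string-recovery step described above: XOR decoding against a set of candidate keys, a printable-text check to tell a real decoding from noise, and a single-byte brute force (optionally anchored on an expected substring) as a fallback when the keys are not yet known. The blobs, keys and plaintexts in it are constructed for the example; the three keys used by the actual sample are not given in the write-up.

```python
# Added example (not code from the Trend Micro write-up): recovering
# XOR-encoded strings from a Mirai-family sample. All sample data below is
# constructed for illustration.
import string

# Bytes accepted as "looks like text": printable ASCII incl. space/newline/tab.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call encodes and decodes; single-byte and multi-byte keys both work."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def decode_with_keys(blob: bytes, keys, min_ratio: float = 1.0) -> dict:
    """Try each known candidate key and keep decodings that are at least
    min_ratio printable. Returns {key: decoded_text}."""
    hits = {}
    for key in keys:
        plain = xor_bytes(blob, key)
        if printable_ratio(plain) >= min_ratio:
            hits[key] = plain.decode("ascii", errors="replace")
    return hits


def brute_force_single_byte(blob: bytes, crib: bytes = b"") -> list:
    """Try all 256 single-byte keys. The original Mirai source XORs each byte
    with the four bytes of a 32-bit key in turn, which collapses to a single
    byte, so this is a sensible first pass on an unknown sample. If a crib
    (an expected substring such as b"busybox") is given, only decodings that
    contain it are kept. Returns (key, plaintext) pairs, best ratio first."""
    scored = []
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        if crib and crib not in plain:
            continue
        scored.append((printable_ratio(plain), k, plain))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(k, plain) for _, k, plain in scored]


# --- Constructed sample data (stands in for strings carved from a binary) ---
SAMPLE_KEYS = [b"\x22", b"\x54", b"\x13\x37"]                 # constructed keys
SAMPLE_PLAINTEXTS = [b"/bin/busybox", b"/proc/self/exe", b"applet not found"]
SAMPLE_BLOBS = [xor_bytes(p, k) for p, k in zip(SAMPLE_PLAINTEXTS, SAMPLE_KEYS)]


def recover_all(blobs, known_keys) -> list:
    """Analyst workflow: for each blob, first try the keys already recovered
    from the sample's decoding routine, then fall back to a single-byte brute
    force anchored on a crib. Returns one decoded string (or None) per blob."""
    out = []
    for blob in blobs:
        hits = decode_with_keys(blob, known_keys)
        if hits:
            out.append(next(iter(hits.values())))
            continue
        guesses = brute_force_single_byte(blob, crib=b"/")
        out.append(guesses[0][1].decode("ascii", errors="replace") if guesses else None)
    return out


if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, recover_all(SAMPLE_BLOBS, SAMPLE_KEYS)):
        print(blob.hex(), "->", text)
```

The printable-ratio threshold is deliberately strict (1.0 by default) because Mirai-style configuration strings are short paths, credentials and HTTP fragments; lowering it admits partial decodings that can then be confirmed with a crib such as a known path prefix.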
We also found the different URLs used by this variant. The first URL on the list below worked as the command-and-control (C&C) link, while the rest served as download and dropper links. In the download and dropper links, of note is the use of hopTo, a free dynamic DNS (Domain Name System) provider.
Looking into the new variant’s code revealed more details about how it spreads, specifically the 13 different exploits it uses. The first three exploits, shown in Figure 2, are the scanners for specific vulnerabilities found in the web development framework ThinkPHP and certain Huawei and Linksys routers. The scanners for the remaining 10 vulnerabilities used in this attack, shown in Figure 3, can be found inside exploit_worker().
We found that aside from spreading through these vulnerabilities, this Mirai variant also has brute-force capabilities using several common credentials listed in the Indicators of Compromise (IoCs) section below.
As previously mentioned, this variant is the first Mirai variant to have used all 13 exploits in a single campaign. These exploits take advantage of flaws found in routers, surveillance products, and other devices. However, this is not the first time we’re seeing the 13 used by cybercriminals. All 13 exploits are listed in Table 1 along with other attacks these exploits have been used in.
| No. | Exploit | Vulnerability and affected devices | Relevant attacks |
|---|---|---|---|
| 1 | Vacron NVR CVE | A remote code execution (RCE) vulnerability for Vacron network video recorder (NVR) devices | Omni |
| 2 | CVE-2018-10561, CVE-2018-10562 | Authentication bypass and command injection vulnerabilities, respectively, for the Dasan gigabit passive optical network (GPON) routers | Omni, Mirai-like scanning |
| 3 | CVE-2015-2051 | Home Network Administration Protocol (HNAP) SOAPAction-header command execution vulnerability that works on certain D-Link devices | Omni, Hakai |
| 4 | CCTV-DVR RCE | RCE vulnerabilities for multiple CCTV-DVR vendors | Omni, Yowai |
| 5 | CVE-2014-8361 | Universal Plug and Play (UPnP) Simple Object Access Protocol (SOAP) command execution vulnerability affecting different devices using the Realtek software development kit (SDK) with the miniigd daemon | Omni |
| 6 | UPnP SOAP TelnetD command execution | UPnP SOAP command execution exploiting vulnerabilities in D-Link devices | Omni |
| 7 | Eir WAN side remote command injection | Wide area network (WAN) side remote command injection for Eir D1000 wireless routers | Omni |
| 8 | Netgear Setup.cgi RCE | RCE targeting Netgear DGN1000 devices | Omni |
| 9 | CVE-2016-6277 | Vulnerability that can allow the execution of remote arbitrary commands in Netgear R7000 and R6400 devices | Omni, VPNFilter infection |
| 10 | MVPower DVR shell command execution | Unauthenticated RCE vulnerability in MVPower digital video recorders (DVRs) | Omni |
| 11 | CVE-2017-17215 | Arbitrary command execution vulnerability in Huawei HG532 routers | Omni, Satori, Miori |
| 12 | Linksys RCE | RCE vulnerability in Linksys E-series routers | TheMoon |
| 13 | ThinkPHP 5.0.23/5.1.31 RCE | RCE for the open-source web development framework ThinkPHP 5.0.23/5.1.31 | Hakai, Yowai |
Table 1. List of used exploits and other relevant attacks
Of these exploits, 11 had already been used together in 2018 by the Mirai variant Omni, according to a report by Unit 42. The only two exploits that were not part of that previous Mirai campaign but were used by this new variant were the Linksys and ThinkPHP RCEs. These two exploits, however, were used in a more recent attack, which also included four others on the list: the CVE-2018-10561, CVE-2014-8361, UPnP SOAP TelnetD command execution, and CVE-2017-17215 exploits.
We also reported on the use of the CVE-2015-2051 and CCTV-DVR RCE exploits by the Gafgyt variant Hakai and the Mirai variant Yowai, respectively, and detailed how both malware variants also used the ThinkPHP RCE exploit.
The attacker behind this new variant could have simply copied the code from other attacks, and with it the exploits these previous cases had used. Also, the choice of exploits used by the attacker could’ve been based on the knowledge that many of the affected devices are widely used, and that many users have yet to implement the released patches for the exploited vulnerabilities.
We can only speculate about the motivation behind this campaign.
However, users can already take preventive measures against the spread and success of Mirai variants. These steps include implementing the right patches and updates that will defend against the exploits used by such malware. Users should also take special care in choosing which products to connect to their networks, and consider manufacturers’ security stances and consistency in releasing updates.
Trend Micro Smart Home Network provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.
Trend Micro Smart Home Network protects customers from the aforementioned exploits through these rules:
Related SHA-256 hash detected as Backdoor.Linux.MIRAI.VWIPT:
Related malicious URLs:
| URL | Description |
|---|---|
| hxxp://32[.]235[.]102[.]123:1337 | C&C |
| hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7 | Download link and droppers |
| hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips | Download link and droppers |
| hxxp://ililililililililil[.]hopto[.]org/love.sh | Download link and droppers |
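As an added example that is not part of the original write-up, the following Python takes the defanged URLs from the table above, refangs them into parseable form, pulls out the host, port and path, flags hosts under a free dynamic DNS zone (the write-up notes the droppers sit on hopTo), and emits a de-duplicated host list for a DNS sinkhole or egress rule plus a re-defanged report line per IoC. The URL values come from the IoC table on this page; the extra dynamic DNS zones beyond hopto.org are an assumption added for illustration.

```python
# Added example (not code from the write-up): normalising the defanged IoC
# URLs into a host blocklist and flagging dynamic-DNS hosting.
import re
from urllib.parse import urlsplit

# (URL, description) pairs taken from the write-up's IoC table, kept defanged
# exactly as published.
IOC_URLS = [
    ("hxxp://32[.]235[.]102[.]123:1337", "C&C"),
    ("hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7", "Download link and droppers"),
    ("hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips", "Download link and droppers"),
    ("hxxp://ililililililililil[.]hopto[.]org/love.sh", "Download link and droppers"),
]

# Free dynamic-DNS zones. hopto.org is the one seen in this campaign; the
# other No-IP free zones are an assumption added here for illustration.
DYNAMIC_DNS_ZONES = {"hopto.org", "ddns.net", "no-ip.org", "zapto.org"}

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Turn the publishing-safe form (hxxp, [.], [:]) back into a real URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def defang(value: str) -> str:
    """Inverse of refang, for writing hosts or URLs back into a report."""
    return (value.replace("https://", "hxxps://")
                 .replace("http://", "hxxp://")
                 .replace(".", "[.]"))


def classify(ioc: str) -> dict:
    """Parse one defanged URL into host, effective port, path and flags."""
    parts = urlsplit(refang(ioc))
    host = parts.hostname or ""
    is_ip = bool(_IPV4.fullmatch(host))
    # Registrable zone approximated as the last two labels; enough for the
    # dynamic-DNS providers listed above.
    zone = None if is_ip else ".".join(host.split(".")[-2:])
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "host": host,
        "port": port,
        "path": parts.path,
        "is_ip": is_ip,
        "dynamic_dns": zone in DYNAMIC_DNS_ZONES,
    }


def build_blocklist(iocs) -> list:
    """Unique hosts, sorted, suitable for a DNS sinkhole or firewall rule."""
    return sorted({classify(url)["host"] for url, _ in iocs})


def report(iocs) -> list:
    """One defanged line per IoC so the output is safe to paste into a report."""
    lines = []
    for url, description in iocs:
        c = classify(url)
        flag = " [dynamic DNS]" if c["dynamic_dns"] else ""
        lines.append(f"{defang(c['host'])}:{c['port']} {description}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(IOC_URLS)))
    print("blocklist:", build_blocklist(IOC_URLS))
```

Blocking the dynamic DNS host rather than the IP it currently resolves to is the durable choice here: the operator can re-point a hopTo name at will, which is exactly why such providers are attractive for dropper hosting.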
Used credentials:
The post New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices appeared first on .