Unit 42 research analysts at Palo Alto Networks have identified a new strain of the Mirai botnet which targets 22 security issues in various devices including DVRs, WiFi dongles, routers, thermal monitoring systems, solar power systems, and access control systems.

The malware has been discovered in two recent campaigns, which started back in March and target devices from manufacturers such as D-Link, Arris, TP-Link, Netgear, and MediaTek.

The full Unit 42 report can be read here.

Attack overview

The attack begins with exploiting the 22 vulnerabilities mentioned above, which paves the way for executing a shell script downloaded from an external server.

This script downloads the appropriate botnet client that matches the architecture of the compromised device as shown below:

  • http://185.225.74[.]251/armv4l
  • http://185.225.74[.]251/armv5l
  • http://185.225.74[.]251/armv6l
  • http://185.225.74[.]251/armv7l
  • http://185.225.74[.]251/mips
  • http://185.225.74[.]251/mipsel
  • http://185.225.74[.]251/sh4
  • http://185.225.74[.]251/x86_64
  • http://185.225.74[.]251/i686
  • http://185.225.74[.]251/i586
  • http://185.225.74[.]251/arc
  • http://185.225.74[.]251/m68k
  • http://185.225.74[.]251/sparc
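The download URLs above are published in defanged form (the `[.]` notation), so they cannot be pasted straight into a log search. The following added example, which is not part of the original post or the Unit 42 report, refangs that list, indexes it by host and path, and runs it over a few constructed proxy log lines to report which architecture-specific client each internal host fetched. Any request to the listed host whose path is not in the list is still flagged, since the host itself is the indicator. The log format and client addresses are constructed for the example.

```python
"""Match proxy log lines against the defanged Mirai download URLs.

Added example: not code from the original post or from Unit 42.
The sample log lines further down are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# IoC list as published (defanged with "[.]").
DEFANGED_IOCS = [
    "http://185.225.74[.]251/armv4l",
    "http://185.225.74[.]251/armv5l",
    "http://185.225.74[.]251/armv6l",
    "http://185.225.74[.]251/armv7l",
    "http://185.225.74[.]251/mips",
    "http://185.225.74[.]251/mipsel",
    "http://185.225.74[.]251/sh4",
    "http://185.225.74[.]251/x86_64",
    "http://185.225.74[.]251/i686",
    "http://185.225.74[.]251/i586",
    "http://185.225.74[.]251/arc",
    "http://185.225.74[.]251/m68k",
    "http://185.225.74[.]251/sparc",
]

# Matches a URL token inside a log line (stops at whitespace or quotes).
URL_RE = re.compile(r"https?://[^\s\"']+")


def refang(ioc: str) -> str:
    """Turn the defanged '[.]' and 'hxxp' notation back into a real URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_index(defanged):
    """Map (hostname, path) -> architecture label (the last path segment)."""
    index = {}
    for ioc in defanged:
        u = urlparse(refang(ioc))
        index[(u.hostname, u.path)] = u.path.rsplit("/", 1)[-1]
    return index


def scan_log(lines, index):
    """Return (line_number, client_ip, label) for every line that hits the index.

    label is the architecture for a known path, or 'unknown-path' for any other
    request to a listed host. client_ip is the third whitespace field in the
    constructed squid-style format used below.
    """
    hosts = {host for host, _ in index}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        client = fields[2] if len(fields) > 2 else "?"
        for m in URL_RE.finditer(line):
            u = urlparse(m.group(0))
            if u.hostname not in hosts:
                continue
            hits.append((n, client, index.get((u.hostname, u.path), "unknown-path")))
    return hits


# Constructed squid-style access log lines; 10.0.0.x and 192.0.2.10 are placeholders.
SAMPLE_LOG = [
    "1680000000.123 45 10.0.0.7 TCP_MISS/200 61440 GET http://185.225.74.251/mips - HIER_DIRECT/185.225.74.251 application/octet-stream",
    "1680000001.456 12 10.0.0.9 TCP_MISS/200 2048 GET http://intranet.example/index.html - HIER_DIRECT/192.0.2.10 text/html",
    "1680000002.789 30 10.0.0.7 TCP_MISS/404 300 GET http://185.225.74.251/sparc - HIER_DIRECT/185.225.74.251 text/html",
    "1680000003.001 20 10.0.0.12 TCP_MISS/200 512 GET http://185.225.74.251/update.sh - HIER_DIRECT/185.225.74.251 text/plain",
]

if __name__ == "__main__":
    for line_no, client, label in scan_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"line {line_no}: {client} fetched {label} from the listed host")
```

Matching on the parsed hostname and path rather than on a raw substring avoids misses when the log writes the URL with a port, a query string, or different casing in the scheme. A host seen pulling several different architecture binaries in quick succession is worth a closer look, since the downloader script fetches the one that matches the device, not all of them.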

After the client executes, the shell script downloader deletes the client’s file to hide traces of the infection and to reduce the likelihood of detection.
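Deleting the binary after launch removes it from disk but not from the kernel's view of the process: on Linux, `/proc/<pid>/exe` still points at the original path with a ` (deleted)` suffix. The following added example, written for this page and not taken from the report, turns that into a simple host check. `classify` is a pure function over (pid, link target) pairs so it can be tested on the constructed sample; `read_proc_exe_links` feeds it the live values from `/proc`. The sample paths are invented for illustration.

```python
"""Flag running processes whose executable was unlinked after they started.

Added example for this page, not code from the original post or from Unit 42.
Linux-only: relies on the ' (deleted)' suffix the kernel appends to
/proc/<pid>/exe once the backing file is removed.
"""
import os

DELETED_SUFFIX = " (deleted)"


def is_deleted_exe(link_target: str) -> bool:
    """True when /proc/<pid>/exe resolves to a path the kernel marks as deleted."""
    return link_target.endswith(DELETED_SUFFIX)


def classify(entries):
    """entries: iterable of (pid, exe_link_target).

    Returns [(pid, original_path), ...] for processes running from a
    binary that no longer exists on disk.
    """
    flagged = []
    for pid, target in entries:
        if is_deleted_exe(target):
            flagged.append((pid, target[: -len(DELETED_SUFFIX)]))
    return flagged


def read_proc_exe_links(proc_root="/proc"):
    """Collect (pid, readlink(/proc/<pid>/exe)) for every readable process."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            out.append((int(name), os.readlink(f"{proc_root}/{name}/exe")))
        except OSError:
            # Kernel threads, zombies, or processes we lack privilege to inspect.
            continue
    return out


# Constructed sample of link targets on a device where a downloader removed
# the client binaries it had just started. Paths are placeholders.
SAMPLE_ENTRIES = [
    (1, "/sbin/init"),
    (231, "/usr/sbin/dropbear"),
    (4012, "/tmp/mips" + DELETED_SUFFIX),
    (4013, "/var/run/.x/armv7l" + DELETED_SUFFIX),
]

if __name__ == "__main__":
    for pid, path in classify(read_proc_exe_links()):
        print(f"pid {pid}: running from deleted binary {path}")
```

This check produces expected hits after a package upgrade replaces a long-running daemon's binary, so treat a hit as a trigger for a closer look (parent process, listening sockets, binary in a world-writable directory such as `/tmp`) rather than as a verdict on its own.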

The malware contains a function that ensures only one instance of the malware runs on a device. If a botnet process already exists, the botnet client terminates the currently running process and starts a new one.

Unlike earlier variants of Mirai, this one cannot automatically brute-force SSH, so a device must be compromised through manual exploitation.

What is/was Mirai?

Back in February, I posted a piece all about Mirai: its history, its development, and the damage it has caused over the years. Please take a look if you want to know more about Mirai.