Mirai-based DDoS Attackers Aggressively Adopted New Router Exploits

In September 2023, FortiGuard Labs’ vigilant team uncovered a significant development in the IZ1H9 Mirai-based DDoS campaign. 

This campaign, known for its aggressive tactics, had strengthened its arsenal with a formidable array of thirteen exploits, potentially endangering Linux-based systems across various organizations.

The IZ1H9 campaign threatens a wide range of users across any organization that utilizes Linux-based systems. 

Its potential impact is critical, as remote attackers can gain full control of vulnerable systems, effectively turning them into bots under the attacker’s command.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Exploitation Surge

During the team’s observation, it became evident that the IZ1H9 campaign reached its zenith of exploitation on September 6, 2023. 

Trigger counts surged into the thousands, and even tens of thousands, showcasing the campaign’s alarming ability to infiltrate susceptible devices. 

This rapid propagation was achieved by utilizing freshly released exploit code, covering numerous Common Vulnerabilities and Exposures (CVEs).

Exploit Payloads

The campaign’s array of exploit payloads is diverse, targeting various vulnerabilities. 

Notably, four payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, zero in on D-Link vulnerabilities, enabling remote attackers to execute commands via crafted requests.

Additionally, CVE-2019-19356 targets Netis WF2419, exploiting a Remote Code Execution (RCE) vulnerability through the tracert diagnostic tool due to insufficient user input sanitization.

Exploits discovered in 2021 also play a pivotal role in this campaign, affecting products such as Sunhillo SureLine, Geutebruck IP cameras, and Yealink Device Management.

Further vulnerabilities in Zyxel devices, TP-Link Archer, Korenix JetWave, and TOTOLINK routers are leveraged to expand the campaign’s reach.

Shell Script Downloader

The injected payload aims to download a shell script named “l.sh” from a specific URL. 

Once executed, this script conceals its actions by deleting logs and subsequently downloading and executing various bot clients tailored for different Linux architectures. 

It concludes by obstructing network connections on multiple ports by modifying the device’s iptables rules.

Malware Analysis – IZ1H9

IZ1H9, classified as a Mirai variant, specializes in infecting Linux-based networked devices, particularly IoT devices. 

It transforms them into remote-controlled bots, ready for large-scale network attacks. The XOR key used for configuration decoding is revealed as 0xBAADF00D.

Victims initiate communication with a C2 server, and upon receiving commands, compromised devices parse the packet to determine the DDoS attack method, target host, and packet count before launching an attack.

C2 communication

This campaign underscores the persistent risk posed by vulnerable IoT devices and Linux servers to remote code execution attacks. 

Despite the availability of patches, the number of exploit triggers remains alarmingly high, exposing systems to potential threats.

The IZ1H9 Campaign’s rapid adaptation to new vulnerabilities is a cause for concern. Once attackers gain control of a vulnerable device, they can integrate it into their botnet, amplifying their capacity for attacks, including DDoS and brute-force attacks.

DDoS attacking methods

Organizations are urged to promptly apply patches and change default login credentials for devices to mitigate this threat effectively.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Sujatha

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago