Mirai-based DDoS Attackers Aggressively Adopted New Router Exploits

In September 2023, FortiGuard Labs’ vigilant team uncovered a significant development in the IZ1H9 Mirai-based DDoS campaign. 

This campaign, known for its aggressive tactics, had strengthened its arsenal with a formidable array of thirteen exploits, potentially endangering Linux-based systems across various organizations.

The IZ1H9 campaign threatens a wide range of users across any organization that utilizes Linux-based systems. 

Its potential impact is critical, as remote attackers can gain full control of vulnerable systems, effectively turning them into bots under the attacker’s command.

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Free Demo

Exploitation Surge

During the team’s observation, it became evident that the IZ1H9 campaign reached its zenith of exploitation on September 6, 2023. 

Trigger counts surged into the thousands, and even tens of thousands, showcasing the campaign’s alarming ability to infiltrate susceptible devices. 

This rapid propagation was achieved by utilizing freshly released exploit code, covering numerous Common Vulnerabilities and Exposures (CVEs).

Exploit Payloads

The campaign’s array of exploit payloads is diverse, targeting various vulnerabilities. 

Notably, four payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, zero in on D-Link vulnerabilities, enabling remote attackers to execute commands via crafted requests.

Additionally, CVE-2019-19356 targets Netis WF2419, exploiting a Remote Code Execution (RCE) vulnerability through the tracert diagnostic tool due to insufficient user input sanitization.

Exploits discovered in 2021 also play a pivotal role in this campaign, affecting products such as Sunhillo SureLine, Geutebruck IP cameras, and Yealink Device Management.

Further vulnerabilities in Zyxel devices, TP-Link Archer, Korenix JetWave, and TOTOLINK routers are leveraged to expand the campaign’s reach.

Shell Script Downloader

The injected payload aims to download a shell script named “l.sh” from a specific URL. 

Once executed, this script conceals its actions by deleting logs and subsequently downloading and executing various bot clients tailored for different Linux architectures. 

It concludes by obstructing network connections on multiple ports by modifying the device’s iptables rules.

Malware Analysis – IZ1H9

IZ1H9, classified as a Mirai variant, specializes in infecting Linux-based networked devices, particularly IoT devices. 

It transforms them into remote-controlled bots, ready for large-scale network attacks. The XOR key used for configuration decoding is revealed as 0xBAADF00D.

Victims initiate communication with a C2 server, and upon receiving commands, compromised devices parse the packet to determine the DDoS attack method, target host, and packet count before launching an attack.

This campaign underscores the persistent risk posed by vulnerable IoT devices and Linux servers to remote code execution attacks. 

Despite the availability of patches, the number of exploit triggers remains alarmingly high, exposing systems to potential threats.

The IZ1H9 Campaign’s rapid adaptation to new vulnerabilities is a cause for concern. Once attackers gain control of a vulnerable device, they can integrate it into their botnet, amplifying their capacity for attacks, including DDoS and brute-force attacks.

Organizations are urged to promptly apply patches and change default login credentials for devices to mitigate this threat effectively.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.