Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.
Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.
In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration
The Mirai botnet was used in some of the largest and most disruptive distributed
Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.
Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.
Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.
Infection distributed via other connected device by
Miori & Mirai
Researchers
Later they download the malware variant from the command and control
RCE downloads and executes Miori malware
After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.
In order to receive the command from
According to
Username/Password | Notable strings |
1001chin adm admin123 admintelecom aquario default e8ehome e8telnet GM8182 gpon oh root support taZz@23495859 telecomadmin telnetadmin tsgoingon ttnet vizxv zte | /bin/busybox kill -9 /bin/busybox MIORI (infection verification) /bin/busybox ps (kills parameters) /dev/FTWDT101\ watchdog /dev/FTWDT101_watchdog /dev/misc/watchdog /dev/watchdog /dev/watchdog0 /etc/default/watchdog /exe /maps /proc/ /proc/net/route /proc/net/tcp /sbin/watchdog /status account enable enter incorrect login lolistresser[.]com (C&C server) MIORI: applet not found (infection verification) password shell system TSource Engine Query username your device just got infected to a bootnoot |
Related Miori credentials and strings
“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.