Saturday, December 9, 2023

Now Mirai Malware Attack as Miori delivered via Delivered via Remote Code Execution Exploit

Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration

The Mirai botnet was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, Dalton Norman, 21, are the Mirai Botnet Creators who pleaded guilty in District Court of Alaska for Computer fraud and abuse act.

Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices.

Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.

Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.

Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.

Infection distributed via other connected device by reset the default credentials via telnet also researcher learned that it affected one of the linux machine to perfrom DDOS attack.

Miori & Mirai

Researchers explains that Miori is just a branch of plant and the cyber criminals used Thinkpad RCE to make vulnerable machines.

Later they download the malware variant from the command and control server hxxp://144[.]202[.]49[.]126/php.

RCE downloads and executes Miori malware

After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.

In order to receive the command from C&C server it also listens on port 42352 (TCP/UDP) .

According to Trendmicro, We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Username/PasswordNotable strings
/bin/busybox kill -9
/bin/busybox MIORI (infection verification)
/bin/busybox ps (kills parameters)
/dev/FTWDT101\ watchdog
lolistresser[.]com (C&C server)
MIORI: applet not found (infection verification)
TSource Engine Query
your device just got infected to a bootnoot

Related Miori credentials and strings

Close look revealed that two URLs used by two other variants of Mirai: IZ1H9 and APEP. and both are using same string deobfuscation technique as Mirai and Miori.

“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles