Friday, November 8, 2024
HomeBotnetNow Mirai Malware Attack as Miori delivered via Delivered via Remote Code...

Now Mirai Malware Attack as Miori delivered via Delivered via Remote Code Execution Exploit

Published on

Malware protection

Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration

- Advertisement - SIEM as a Service

The Mirai botnet was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, Dalton Norman, 21, are the Mirai Botnet Creators who pleaded guilty in District Court of Alaska for Computer fraud and abuse act.

Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices.

Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.

Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.

Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.

Infection distributed via other connected device by reset the default credentials via telnet also researcher learned that it affected one of the linux machine to perfrom DDOS attack.

Miori & Mirai

Researchers explains that Miori is just a branch of plant and the cyber criminals used Thinkpad RCE to make vulnerable machines.

Later they download the malware variant from the command and control server hxxp://144[.]202[.]49[.]126/php.

RCE downloads and executes Miori malware

After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.

In order to receive the command from C&C server it also listens on port 42352 (TCP/UDP) .

According to Trendmicro, We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Username/PasswordNotable strings
1001chin
adm
admin123
admintelecom
aquario
default
e8ehome
e8telnet
GM8182
gpon
oh
root
support
taZz@23495859
telecomadmin
telnetadmin
tsgoingon
ttnet
vizxv
zte
/bin/busybox kill -9
/bin/busybox MIORI (infection verification)
/bin/busybox ps (kills parameters)
/dev/FTWDT101\ watchdog
/dev/FTWDT101_watchdog
/dev/misc/watchdog
/dev/watchdog
/dev/watchdog0
/etc/default/watchdog
/exe
/maps
/proc/
/proc/net/route
/proc/net/tcp
/sbin/watchdog
/status
account
enable
enter
incorrect
login
lolistresser[.]com (C&C server)
MIORI: applet not found (infection verification)
password
shell
system
TSource Engine Query
username
your device just got infected to a bootnoot

Related Miori credentials and strings

Close look revealed that two URLs used by two other variants of Mirai: IZ1H9 and APEP. and both are using same string deobfuscation technique as Mirai and Miori.

“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...