Tuesday, March 19, 2024

Now Mirai Malware Attack as Miori delivered via Delivered via Remote Code Execution Exploit

Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration

The Mirai botnet was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, Dalton Norman, 21, are the Mirai Botnet Creators who pleaded guilty in District Court of Alaska for Computer fraud and abuse act.

Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices.

Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.

Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.

Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.

Infection distributed via other connected device by reset the default credentials via telnet also researcher learned that it affected one of the linux machine to perfrom DDOS attack.

Miori & Mirai

Researchers explains that Miori is just a branch of plant and the cyber criminals used Thinkpad RCE to make vulnerable machines.

Later they download the malware variant from the command and control server hxxp://144[.]202[.]49[.]126/php.

RCE downloads and executes Miori malware

After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.

In order to receive the command from C&C server it also listens on port 42352 (TCP/UDP) .

According to Trendmicro, We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Username/PasswordNotable strings
1001chin
adm
admin123
admintelecom
aquario
default
e8ehome
e8telnet
GM8182
gpon
oh
root
support
taZz@23495859
telecomadmin
telnetadmin
tsgoingon
ttnet
vizxv
zte
/bin/busybox kill -9
/bin/busybox MIORI (infection verification)
/bin/busybox ps (kills parameters)
/dev/FTWDT101\ watchdog
/dev/FTWDT101_watchdog
/dev/misc/watchdog
/dev/watchdog
/dev/watchdog0
/etc/default/watchdog
/exe
/maps
/proc/
/proc/net/route
/proc/net/tcp
/sbin/watchdog
/status
account
enable
enter
incorrect
login
lolistresser[.]com (C&C server)
MIORI: applet not found (infection verification)
password
shell
system
TSource Engine Query
username
your device just got infected to a bootnoot

Related Miori credentials and strings

Close look revealed that two URLs used by two other variants of Mirai: IZ1H9 and APEP. and both are using same string deobfuscation technique as Mirai and Miori.

“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

In recent years, personal data security has surged in importance due to digital device...

Discontinued WordPress Plugin Flaw Exposes Websites to Cyber Attacks

A critical vulnerability was discovered in two plugins developed by miniOrange.The affected plugins,...

ShadowSyndicate Hackers Exploiting Aiohttp Vulnerability To Access Sensitive Data

A new Aiohttp vulnerability has been discovered, which the threat actor ShadowSyndicate exploits.Aiohttp...

Hackers Launching AI-Powered Cyber Attacks to Steal Billions

INTERPOL's latest assessment on global financial fraud uncovers the sophisticated evolution of cybercrime, fueled...

Fujitsu Hacked – Attackers Infected The Company Computers with Malware

Fujitsu Limited announced the discovery of malware on several of its operational computers, raising...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles