Now Mirai Malware Attack as Miori delivered via Delivered via Remote Code Execution Exploit

Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration

The Mirai botnet was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, Dalton Norman, 21, are the Mirai Botnet Creators who pleaded guilty in District Court of Alaska for Computer fraud and abuse act.

Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices.

Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.

Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.

Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.

Infection distributed via other connected device by reset the default credentials via telnet also researcher learned that it affected one of the linux machine to perfrom DDOS attack.

Miori & Mirai

Researchers explains that Miori is just a branch of plant and the cyber criminals used Thinkpad RCE to make vulnerable machines.

Later they download the malware variant from the command and control server hxxp://144[.]202[.]49[.]126/php.

RCE downloads and executes Miori malware

After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.

In order to receive the command from C&C server it also listens on port 42352 (TCP/UDP) .

According to Trendmicro, We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Username/PasswordNotable strings
1001chin
adm
admin123
admintelecom
aquario
default
e8ehome
e8telnet
GM8182
gpon
oh
root
support
taZz@23495859
telecomadmin
telnetadmin
tsgoingon
ttnet
vizxv
zte
/bin/busybox kill -9
/bin/busybox MIORI (infection verification)
/bin/busybox ps (kills parameters)
/dev/FTWDT101\ watchdog
/dev/FTWDT101_watchdog
/dev/misc/watchdog
/dev/watchdog
/dev/watchdog0
/etc/default/watchdog
/exe
/maps
/proc/
/proc/net/route
/proc/net/tcp
/sbin/watchdog
/status
account
enable
enter
incorrect
login
lolistresser[.]com (C&C server)
MIORI: applet not found (infection verification)
password
shell
system
TSource Engine Query
username
your device just got infected to a bootnoot

Related Miori credentials and strings

Close look revealed that two URLs used by two other variants of Mirai: IZ1H9 and APEP. and both are using same string deobfuscation technique as Mirai and Miori.

“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

3 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

3 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

6 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

9 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

10 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

11 hours ago