Now Mirai Malware Attack as Miori delivered via Delivered via Remote Code Execution Exploit

Most Destructive IoT malware Mirai now being delivered as Miori and its spreading via dangerous remote code execution exploits.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

In order to run the malware on cross-platform, it must be able to run on different architectures without any runtime surprises or misconfiguration

The Mirai botnet was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, Dalton Norman, 21, are the Mirai Botnet Creators who pleaded guilty in District Court of Alaska for Computer fraud and abuse act.

Similarly Miori taking advantage of Internet connected device and compromise it by exploiting various vulnerabilities and also it constantly evolving to target the smart devices.

Miori now spreading via Remote code execution vulnerability in
the PHP framework called ThinkPHP and the exploit for this vulnerability is completely new that affected ThinkPHP versions prior to 5.0.23 and 5.1.31.

Also researcher conforms that the infection rate is keep increasing related to ThinkPHP RCE around smart devices.

Apart from this, several Mirai malware various are being distributed by exploiting the same ThinkPHP RCE vulnerability.

Infection distributed via other connected device by reset the default credentials via telnet also researcher learned that it affected one of the linux machine to perfrom DDOS attack.

Miori & Mirai

Researchers explains that Miori is just a branch of plant and the cyber criminals used Thinkpad RCE to make vulnerable machines.

Later they download the malware variant from the command and control server hxxp://144[.]202[.]49[.]126/php.

RCE downloads and executes Miori malware

After the malware execution process, it will generate a console that starts the Telnet to brute force other IP addresses.

In order to receive the command from C&C server it also listens on port 42352 (TCP/UDP) .

According to Trendmicro, We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Username/Password

Notable strings

1001chin adm admin123 admintelecom aquario default e8ehome e8telnet GM8182 gpon oh root support taZz@23495859 telecomadmin telnetadmin tsgoingon ttnet vizxv zte

/bin/busybox kill -9 /bin/busybox MIORI (infection verification) /bin/busybox ps (kills parameters) /dev/FTWDT101\ watchdog /dev/FTWDT101_watchdog /dev/misc/watchdog /dev/watchdog /dev/watchdog0 /etc/default/watchdog /exe /maps /proc/ /proc/net/route /proc/net/tcp /sbin/watchdog /status account enable enter incorrect login lolistresser[.]com (C&C server) MIORI: applet not found (infection verification) password shell system TSource Engine Query username your device just got infected to a bootnoot

Related Miori credentials and strings

Close look revealed that two URLs used by two other variants of Mirai: IZ1H9 and APEP. and both are using same string deobfuscation technique as Mirai and Miori.

“It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks.”Trend Micro said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.