Cybercriminals launching a new variant of Mirai Malware by taking advantage of the recently patched remote code execution vulnerability (CVE-2020-9054) in Zyxel network-attached storage (NAS) devices.
The vulnerability marked as “critical” with 9.8 CVE rate, and the bug lets Mukashi botnet to brute forces the logins using different combinations of default credentials.
Zyxel NAS Devices that running firmware versions up to 5.21 are vulnerable to exploit by this new variant of Mirai Malware.
.png
)
The vulnerability was initially discovered as a Zero-day, and the exploit code was under sale by a group of hackers who have attempted to exploit with Emotet malware.
“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote ‘ to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.”
Researchers uncovered this vulnerability on March 12, 2020, when the attacker attempted to download a shell script to the tmp directory, execute the downloaded script also they tried to remove the evidence from the vulnerable device.
Mukashi is also capable of launching the DDOS attack on the infected machine by receiving the command from the C2 server.
Mukashi Operation
Attackers scanning the TCP port 23 of random hosts in the targeted network using Mukashi bot to brute forces the logins using default credentials and report back to successful login attempt to the C2 Server.
After the successful execution, malware prints the message “Protecting your device from further infections.” to the console, and it binds to the TCP port 23448 to ensure the single instance is running before proceeding the intended operation.
Mukashi uses the default credentials as t0talc0ntr0l4! and taZz@23495859 to brute force the network devices and these credentials decoded before scanning phase.
According to the Palo Alto networks research ” Mirai’s and its variants’ DDoS attack mechanics (e.g UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities. “
Mukashi supports the Following C2 commands.
| PING | scanner | .udpplain | .tcp |
| killallbots | .udp | .udpbypass | .tcpbypass |
| killer | .udprand | .udphex | .http |
Researchers highly recommmaned to download The latest version of the firmware and set the complex password to prevent brute forcing.
Also Read: Most Dangerous IoT Malware Mirai Now Using C&C Server in the Tor Network For Anonymity
IoCs
File (Sha256)
8c0c4d8d727bff5e03f6b2aae125d3e3607948d9dff578b18be0add2fff3411c (arm.bot)
5f918c2b5316c52cbb564269b116ce63935691ee6debe06ce1693ad29dbb5740 (arm5.bot)
8fa54788885679e4677296fca4fe4e949ca85783a057750c658543645fb8682f (arm6.bot)
90392af3fdc7af968cc6d054fc1a99c5156de5b1834d6432076c40d548283c22 (arm7.bot)
675f4af00520905e31ff96ecef2d4dc77166481f584da89a39a798ea18ae2144 (mips.bot)
46228151b547c905de9772211ce559592498e0c8894379f14adb1ef6c44f8933 (mpsl.bot)
753914aa3549e52af2627992731ca18e702f652391c161483f532173daeb0bbd (sh4.bot)
ce793ddec5410c5104d0ea23809a40dd222473e3d984a1e531e735aebf46c9dc (x86.bot)
a059e47b4c76b6bbd70ca4db6b454fd9aa19e5a0487c8032fe54fa707b0f926d (zi)
 in Zyxel network-attached storage (NAS)){kind=link}