Monday, July 15, 2024
EHA

New Mirai Malware “Mukashi” Exploit Vulnerable Zyxel Network Storage Devices in Wide

Cybercriminals launching a new variant of Mirai Malware by taking advantage of the recently patched remote code execution vulnerability (CVE-2020-9054) in Zyxel network-attached storage (NAS) devices.

The vulnerability marked as “critical” with 9.8 CVE rate, and the bug lets Mukashi botnet to brute forces the logins using different combinations of default credentials.

Zyxel NAS Devices that running firmware versions up to 5.21 are vulnerable to exploit by this new variant of Mirai Malware.

The vulnerability was initially discovered as a Zero-day, and the exploit code was under sale by a group of hackers who have attempted to exploit with Emotet malware.

“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.”

Researchers uncovered this vulnerability on March 12, 2020, when the attacker attempted to download a shell script to the tmp directory, execute the downloaded script also they tried to remove the evidence from the vulnerable device.

Mukashi is also capable of launching the DDOS attack on the infected machine by receiving the command from the C2 server.

Mukashi Operation

Attackers scanning the TCP port 23 of random hosts in the targeted network using Mukashi bot to brute forces the logins using default credentials and report back to successful login attempt to the C2 Server.

After the successful execution, malware prints the message “Protecting your device from further infections.” to the console, and it binds to the TCP port 23448 to ensure the single instance is running before proceeding the intended operation.

Mukashi uses the default credentials as t0talc0ntr0l4! and taZz@23495859 to brute force the network devices and these credentials decoded before scanning phase.

Brute forcing

According to the Palo Alto networks research ” Mirai’s and its variants’ DDoS attack mechanics (e.g UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities. “

Mukashi supports the Following C2 commands.

PINGscanner.udpplain.tcp
killallbots.udp.udpbypass.tcpbypass
killer.udprand.udphex.http

Researchers highly recommmaned to download The latest version of the firmware and set the complex password to prevent brute forcing.

Also Read: Most Dangerous IoT Malware Mirai Now Using C&C Server in the Tor Network For Anonymity

IoCs

File (Sha256)

8c0c4d8d727bff5e03f6b2aae125d3e3607948d9dff578b18be0add2fff3411c (arm.bot)
5f918c2b5316c52cbb564269b116ce63935691ee6debe06ce1693ad29dbb5740 (arm5.bot)
8fa54788885679e4677296fca4fe4e949ca85783a057750c658543645fb8682f (arm6.bot)
90392af3fdc7af968cc6d054fc1a99c5156de5b1834d6432076c40d548283c22 (arm7.bot)
675f4af00520905e31ff96ecef2d4dc77166481f584da89a39a798ea18ae2144 (mips.bot)
46228151b547c905de9772211ce559592498e0c8894379f14adb1ef6c44f8933 (mpsl.bot)
753914aa3549e52af2627992731ca18e702f652391c161483f532173daeb0bbd (sh4.bot)
ce793ddec5410c5104d0ea23809a40dd222473e3d984a1e531e735aebf46c9dc (x86.bot)
a059e47b4c76b6bbd70ca4db6b454fd9aa19e5a0487c8032fe54fa707b0f926d (zi)

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles