Friday, February 14, 2025
HomeMalwareNew Mirai Malware "Mukashi" Exploit Vulnerable Zyxel Network Storage Devices in Wide

New Mirai Malware “Mukashi” Exploit Vulnerable Zyxel Network Storage Devices in Wide

Published on

SIEM as a Service

Follow Us on Google News

Cybercriminals launching a new variant of Mirai Malware by taking advantage of the recently patched remote code execution vulnerability (CVE-2020-9054) in Zyxel network-attached storage (NAS) devices.

The vulnerability marked as “critical” with 9.8 CVE rate, and the bug lets Mukashi botnet to brute forces the logins using different combinations of default credentials.

Zyxel NAS Devices that running firmware versions up to 5.21 are vulnerable to exploit by this new variant of Mirai Malware.

The vulnerability was initially discovered as a Zero-day, and the exploit code was under sale by a group of hackers who have attempted to exploit with Emotet malware.

“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.”

Researchers uncovered this vulnerability on March 12, 2020, when the attacker attempted to download a shell script to the tmp directory, execute the downloaded script also they tried to remove the evidence from the vulnerable device.

Mukashi is also capable of launching the DDOS attack on the infected machine by receiving the command from the C2 server.

Mukashi Operation

Attackers scanning the TCP port 23 of random hosts in the targeted network using Mukashi bot to brute forces the logins using default credentials and report back to successful login attempt to the C2 Server.

After the successful execution, malware prints the message “Protecting your device from further infections.” to the console, and it binds to the TCP port 23448 to ensure the single instance is running before proceeding the intended operation.

Mukashi uses the default credentials as t0talc0ntr0l4! and taZz@23495859 to brute force the network devices and these credentials decoded before scanning phase.

Brute forcing

According to the Palo Alto networks research ” Mirai’s and its variants’ DDoS attack mechanics (e.g UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities. “

Mukashi supports the Following C2 commands.

PINGscanner.udpplain.tcp
killallbots.udp.udpbypass.tcpbypass
killer.udprand.udphex.http

Researchers highly recommmaned to download The latest version of the firmware and set the complex password to prevent brute forcing.

Also Read: Most Dangerous IoT Malware Mirai Now Using C&C Server in the Tor Network For Anonymity

IoCs

File (Sha256)

8c0c4d8d727bff5e03f6b2aae125d3e3607948d9dff578b18be0add2fff3411c (arm.bot)
5f918c2b5316c52cbb564269b116ce63935691ee6debe06ce1693ad29dbb5740 (arm5.bot)
8fa54788885679e4677296fca4fe4e949ca85783a057750c658543645fb8682f (arm6.bot)
90392af3fdc7af968cc6d054fc1a99c5156de5b1834d6432076c40d548283c22 (arm7.bot)
675f4af00520905e31ff96ecef2d4dc77166481f584da89a39a798ea18ae2144 (mips.bot)
46228151b547c905de9772211ce559592498e0c8894379f14adb1ef6c44f8933 (mpsl.bot)
753914aa3549e52af2627992731ca18e702f652391c161483f532173daeb0bbd (sh4.bot)
ce793ddec5410c5104d0ea23809a40dd222473e3d984a1e531e735aebf46c9dc (x86.bot)
a059e47b4c76b6bbd70ca4db6b454fd9aa19e5a0487c8032fe54fa707b0f926d (zi)

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...