Categories: Malware

New Mirai Malware “Mukashi” Exploit Vulnerable Zyxel Network Storage Devices in Wide

Cybercriminals launching a new variant of Mirai Malware by taking advantage of the recently patched remote code execution vulnerability (CVE-2020-9054) in Zyxel network-attached storage (NAS) devices.

The vulnerability marked as “critical” with 9.8 CVE rate, and the bug lets Mukashi botnet to brute forces the logins using different combinations of default credentials.

Zyxel NAS Devices that running firmware versions up to 5.21 are vulnerable to exploit by this new variant of Mirai Malware.

The vulnerability was initially discovered as a Zero-day, and the exploit code was under sale by a group of hackers who have attempted to exploit with Emotet malware.

“The executable weblogin.cgi doesn’t properly sanitize the username parameter during authentication. The attacker can use a single quote to close the string and a semicolon ; to concat arbitrary commands to achieve command injection. Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.”

Researchers uncovered this vulnerability on March 12, 2020, when the attacker attempted to download a shell script to the tmp directory, execute the downloaded script also they tried to remove the evidence from the vulnerable device.

Mukashi is also capable of launching the DDOS attack on the infected machine by receiving the command from the C2 server.

Mukashi Operation

Attackers scanning the TCP port 23 of random hosts in the targeted network using Mukashi bot to brute forces the logins using default credentials and report back to successful login attempt to the C2 Server.

After the successful execution, malware prints the message “Protecting your device from further infections.” to the console, and it binds to the TCP port 23448 to ensure the single instance is running before proceeding the intended operation.

Mukashi uses the default credentials as t0talc0ntr0l4! and taZz@23495859 to brute force the network devices and these credentials decoded before scanning phase.

Brute forcing

According to the Palo Alto networks research ” Mirai’s and its variants’ DDoS attack mechanics (e.g UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities. “

Mukashi supports the Following C2 commands.

PINGscanner.udpplain.tcp
killallbots.udp.udpbypass.tcpbypass
killer.udprand.udphex.http

Researchers highly recommmaned to download The latest version of the firmware and set the complex password to prevent brute forcing.

Also Read: Most Dangerous IoT Malware Mirai Now Using C&C Server in the Tor Network For Anonymity

IoCs

File (Sha256)

8c0c4d8d727bff5e03f6b2aae125d3e3607948d9dff578b18be0add2fff3411c (arm.bot)
5f918c2b5316c52cbb564269b116ce63935691ee6debe06ce1693ad29dbb5740 (arm5.bot)
8fa54788885679e4677296fca4fe4e949ca85783a057750c658543645fb8682f (arm6.bot)
90392af3fdc7af968cc6d054fc1a99c5156de5b1834d6432076c40d548283c22 (arm7.bot)
675f4af00520905e31ff96ecef2d4dc77166481f584da89a39a798ea18ae2144 (mips.bot)
46228151b547c905de9772211ce559592498e0c8894379f14adb1ef6c44f8933 (mpsl.bot)
753914aa3549e52af2627992731ca18e702f652391c161483f532173daeb0bbd (sh4.bot)
ce793ddec5410c5104d0ea23809a40dd222473e3d984a1e531e735aebf46c9dc (x86.bot)
a059e47b4c76b6bbd70ca4db6b454fd9aa19e5a0487c8032fe54fa707b0f926d (zi)

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at a…

7 hours ago

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to deploy…

7 hours ago

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid ongoing…

7 hours ago

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology platform…

8 hours ago

Tsunami Malware Surge: Blending Miners and Credential Stealers in Active Attacks

Security researchers have recently discovered a sophisticated malware operation called the "Tsunami-Framework" that combines credential…

8 hours ago

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape where…

8 hours ago