Saturday, October 5, 2024
HomeCyber Security NewsNew Variant of Mirai Malware Using 13 Different Exploits to Hack...

New Variant of Mirai Malware Using 13 Different Exploits to Hack Routers Including D-Link, Linksys, GPON, Netgear, Huawei

Published on

Researchers discovered a new wave of Mirai Variant that used 13 different exploits to attack various router models and other network devices.

These exploits are associated with this new Mirai variant capable of launching backdoor and distributed denial-of-service (DDoS) attacks.

Mirai malware has strong records of infecting poorly managing IoT devices and performing DDOS attacks on various platforms.

- Advertisement - EHA

Mirai targets several different routers including D-Link, Linksys, GPON, Netgear, Huawei and other network devices such as ThinkPHP, multiple CCTV-DVR vendors, UPnP, MVPower digital video recorders, and Vacron network video recorder.

This is the first time to have used all 13 exploits together in a single campaign including some of the exploits that used in the previous attack.

Initially, the new variant of Mirai found in the honeypot system that deployed by Trend Micro and it looking for the IoT devices to exploit several vulnerabilities that include remote code execution (RCE), authentication bypass and command injection.

According to Trend Micro ” It showed that this malware used different means of spreading, and also revealed its use of three XOR keys to encrypt data. Decrypting the malware’s strings using XOR revealed one of the first relevant indicators of the malware’s being a Mirai variant.”

Mirai variant Exploits

Researchers found different URL’s that is associated with Mirai variant including the command-and-control (C&C) link and download and dropper links.

New Mirai variant code reveals more information about infection process, especially, first 3 exploits scanning the specific vulnerabilities in ThinkPHP, certain Huawei, Linksys routers and also a scanner for other 10 vulnerabilities used in this attack.

It also performs a Brute force attack using capabilities using several common credentials.

Mirai Variant associated exploits taking advantage of the different vulnerabilities that found in the routers, surveillance products, and other devices

ExploitVulnerability and affected devicesRelevant attacks
1Vacron NVR CVEA remote code execution (RCE) vulnerability for Vacron network video recorder (NVR) devicesOmni
2CVE-2018-10561, CVE-2018-10562Authentication bypass and command injection vulnerabilities, respectively, for the Dasan gigabit passive optical network (GPON) routersOmni
Mirai-like scanning
3CVE-2015-2051Home Network Administration Protocol (HNAP) SOAPAction-header command execution vulnerability that works on certain D-Link devicesOmni
Hakai
4CCTV-DVR RCERCE vulnerabilities for multiple CCTV-DVR vendorsOmni
Yowai
5CVE-2014-8361Universal Plug and Play (UPnP) Simple Object Access Protocol (SOAP) command execution vulnerability affecting different devices using Realtek software development kit (SDK) with the miniigd daemonOmni
6UPnP SOAP TelnetD command executionUPnP SOAP command execution exploiting vulnerabilities in D-Link devicesOmni
7Eir WAN side remote command injectionWide area network (WAN) side remote command injection for Eir D1000 wireless routersOmni
8Netgear Setup.cgi RCERCE targeting Netgear DGN1000 devicesOmni
9CVE-2016-6277Vulnerability that can allow the execution of remote arbitrary commands in Netgear R7000 and R6400 devicesOmni
VPNFilter infection
10MVPower DVR shell command executionUnauthenticated RCE vulnerability in MVPower digital video recorders (DVRs)Omni
11CVE-2017-17215Arbitrary command execution vulnerability in Huawei HG532 routersOmni
Satori
Miori
12Linksys RCERCE vulnerability in Linksys E-series routersTheMoon
13ThinkPHP 5.0.23/5.1.31 RCERCE for open-source web development framework ThinkPHP 5.0.23/5.1.31Hakai
Yowai

Among all 13 vulnerabilities, 11 had been already used in the previous Mirai variant campaign in 2018 and other 2 exploits are completely new that can be used against Linksys and ThinkPHP RCEs.

The attacker behind this new variant could have simply copied the code from other attacks, and with it the exploits these previous cases had used.

Users are recommended to change the default credentials in the router to prevent the credential based attacks.

Indicators of Compromise (IoCs)

Related SHA-256 hash detected as Backdoor.Linux.MIRAI.VWIPT:

c15382bc81e1bff4cf03d769275b7c4d2d586a21e81ad4138464d808e3bb464c 

Related malicious URLs:

C&C : hxxp://32[.]235[.]102[.]123:1337

Download Link and Droppers

hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7
hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips
hxxp://ililililililililil[.]hopto[.]org/love.sh

Used credentials:

12345
666666
888888
20080826
/ADMIN/
1q2w3e4r5
3ep5w2u
admintelecom
anko
cisco
default
e8ehome
e8telnet
guest
hi3518
hi3518
hunt5759
IPCam@sw
ipcam_rt5350
juantech
juantech
jvbzd
jvbzd
klv123
klv1234
klv1234
password
qwerty
QwestM0dem
service
service
smcadmin
supervisor
support
svgodie
system
telecomadmin
ubnt
xc3511
xmhdipc
xmhdpic
zsun1188
Zte521

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...