IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs

FortiGuard Labs observed the IZ1H9 Mirai-based campaign expand with 13 exploit payloads targeting numerous router, camera, and device vendors to achieve remote code execution and grow its botnet. The campaign uses shell-script downloaders (e.g., l.sh), XOR-obfuscated configs, and C2 check-ins to deploy Mirai variants and launch DDoS attacks. #IZ1H9 #Mirai

Keypoints

  • IZ1H9 is a Mirai-derived campaign that added 13 exploit payloads in September 2023 to target many IoT and network devices (D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix, TOTOLINK, etc.).
  • Exploit activity peaked on September 6 with IPS trigger counts in the thousands to tens of thousands, indicating rapid infection and botnet growth.
  • Payloads exploit multiple CVEs to achieve command injection or RCE (e.g., CVE-2015-1187, CVE-2019-19356, CVE-2021-36380, CVE-2023-1389, and several TOTOLINK CVEs).
  • Exploits inject a downloader that fetches a shell script (l.sh) from hxxp://194[.]180[.]48[.]100, which deletes logs, downloads architecture-specific bot clients, and modifies iptables to obstruct connections.
  • IZ1H9 samples include XOR-obfuscated configuration and credential blocks (keys 0xBAADF00D and 0x54) revealing additional downloader URLs (hxxp://2[.]56[.]59[.]215/i.sh, hxxp://212[.]192[.]241[.]72/lolol.sh) and preset brute-force credentials.
  • C2 communication: infected devices check in using parameter “l.expl” to 194[.]180[.]48[.]101:5034, receive keep-alives (“x00x00”), and parse structured commands defining DDoS method, target, and packet counts.

MITRE Techniques

  • [T1210] Exploit Public-Facing Application – Used to deliver remote command injection/RCE against multiple vendor CVEs (e.g., D-Link CVE-2015-1187) (‘allow remote attackers to deliver command injection via a crafted request’).
  • [T1105] Ingress Tool Transfer – Downloader behavior: fetches and executes shell script downloaders like ‘l.sh’ from hxxp://194[.]180[.]48[.]100 to retrieve bot clients (‘get a shell script downloader “l.sh” from hxxp://194[.]180[.]48[.]100’).
  • [T1071] Application Layer Protocol – C2 check-in and command exchange occurs over TCP to 194[.]180[.]48[.]101:5034 using parameter ‘l.expl’ and keep-alive ‘x00x00’ (‘victims first send a check-in message with the parameter “l.expl” to the C2 server “194[.]180[.]48[.]101:5034,” and it responds with a keep-alive message “x00x00”’).
  • [T1110] Brute Force – Bot includes a data section with pre-set login credentials used for brute-force attempts (‘includes a data section with pre-set login credentials for brute-force attacks’).
  • [T1027] Obfuscated Files or Information – Configuration and credential strings are XOR-encoded (e.g., XOR keys 0xBAADF00D and 0x54) to hide URLs and credentials (‘The XOR key to decode configuration is 0xBAADF00D’, ‘XOR decoding key is 0x54’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Shell script alters iptables rules to obstruct network connections and hide activity (‘the shell script downloader obstructs network connections on multiple ports. This is achieved by altering the device’s iptables rules’).
  • [T1498] Network Denial of Service – Compromised devices parse C2 commands and launch various DDoS methods (e.g., TCP SYN floods) specifying target and packet counts (‘TCP SYN Attack’ and packet counts like ‘5000 packets’).

Indicators of Compromise

  • [URL/IP] shell script downloaders & C2 – 194[.]180[.]48[.]100 (l.sh downloader), 194[.]180[.]48[.]101:5034 (C2 check-in)
  • [URL/IP] additional downloader hosts – 2[.]56[.]59[.]215 (i.sh), 212[.]192[.]241[.]72 (lolol.sh)
  • [File name / path] exploited endpoints or payloads – /cgi-bin/login.cgi (payload injection ‘key’ parameter), tracert diagnostic parameter ‘tools_ip_url’ (Netis RCE)
  • [File hashes] malware binaries – c8cf29e5…8f63, 1e15d7cd…4c0d (and 9 more hashes listed in the report)

The IZ1H9 campaign chains public-facing application exploits to achieve remote code execution across many IoT vendors (D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix, TOTOLINK). Exploit payloads inject parameters (for example, Netis WF2419 uses the tracert “tools_ip_url” parameter and D-Link payloads perform command injection) to place a small shell-script downloader on the device.

Once running, the downloader (commonly named l.sh) deletes logs, downloads and executes architecture-specific Mirai/Mirai-variant binaries from hardcoded URLs (e.g., hxxp://194[.]180[.]48[.]100, hxxp://2[.]56[.]59[.]215/i.sh, hxxp://212[.]192[.]241[.]72/lolol.sh), and modifies iptables to obstruct network connections. The malware uses XOR-obfuscated configuration and credentials (keys 0xBAADF00D for config and 0x54 for login data) to conceal additional download URLs and brute-force login lists; these decoded sections reveal preset credentials and more hosts.
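As an added analyst-side example (not code from the FortiGuard report or from the campaign itself), here is a small decoder for recovering download URLs and brute-force credentials from XOR-obfuscated blocks using the two keys named above. It assumes the Mirai-style scheme in which each byte is XORed with each of the four bytes of the 0xBAADF00D key in turn for the config block, a plain single-byte XOR for the 0x54 credential block, and a NUL-separated user/password layout; the sample blobs are constructed, not taken from a real sample.

```python
import re

CONFIG_KEY = 0xBAADF00D   # key the report gives for the configuration block
CRED_KEY = 0x54           # key the report gives for the credential block

def key_bytes(key):
    """Split a 32-bit key into its four bytes, low byte first."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]

def mirai_xor(data, key):
    """Mirai-style obfuscation (assumed here): every byte is XORed with each of
    the four key bytes in turn. XOR is symmetric, so one routine encodes and decodes."""
    out = bytearray(data)
    for i in range(len(out)):
        for k in key_bytes(key):
            out[i] ^= k
    return bytes(out)

def single_xor(data, key):
    """Plain one-byte XOR, as assumed for the 0x54 credential block."""
    return bytes(b ^ key for b in data)

def decode_config_block(blob):
    """Decode one config entry and strip its NUL padding."""
    return mirai_xor(blob, CONFIG_KEY).rstrip(b"\x00").decode("ascii", errors="replace")

def decode_credentials(blob):
    """Decode a credential block assumed to hold NUL-separated user, password pairs."""
    plain = single_xor(blob, CRED_KEY)
    fields = [f.decode("ascii", errors="replace") for f in plain.split(b"\x00") if f]
    return list(zip(fields[0::2], fields[1::2]))

URL_RE = re.compile(r"https?://[^\s\x00]+")

def extract_urls(text):
    """Pull downloader URLs out of decoded config text so they can be blocked or hunted for."""
    return URL_RE.findall(text)

# Constructed sample blobs, encoded here with the same routines (not from a real sample).
SAMPLE_CONFIG = mirai_xor(b"http://downloader.example/i.sh\x00\x00", CONFIG_KEY)
SAMPLE_CREDS = single_xor(b"root\x00default\x00admin\x00admin1234\x00", CRED_KEY)

if __name__ == "__main__":
    cfg = decode_config_block(SAMPLE_CONFIG)
    print("config:", cfg, "| urls:", extract_urls(cfg))
    print("credentials:", decode_credentials(SAMPLE_CREDS))
```

Because the four key bytes are applied in sequence, the config scheme collapses to a single-byte XOR with 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA, which is handy when eyeballing a hex dump.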

Compromised devices perform C2 check-ins using the “l.expl” parameter to 194[.]180[.]48[.]101:5034, receive keep-alives (“x00x00”), and parse structured packets that define DDoS methods (e.g., TCP SYN), target host strings, and packet counts (e.g., “5000” packets). Operators thus scale the botnet for diverse DDoS attacks while also attempting credential-based propagation. Read more: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits