Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal

Zero Day Initiative flagged Mirai expanding its toolkit by incorporating CVE-2023-1389 to target TP-Link Archer AX21 routers, with evidence of active exploitation starting in April after TP-Link’s patch. The malware downloads and executes architecture-specific payloads from its C2 using an unauthenticated command-injection flow and XOR-obfuscated strings to evade detection. #CVE-2023-1389 #Mirai #TP-Link #ArcherAX21 #ZDI #Pwn2Own #TeamViettel #QriousSecurity

Keypoints

  • ZDI threat-hunting observed Mirai adding CVE-2023-1389 to its arsenal against TP-Link Archer AX21 routers.
  • The vulnerability is an unauthenticated command injection in the locale API, exploitable via the write operation on the country form using merge_config_by_country and popen, with no input sanitization.
  • Exploitation occurred on LAN and WAN interfaces, including a WAN-side race condition; TP-Link released a patch on March 17, and exploitation was observed in the wild after patch deployment.
  • Mirai downloads and executes architecture-specific binary payloads from its C2 via HTTP requests after exploiting CVE-2023-1389.
  • The payloads are installed using a brute-force method to find the appropriate binary for the target architecture, after which the host connects to Mirai C2.
  • XOR-based obfuscation (0x00 and 0x22) is used to conceal strings, including User-Agent and server headers, complicating detection.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – A race condition in iptables handling within the TP-Link's WAN-side processing briefly exposes this functionality on the WAN side. “Starting on April 11th, we began seeing notifications… threat actor had started to publicly exploit this vulnerability.”
  • [T1059.004] Unix Shell – The vulnerable code builds a command string from the country field and executes it via the popen function; because the field is never sanitized, an attacker achieves command injection at this point. “This function will call merge_config_by_country that concatenates the specified country field into a command string. This command string will be executed using the popen function. There is no sanitization…”
  • [T1105] Ingress Tool Transfer – The binary payloads are downloaded and then executed via C2 to support platform-specific architectures. “The binary payloads are downloaded and then executed…”
  • [T1071.001] Web Protocols – Mirai C2 communications over HTTP to download and execute payloads. “The attackers utilize CVE-2023-1389 to make an HTTP request to the Mirai command and control (C2) servers to download and execute a series of binary payloads.”
  • [T1027] Obfuscated/Compressed Information – Strings are encrypted with 0x00 and 0x22 as XOR keys, revealing configuration details when decrypted. “threat actors are encrypting strings using 0x00 and 0x22 as XOR keys…”
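The XOR string obfuscation noted under T1027 (and in the keypoints), as an added analyst tool that is not from the ZDI post: it XOR-decodes a blob with each reported key (0x00 and 0x22) and reports printable runs, which is how hidden User-Agent and Server headers can be pulled out of a sample. The SAMPLE blob and its header values are constructed for this example, not taken from real Mirai binaries.

```python
# Added example (not from the ZDI post): recover XOR-obfuscated strings from a
# binary blob using the single-byte keys the report names, 0x00 (plaintext)
# and 0x22. The SAMPLE blob below is constructed for this example, not a real
# Mirai sample; the header values in it are hypothetical.

XOR_KEYS = (0x00, 0x22)   # keys reported in the analysis
MIN_LEN = 8               # minimum run length; shorter runs are mostly noise
PRINTABLE = set(range(0x20, 0x7F))


def xor_strings(blob: bytes, keys=XOR_KEYS, min_len=MIN_LEN):
    """Return (key, offset, text) for each run of at least min_len printable
    bytes found after XOR-decoding blob with each key, in key order."""
    found = []
    for key in keys:
        run, start = bytearray(), 0
        for i, b in enumerate(blob):
            d = b ^ key
            if d in PRINTABLE:
                if not run:
                    start = i
                run.append(d)
                continue
            if len(run) >= min_len:
                found.append((key, start, run.decode("ascii")))
            run = bytearray()
        if len(run) >= min_len:          # flush a run that ends the blob
            found.append((key, start, run.decode("ascii")))
    return found


def obfuscate(text: str, key: int) -> bytes:
    """XOR every byte with key; used only to build the constructed sample."""
    return bytes(c ^ key for c in text.encode("ascii"))


# Constructed sample: one plaintext string, filler bytes, then two strings
# obfuscated with 0x22 and separated by 0xFF (non-printable under both keys;
# a NUL separator would decode to '"' under 0x22 and merge adjacent runs).
SAMPLE = (
    b"/bin/sh -c\x00"
    + bytes([0x8F, 0x91, 0xFE, 0x90])
    + obfuscate("User-Agent: Mozilla/5.0", 0x22) + b"\xff"
    + obfuscate("Server: nginx", 0x22) + b"\xff"
)

if __name__ == "__main__":
    for key, off, text in xor_strings(SAMPLE):
        print(f"key=0x{key:02x} offset={off:#06x} {text!r}")
```

Expect some short false-positive runs on real binaries; raising MIN_LEN or requiring a terminator after each run cuts the noise.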

Indicators of Compromise

  • [Hash] Initial Downloader – 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8 and 1 more hash
  • [Hash] Payloads – b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c and b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
  • [URL] http[://]185[.]225[.]74[.]251/armv4l, http[://]185[.]225[.]74[.]251/armv5l, and 11 more URLs
  • [Domain] zvub[.]us
  • [IP Address] 185[.]225[.]74[.]251

Read more: https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal