
IoT Devices Targeted by V3G4 Mirai


Threat actors are seen leveraging a Mirai botnet variant called V3G4 in several campaigns targeting 13 unpatched vulnerabilities found in a range of IoT devices to propagate. A successful exploit could lead to remote code execution.

Mirai is a well-known threat, known for evolving its tactics to bring new classes of devices under its control and to expand its botnet.

Three campaigns from July to December 2022 have been examined. In each of them, upon successful exploitation, the wget and curl utilities were executed automatically to download Mirai client samples from the malware infrastructure, and the downloaded bot clients were then run.


V3G4 inherits its most significant feature from the original Mirai: like the original, it obfuscates all of its embedded credentials with the XOR key 0x37.

The threat actors behind Mirai were most recently observed exploiting a known critical vulnerability, CVE-2022-46169, in the Cacti device monitoring tool. Those attacks aimed to deliver Mirai malware and a Perl-based IRC botnet; successful exploitation resulted in the launch of a host-based reverse shell.

Researchers observed that once a device is compromised by the V3G4 variant, the attackers fully control it and it becomes part of the botnet, from which it can later be used to deliver an array of attacks.

V3G4 then initializes its table of telnet/SSH login credentials in the scanner function before spreading by brute-forcing network devices that use weak username and password combinations.
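The single-byte XOR scheme described above is what an analyst undoes to see which default credentials a sample carries. The following is an added example, not code from the post or from Unit 42: it decodes a Mirai-style credential table with the 0x37 key, and recovers the key by brute force when a variant changes it. The sample table is constructed for the example.

```python
# Added example: decode a Mirai-style credential table obfuscated with a
# single-byte XOR key, and recover the key when a variant changes it.
# Not from the post or the Unit 42 research; the sample data is constructed.

KEY = 0x37  # key reported for V3G4 and the original Mirai


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def decode_credentials(blob: bytes, key: int = KEY):
    """Decode a NUL-separated table of alternating username/password strings
    and return it as (username, password) pairs."""
    plain = xor_bytes(blob, key)
    fields = [f.decode("ascii", errors="replace") for f in plain.split(b"\x00") if f]
    return list(zip(fields[::2], fields[1::2]))


def recover_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and pick the one whose output looks most
    like a NUL-separated ASCII table. NUL separators are weighted heavily so
    that a key which merely flips case (e.g. key ^ 0x20) does not tie."""
    def score(k: int) -> int:
        plain = xor_bytes(blob, k)
        printable = sum(1 for b in plain if 0x20 <= b < 0x7F)
        return 3 * plain.count(0) + printable
    return max(range(256), key=score)


# Constructed sample: a small table of weak default credential pairs laid out
# as user\0pass\0... , obfuscated the way it would sit inside a bot binary.
SAMPLE_PLAIN = b"root\x00root\x00admin\x00admin\x00support\x00support\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(SAMPLE_BLOB))
    for user, password in decode_credentials(SAMPLE_BLOB):
        print(f"{user}:{password}")
```

Running the decoder over a real sample's string table tells a defender which device defaults are on the target list and should be changed or disabled.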

Devices targeted by this campaign and respective vulnerabilities

These vulnerabilities have a lower attack complexity than those used by previously observed botnet variants, but they still carry a critical security impact, enabling remote code execution. Evidence revealed the use of the same hardcoded C2 domains, nearly identical malware shell script downloaders, and the same XOR decryption key in each campaign.


The TTPs used in these campaigns are not new for Mirai, which is well known for tactics that co-opt IoT devices to launch DDoS attacks. A spike in Mirai activity in February 2022 corresponded with the disclosure of Spring4Shell, a zero-day vulnerability in the Java web application framework Spring Core.

Much like the recent campaigns, the previous attacks enabled unauthenticated remote code execution and further expanded the Mirai botnet.

This research was documented by researchers from Palo Alto Unit 42.

Indicators of Compromise

Malware Host

Shell Script Downloader

V3G4 Sample
