Palo Alto Networks has discovered a new variant of the Mirai malware. The variant, named V3G4, exploits multiple vulnerabilities in the firmware of IoT devices to gain remote access. Palo Alto Networks Unit 42 researchers observed V3G4 between July and December 2022; once vulnerable devices are compromised through one of these vulnerabilities, they fall fully under the attackers' control and become part of the botnet.
According to the researchers, the attacker can then use these devices for further attacks, such as distributed denial-of-service (DDoS) attacks. The exploit attempts recorded by Palo Alto Networks used the vulnerabilities to spread V3G4, which targets exposed servers and network devices running Linux.
Variant of the Mirai botnet
Based on the behavior and patterns Unit 42 researchers observed when analyzing the downloaded botnet client samples, they believe the sample is a variant of the Mirai botnet. The researchers have already observed three campaigns using V3G4. Based on their analysis, Palo Alto Networks believes the campaigns were run by the same attacker, for the following reasons:
- The hardcoded command-and-control (C2) domains of these three campaigns contain the same string (8xl9).
- The malware shell script downloaders are nearly identical in all three campaigns.
- The botnet client samples use the same XOR decryption key.
- The botnet client samples use the same "stop list" (a list of target processes that the botnet client looks for and terminates).
- The botnet client samples use almost identical functions.
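Two of these attribution features, the shared XOR key and the recurring "8xl9" string in the C2 domains, can be turned into a triage step. The following is an added example, not code from the article or from Unit 42: it assumes the variant keeps the string-obfuscation scheme of the original Mirai source (table.c XORs each byte with the four bytes of a 32-bit key, which collapses to a single-byte XOR), recovers that key byte from a sample's obfuscated config by brute force using a known marker string, and groups samples by the recovered key. All keys, domains and blobs are constructed for the demonstration and are not real V3G4 artifacts.

```python
"""Recover Mirai-style XOR-obfuscated strings and pivot samples on the key.

Classic Mirai (table.c) stores its config strings XORed byte by byte with the
four bytes of a 32-bit key (0xDEADBEEF in the leaked source). Variants keep the
scheme but swap the key, so a shared key is a useful clustering feature.
Whether V3G4 uses exactly this scheme is an assumption here; the sample data
below is constructed, not taken from real malware.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Key from the public Mirai source; variants substitute their own.
MIRAI_ORIGINAL_KEY = 0xDEADBEEF


def effective_key_byte(key: int) -> int:
    """Mirai XORs each byte with k1, k2, k3 and k4 in turn, which is the same
    as a single XOR with k1 ^ k2 ^ k3 ^ k4."""
    k = key.to_bytes(4, "little")
    return k[0] ^ k[1] ^ k[2] ^ k[3]


def mirai_xor(data: bytes, key: int) -> bytes:
    """Equivalent of toggle_obf() in Mirai's table.c; it is its own inverse."""
    kb = effective_key_byte(key)
    return bytes(b ^ kb for b in data)


def recover_key_byte(blob: bytes, marker: bytes) -> Optional[int]:
    """Brute-force the effective single-byte key. The right candidate yields
    printable ASCII containing a marker the analyst already knows (for example
    a substring seen in one manually decoded sample)."""
    for cand in range(256):
        plain = bytes(b ^ cand for b in blob)
        if marker in plain and all(0x20 <= c < 0x7F for c in plain):
            return cand
    return None


def cluster_by_key(samples: Dict[str, bytes], marker: bytes) -> Dict[int, List[str]]:
    """Group sample names by recovered key byte. Samples whose key cannot be
    recovered with this marker are filed under -1 for manual follow-up."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for name, blob in sorted(samples.items()):
        kb = recover_key_byte(blob, marker)
        groups[-1 if kb is None else kb].append(name)
    return dict(groups)


# --- constructed demonstration data (hypothetical keys, reserved example domains) ---
CAMPAIGN_KEY = 0x1A2B3C4D   # hypothetical key shared by one actor's builds
OTHER_KEY = 0x0BADF00D      # hypothetical key of an unrelated build
MARKER = b"8xl9"            # string the article reports in the C2 domains

SAMPLES = {
    "sample_a": mirai_xor(b"c2-8xl9-a.example.net", CAMPAIGN_KEY),
    "sample_b": mirai_xor(b"c2-8xl9-b.example.net", CAMPAIGN_KEY),
    "sample_c": mirai_xor(b"c2-8xl9-c.example.net", CAMPAIGN_KEY),
    "unrelated": mirai_xor(b"other.example.org", OTHER_KEY),
}

if __name__ == "__main__":
    for key_byte, names in cluster_by_key(SAMPLES, MARKER).items():
        label = "unrecovered" if key_byte < 0 else f"key byte 0x{key_byte:02x}"
        print(f"{label}: {', '.join(names)}")
```

The marker check is what keeps the brute force honest: without it, any candidate byte that happens to produce printable output would pass. In practice the first marker comes from one sample decoded by hand, after which the recovered key and the shared C2 substring can be applied across the rest of the corpus.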
The exploited vulnerabilities include:
- CVE-2012-4869: FreePBX Elastix remote code execution vulnerability
- Gitorious: remote code execution vulnerability
- CVE-2014-9727: Remote code execution vulnerability in FRITZ!Box webcam
- Mitel AWC: Remote code execution vulnerability
- CVE-2017-5173: Remote code execution vulnerability in Geutebruck IP cameras
- CVE-2019-15107: Webmin command injection vulnerability
- Spree Commerce: arbitrary command execution vulnerability
- FLIR thermal imaging cameras: remote code execution vulnerability
- CVE-2020-8515: Remote command execution vulnerability in DrayTek Vigor
- CVE-2020-15415: Remote command injection vulnerability in DrayTek Vigor
- CVE-2022-36267: Remote command execution vulnerability in Airspan Airspot
- CVE-2022-26134: Remote code execution vulnerability in Atlassian Confluence
- CVE-2022-4257: Command injection vulnerability in C-Data web management system
Conclusion
The vulnerabilities listed above are less complex to exploit than those used by previously observed variants, but they still have critical security implications, since each can lead to remote code execution. Once an attacker gains control of a vulnerable device in this way, the newly compromised device can be incorporated into the botnet and used for further attacks such as DDoS. It is therefore highly recommended to install the relevant patches and updates as soon as possible.