Mirai malware variant V3G4 enables remote access to IoT devices via vulnerabilities

Sicherheit (Pexels, allgemeine Nutzung)[German]Palo Alto Networks has discovered a new variant of the Mirai malware. The Mirai variant V3G4 exploits multiple vulnerabilities in the firmware of IoT devices to allow remote access. Palo Alto Networks Unit 42 security researchers observed the Mirai variant, called V3G4, from July to December 2022, and once the vulnerable devices are compromised via multiple vulnerabilities, they become fully controlled by attackers and become part of the botnet.

The security researchers told me that the attacker has the ability to use these devices for further attacks, such as distributed denial-of-service (DDoS) attacks. The exploit attempts recorded by Palo Alto Networks security researchers use the vulnerabilities to spread V3G4, which targets unprotected servers and network devices running Linux.

Variant of the Mirai botnet

Based on the behavior and patterns Unit 42 researchers observed when analyzing the downloaded botnet client samples, they believe the botnet sample is a variant of the Mirai botnet. The researchers already observed three campaigns using the Mirai variant V3G4. Based on their analysis, Palo Alto Networks believes that the campaigns were run by the same attacker for the following reasons:

  • The hardcoded command-and-control (C2) domains of these three campaigns contain the same string (8xl9).
  • The malware shell script downloaders are nearly identical in all three campaigns.
  • The botnet client samples use the same XOR decryption key.
  • The botnet client samples use the same "stop list" (a list of target processes that the botnet client looks for and terminates).
  • The botnet client samples use almost identical functions.

The exploited vulnerabilities include:

Conclusion

The mentioned vulnerabilities are less complex than the previously observed variants, but still have critical security implications that can lead to remote code execution. Once an attacker gains control of a vulnerable device in this way, they could incorporate the newly compromised devices into their botnet to perform further attacks such as DDoS. It is therefore highly recommended to install patches and updates as soon as possible.

This entry was posted in devices, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *