New Variant of Mirai Malware Using 13 Different Exploits to Hack Routers Including D-Link, Linksys, GPON, Netgear, Huawei
Researchers have discovered a new Mirai variant that uses 13 different exploits to attack various router models and other network devices.
This new Mirai variant is capable of opening a backdoor on infected devices and launching distributed denial-of-service (DDoS) attacks.
Mirai has a long record of infecting poorly managed IoT devices and using them to launch DDoS attacks against a wide range of targets.
The variant targets several router families, including D-Link, Linksys, GPON, Netgear and Huawei, as well as other targets such as the ThinkPHP web framework, multiple CCTV-DVR vendors, UPnP implementations, MVPower digital video recorders and Vacron network video recorders.
This is the first time all 13 exploits have been used together in a single campaign, although several of them appeared in earlier attacks.
The new variant was first spotted in a honeypot deployed by Trend Micro, where it was observed scanning for IoT devices and attempting to exploit several classes of vulnerability, including remote code execution (RCE), authentication bypass and command injection.
According to Trend Micro, "It showed that this malware used different means of spreading, and also revealed its use of three XOR keys to encrypt data. Decrypting the malware's strings using XOR revealed one of the first relevant indicators of the malware's being a Mirai variant."
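The string-decryption step Trend Micro describes is the kind of triage an analyst can script. The following Python scan is an added example written for this page (not code from Trend Micro or from the malware): it brute-forces single-byte XOR keys over a blob and reports every key that exposes Mirai-like tokens, which matters because this variant uses more than one key. The token list, the two sample keys and the blob itself are constructed assumptions; the article does not give the variant's actual keys.

```python
import re

# Tokens typical of Mirai-derived binaries (assumption: chosen for
# illustration, not taken from the article or the sample's IoCs).
MIRAI_TOKENS = (b"/bin/busybox", b"enable", b"system", b"shell", b"/proc/", b"telnet")

# Runs of at least four printable ASCII bytes are candidate strings.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_strings(blob: bytes) -> dict[int, list[bytes]]:
    """Try all 256 single-byte keys and keep those that expose a known token.

    Because the variant uses more than one key, every key with a hit is
    reported instead of stopping at the first. Random keys also produce
    printable runs, so the token filter is what makes the output useful.
    """
    hits: dict[int, list[bytes]] = {}
    for key in range(256):
        runs = PRINTABLE_RUN.findall(xor_bytes(blob, key))
        if any(tok in run for run in runs for tok in MIRAI_TOKENS):
            hits[key] = runs
    return hits


def build_sample_blob() -> bytes:
    """Constructed input mimicking a multi-key string table: two groups of
    NUL-terminated strings, each obfuscated with a different key.
    0x22 is the effective single byte of the original Mirai 0xDEADBEEF
    table key; 0x5A is an arbitrary second key chosen for this example."""
    group_a = xor_bytes(b"/bin/busybox\x00enable\x00system\x00", 0x22)
    group_b = xor_bytes(b"shell\x00/proc/self/exe\x00", 0x5A)
    return group_a + group_b


if __name__ == "__main__":
    for key, strings in sorted(recover_strings(build_sample_blob()).items()):
        print(f"key 0x{key:02x}: {strings}")
```

On a real sample the same scan runs over the binary's data section; a key that exposes several tokens at once is the one worth decoding the whole table with.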
Mirai Variant Exploits
Researchers identified several URLs associated with the variant, including the command-and-control (C&C) address and the download and dropper links.
Analysis of the variant's code reveals more about the infection process: the first three exploits scan for specific vulnerabilities in ThinkPHP and in certain Huawei and Linksys routers, while a separate scanner covers the other ten vulnerabilities used in this attack.
It also performs brute-force login attempts using several common credentials.
The exploits associated with this Mirai variant take advantage of the following vulnerabilities in routers, surveillance products and other devices:
| # | Exploit | Vulnerability and affected devices | Relevant attacks |
| --- | --- | --- | --- |
| 1 | Vacron NVR CVE | A remote code execution (RCE) vulnerability for Vacron network video recorder (NVR) devices | Omni |
| 2 | CVE-2018-10561, CVE-2018-10562 | Authentication bypass and command injection vulnerabilities, respectively, for the Dasan gigabit passive optical network (GPON) routers | Omni, Mirai-like scanning |
| 3 | CVE-2015-2051 | Home Network Administration Protocol (HNAP) SOAPAction-header command execution vulnerability that works on certain D-Link devices | Omni, Hakai |
| 4 | CCTV-DVR RCE | RCE vulnerabilities for multiple CCTV-DVR vendors | Omni, Yowai |
| 5 | CVE-2014-8361 | Universal Plug and Play (UPnP) Simple Object Access Protocol (SOAP) command execution vulnerability affecting different devices using the Realtek software development kit (SDK) with the miniigd daemon | Omni |
| 6 | UPnP SOAP TelnetD command execution | UPnP SOAP command execution exploiting vulnerabilities in D-Link devices | Omni |
| 7 | Eir WAN side remote command injection | Wide area network (WAN) side remote command injection for Eir D1000 wireless routers | Omni |
| 8 | Netgear Setup.cgi RCE | RCE targeting Netgear DGN1000 devices | Omni |
| 9 | CVE-2016-6277 | Vulnerability that can allow the execution of remote arbitrary commands in Netgear R7000 and R6400 devices | Omni, VPNFilter infection |
| 10 | MVPower DVR shell command execution | Unauthenticated RCE vulnerability in MVPower digital video recorders (DVRs) | Omni |
| 11 | CVE-2017-17215 | Arbitrary command execution vulnerability in Huawei HG532 routers | Omni, Satori, Miori |
| 12 | Linksys RCE | RCE vulnerability in Linksys E-series routers | TheMoon |
| 13 | ThinkPHP 5.0.23/5.1.31 RCE | RCE for the open-source web development framework ThinkPHP 5.0.23/5.1.31 | Hakai, Yowai |
Of the 13 vulnerabilities, 11 had already been used in Mirai variant campaigns in 2018; the remaining two exploits, targeting the Linksys and ThinkPHP RCEs, are new.
The attacker behind this new variant could have simply copied the code from other attacks, and with it the exploits these previous cases had used.
Users are advised to change the default credentials on their routers to prevent credential-based attacks.
Indicators of Compromise (IoCs)
Related SHA-256 hash, detected as Backdoor.Linux.MIRAI.VWIPT:
c15382bc81e1bff4cf03d769275b7c4d2d586a21e81ad4138464d808e3bb464c
Related malicious URLs:
C&C: hxxp://32[.]235[.]102[.]123:1337
Download link and droppers:
hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7
hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips
hxxp://ililililililililil[.]hopto[.]org/love.sh
Used credentials:
12345 666666 888888 20080826 /ADMIN/ 1q2w3e4r5 3ep5w2u admintelecom anko cisco default e8ehome e8telnet guest hi3518 hi3518 hunt5759 [email protected] ipcam_rt5350 juantech juantech jvbzd jvbzd klv123 klv1234 klv1234 password qwerty QwestM0dem service service smcadmin supervisor support svgodie system telecomadmin ubnt xc3511 xmhdipc xmhdpic zsun1188 Zte521
This post New Variant of Mirai Malware Using 13 Different Exploits to Hack Routers Including D-Link, Linksys, GPON, Netgear, Huawei originally appeared on GB Hackers.