A new Mirai botnet variant tracked as ‘V3G4’ targets 13 vulnerabilities in Linux-based servers and IoT devices in order to use the compromised machines in DDoS (distributed denial-of-service) attacks.
The malware spreads by brute-forcing weak or default telnet/SSH credentials and by exploiting a hardcoded list of flaws to perform remote code execution on the target devices. Once a device is breached, the malware infects it and recruits it into its botnet swarm.
The malware was spotted in three distinct campaigns by researchers at Palo Alto Networks (Unit 42), who reported monitoring the malicious activity between July 2022 and December 2022.
Unit 42 believes all three attack waves originate from the same threat actor because the hardcoded C2 domains contain the same string, the shell script downloads are similar, and the botnet clients used in all attacks feature identical functions.
V3G4 attacks begin with the exploitation of one of the following 13 vulnerabilities:
- CVE-2012-4869: FreePBX Elastix remote command execution
- Gitorious remote command execution
- CVE-2014-9727: FRITZ!Box Webcam remote command execution
- Mitel AWC remote command execution
- CVE-2017-5173: Geutebruck IP Cameras remote command execution
- CVE-2019-15107: Webmin command injection
- Spree Commerce arbitrary command execution
- FLIR Thermal Camera remote command execution
- CVE-2020-8515: DrayTek Vigor remote command execution
- CVE-2020-15415: DrayTek Vigor remote command execution
- CVE-2022-36267: Airspan AirSpot remote command execution
- CVE-2022-26134: Atlassian Confluence remote command execution
- CVE-2022-4257: C-Data Web Management System command injection
After compromising the target device, a Mirai-based payload is dropped on the system and attempts to connect to the hardcoded C2 address.
The botnet also attempts to terminate a set of processes from a hardcoded list, which includes other competing botnet malware families.
A characteristic that differentiates V3G4 from most Mirai variants is that it uses four different XOR encryption keys instead of just one, making reverse engineering the malware’s code and decoding its functions more challenging.
When spreading to other devices, the botnet uses a telnet/SSH brute-forcer that tries to connect using default or weak credentials. Unit 42 noticed earlier malware variants used both telnet/SSH brute-forcing and vulnerability exploitation for spreading, while later samples did not use the scanner.
Finally, compromised devices are issued DDoS commands directly from the C2, including TCP, UDP, SYN, and HTTP flooding methods.
The operators of V3G4 likely sell DDoS services to clients who want to cause service disruption to specific websites or online services.
However, this variant has not been tied to a particular service at this time.
As always, the best way to protect your devices from Mirai-like infections is to change the default password and install the latest security updates.
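To check whether a device is being hit by the kind of telnet/SSH credential guessing described above, the following added example (not from Unit 42 or the original article) scans sshd log lines for a burst of failed passwords from one source and reports any login that succeeded afterwards. The log lines, addresses, hostnames, threshold and window are constructed assumptions, and the pattern assumes the common OpenSSH syslog wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines using documentation-range IPs; not from the report.
SAMPLE_LOG = """\
Feb 17 03:12:01 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 17 03:12:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Feb 17 03:12:05 cam01 sshd[813]: Failed password for root from 203.0.113.7 port 40114 ssh2
Feb 17 03:12:08 cam01 sshd[814]: Failed password for invalid user support from 203.0.113.7 port 40115 ssh2
Feb 17 03:12:10 cam01 sshd[815]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Feb 17 09:30:00 cam01 sshd[900]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Feb 17 09:30:09 cam01 sshd[901]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_bruteforce(log_text, threshold=4, window=timedelta(minutes=2), year=2023):
    """Flag sources with >= threshold failed logins inside `window`.

    Returns {ip: {"failures": n, "users": set, "compromised": [user, ...]}},
    where "compromised" lists accounts that accepted a password from that
    source after it was flagged. Syslog omits the year, so it is passed in.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append((ts, user))
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "compromised": []})
                f["failures"] = max(f["failures"], len(recent))
                f["users"].update(u for _, u in recent)
        elif ip in findings:
            # A success from an already-flagged source: treat the device as breached.
            findings[ip]["compromised"].append(user)
    return findings

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty "compromised" list means a guessed password worked, so the device should be treated as infected rather than merely probed.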