New Mirai Variants Targeting Latest Vulnerabilities in IoT Devices
During April 2024 we observed new Mirai malware variants targeting IoT devices and attempting to exploit the following vulnerabilities:
CVE-2024-3721
A command injection vulnerability in TBK DVR devices, published on 13/04/2024. More than 114,000 devices exposed on the internet were found to be vulnerable.
CVE-2024-3273
A command injection vulnerability in D-Link NAS devices, published on 03/04/2024. More than 5,500 vulnerable devices were found exposed on the internet.
Campaign Overview
This campaign was first observed on 10/04/2024, soon after an exploit for CVE-2024-3273 became publicly available. Subsequently, on 15/04/2024, the same attacker began exploiting CVE-2024-3721.
We are fully confident that the same actor is behind both exploitation waves, as the source IP addresses and the malware samples were identical for both vulnerabilities.
MIRAI Samples Malware Analysis
The botnet attempts to install the same malware across different UNIX architectures. We were unable to identify the specific Mirai variant, as the source code was made public several years ago and has since been reused widely. We refer to the samples as MIRAI UNK001. The following architectures are targeted:
For analysis we used a single sample, built for the arm7 architecture. Through static malware analysis we can draw the following conclusions:
- The ELF malware incorporates an anti-debugging function designed to impede analysis. It achieves this by introducing junk variables and code locations, making debugging attempts more challenging. Additionally, addresses are resolved dynamically at runtime, adding another layer of complexity to analysis.
- It has a function, called “ensure_single_instance”, that ensures only one instance of the malware runs on a device at a time. It does so by allowing only one process to bind to a particular address and port combination: it creates a socket, binds it to a fixed address and port and, if that succeeds, puts the socket into listening mode. If the bind fails, it cleans up, possibly kills the conflicting process, and retries.
- The malware resolves the Command and Control (C2) address dynamically and then performs a DNS lookup, again at runtime. It uses several domains for the C2, and the resolving function appears designed to accommodate multiple potential address sources or fallback values.
- After completing these steps, the malware initiates communication between the compromised IoT device (client) and the botnet's command and control (C2) server. All communication between the botnet client and the C2 server is encrypted using four XOR operations. Initially, the malware initializes a table with encrypted strings, followed by the execution of the encryption function, as illustrated in Figure 4. Similar patterns have been observed in Mirai Variant V3G4, which was discovered by Palo Alto Networks. More details about this variant can be found in the following link: Mirai Variant V3G4.
- It also has functions that reference tcpdump, Wireshark and similar tools. These do not appear to be used to stop those tools but to manipulate and control them. Once a tool's string address is loaded into a register, the program can use it to reference or manipulate the string as needed.
- In the next steps all attack methods are initialized as below:
The operator also has the ability to start or stop these attacks.
- Another interesting feature is a function that performs an SSDP search on the local network to find other devices that can be infected.
The malware also exhibits the following behaviours:
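The string-table obfuscation described above (a table of encoded strings that the malware decodes at startup with four successive XOR operations) is worth seeing in code, because the four XORs collapse to a single key byte, which is what makes such tables cheap for an analyst to recover. The following decoder is an added example written for this write-up: it is analyst tooling, not code from the samples or from the public Mirai source. The 4-byte key 0xDEADBEEF is the value used by the public Mirai source (table.c) and is an assumption for this variant, which is why a brute-force helper is included; the `[id][len][data]` blob layout and the sample entries are constructed for the demonstration and are not the in-binary layout of any sample.

```python
"""Decoder for a Mirai-style XOR-obfuscated string table (added example, not
code from the analysed samples or from the public Mirai source).

Assumptions: the key 0xDEADBEEF is the public Mirai source's table key and may
differ in this variant; the [id][len][data] blob layout is constructed here."""

KEY = 0xDEADBEEF  # assumed key (public Mirai source); a variant may differ


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """Apply the four successive single-byte XORs used by Mirai's table.c.

    Each byte is XORed with k1, k2, k3 and k4 in turn. XOR is associative, so
    the four operations equal one XOR with k1 ^ k2 ^ k3 ^ k4
    (0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22): the scheme is one byte of key.
    The same function both obfuscates and deobfuscates.
    """
    k1, k2, k3, k4 = ((key >> shift) & 0xFF for shift in (0, 8, 16, 24))
    out = bytearray()
    for b in data:
        b ^= k1
        b ^= k2
        b ^= k3
        b ^= k4
        out.append(b)
    return bytes(out)


def effective_key(key: int = KEY) -> int:
    """The single byte the four XORs collapse to."""
    return xor_bytes(b"\x00", key)[0]


def pack_table(entries: dict, key: int = KEY) -> bytes:
    """Build a constructed obfuscated blob: [id:1][len:1][xor'd data] per entry."""
    blob = bytearray()
    for entry_id, plain in entries.items():
        enc = xor_bytes(plain, key)
        if len(enc) > 255:
            raise ValueError("entry too long for a 1-byte length field")
        blob += bytes([entry_id, len(enc)]) + enc
    return bytes(blob)


def unpack_table(blob: bytes, key: int = KEY) -> dict:
    """Walk the blob and deobfuscate each entry; rejects truncated input."""
    entries = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated entry header")
        entry_id, length = blob[i], blob[i + 1]
        data = blob[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated entry data")
        entries[entry_id] = xor_bytes(data, key)
        i += 2 + length
    return entries


def recover_effective_key(obfuscated: bytes) -> list:
    """Brute-force the effective key byte against a suspected string entry.

    Returns every k in 0..255 for which the decoded bytes are all printable
    ASCII. Because the four XORs collapse to one byte, a variant that changed
    the 32-bit key still yields to at most 256 trials; the analyst then picks
    the candidate that decodes to something meaningful (a domain, a path).
    """
    candidates = []
    for k in range(256):
        decoded = bytes(b ^ k for b in obfuscated)
        if all(0x20 <= c < 0x7F for c in decoded):
            candidates.append(k)
    return candidates


# Constructed sample entries. Ids 1 and 2 mirror TABLE_CNC_DOMAIN / TABLE_CNC_PORT
# numbering in the public Mirai source; the values are made up for this example.
SAMPLE_ENTRIES = {
    1: b"c2.example.invalid",
    2: b"\x00\x17",  # port 23, big-endian: a non-printable entry
    3: b"/proc/self/exe",
}


def decode_sample() -> dict:
    """Round-trip the constructed table through pack/unpack and return plaintexts."""
    return unpack_table(pack_table(SAMPLE_ENTRIES))


if __name__ == "__main__":
    print(f"effective key byte: 0x{effective_key():02x}")
    for entry_id, value in decode_sample().items():
        print(entry_id, value)
    print("key candidates:", recover_effective_key(xor_bytes(b"c2.example.invalid")))
```

In practice the obfuscated entries are carved from the binary (the table-initialisation function referenced in Figure 4 is the place to look), fed to `recover_effective_key` if the known key fails, and the decoded strings, typically C2 domains, ports and paths, become the indicators that feed detection.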
• Attempting to change into the “root” directory.
• Searching for and reading all directories with write permissions.
• Creating a watchdog process to ensure the malware persists. This step is crucial for preventing reboots and security scans.
Conclusions
Both vulnerabilities are easy to exploit, being command injections, and lead to immediate compromise. This likely explains why threat actors operating botnets are targeting these newly disclosed vulnerabilities. Additionally, we observed the botnet exploiting other vulnerabilities and conducting further reconnaissance. The graph below illustrates the activities of this botnet herder over the past month.
Indicators of Compromise
HASHES
Domains
tcpdown[.]su
cpdown[.]su
down[.]su
wn[.]su
IPs
104[.]168[.]32[.]17
104[.]168[.]45[.]11
172[.]245[.]119[.]63
172[.]245[.]119[.]70
185[.]216[.]70[.]168
185[.]216[.]70[.]169
185[.]216[.]70[.]250
198[.]12[.]124[.]76
89[.]198[.]54[.]22
62[.]122[.]170[.]171
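Defanged indicators such as the list above have to be refanged before they can be matched against logs, and a naive substring search will misfire on addresses that merely contain an IoC as a prefix (104.168.32.17 inside 104.168.32.170). The following scanner is an added example written for this write-up, not code from the report's authors: it refangs a subset of the IoCs listed above and searches constructed DNS and firewall log lines for them with anchored patterns. The log lines, hostnames and the benign 104.168.32.170 address are constructed for the demonstration.

```python
"""Refang the defanged IoCs from this report and scan log lines for them
(added example written for this write-up; not code from the report's authors).
The log lines are constructed, as is the choice of IoC subset."""
import ipaddress
import re

# Subset of the report's IoCs, exactly as published (defanged with "[.]").
DEFANGED_IOCS = [
    "tcpdown[.]su",
    "104[.]168[.]32[.]17",
    "104[.]168[.]45[.]11",
    "172[.]245[.]119[.]63",
    "185[.]216[.]70[.]168",
    "198[.]12[.]124[.]76",
    "62[.]122[.]170[.]171",
]

# Constructed log lines: one DNS query hit, one firewall hit, one near-miss
# (104.168.32.170, a different host that a plain substring search would flag)
# and one benign line.
LOG_LINES = [
    "2024-04-15T10:01:02Z dvr01 dnsmasq: query[A] tcpdown.su from 192.168.1.20",
    "2024-04-15T10:01:03Z fw01 kernel: OUT src=192.168.1.20 dst=104.168.32.17 dpt=23",
    "2024-04-15T10:02:00Z fw01 kernel: OUT src=192.168.1.21 dst=104.168.32.170 dpt=443",
    "2024-04-15T10:03:00Z nas01 sshd: Accepted publickey for admin from 10.0.0.5",
]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be matched against real logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """'ip' for IPv4/IPv6 literals, 'domain' otherwise."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_matchers(defanged: list) -> list:
    """Compile one anchored pattern per IoC.

    The lookarounds prevent partial matches: 104.168.32.17 must not fire on
    104.168.32.170 or 1104.168.32.17, and a domain must not fire when it is
    only the tail of a longer label.
    """
    matchers = []
    for raw in defanged:
        ioc = refang(raw)
        pattern = re.compile(
            r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w-])(?!\.\d)",
            re.IGNORECASE,
        )
        matchers.append((ioc, classify(ioc), pattern))
    return matchers


def scan_lines(lines: list, defanged: list) -> list:
    """Return (line_number, ioc, kind) for every IoC seen on every line."""
    hits = []
    matchers = build_matchers(defanged)
    for lineno, line in enumerate(lines, start=1):
        for ioc, kind, pattern in matchers:
            if pattern.search(line):
                hits.append((lineno, ioc, kind))
    return hits


if __name__ == "__main__":
    for lineno, ioc, kind in scan_lines(LOG_LINES, DEFANGED_IOCS):
        print(f"line {lineno}: {kind} {ioc}")
```

Run against real logs, the same function takes the full hash, domain and IP list from this report; hashes would be matched against EDR or file-integrity output rather than network logs, and DNS query logs are the most useful place to catch the domain indicators given that the malware resolves its C2 at runtime.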