Mirai bot found targeting vulnerabilities in several popular router models

Target Industry

Indiscriminate, opportunistic attacks.

Overview

The Mirai botnet was discovered targeting 22 different known vulnerabilities within D-Link, Zyxel and Netgear devices for the purposes of distributed denial-of-service (DDoS) attacks intended to disrupt or stall targeted networks. Signs of compromise on a device include persistently slow connections, device overheating and significant, unexpected changes to the device’s configuration.

The list of known vulnerabilities, which cover a wide range of techniques, is as follows:

Vendors of the devices are urging users to upgrade to newer models, as many of the targeted models no longer receive security updates.

Impact

If Mirai successfully exploits a device, it gains full control of it and uses it to launch disruptive DDoS attacks on other victim systems. Devices under Mirai’s control will experience significant drops in performance and potentially a complete loss of functionality.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. An EDR can alert users to a potential breach and halt its progress before the malware is able to do significant damage.

Affected Products

D-Link, Zyxel and Netgear devices.

Containment, Mitigations & Remediations

It is strongly recommended that the following mitigation steps are followed in order to harden network defences against all variants of botnet infection:

  • Update Internet of Things (IoT) devices to the latest product versions
  • Change the factory-default login keys, as well as the default username and password, on IoT devices
  • Implement network segmentation so that all IoT devices are on a separate network from systems critical for daily operations
  • Use and maintain anti-virus software
  • Implement an official password policy

Moreover, as stated above, one of the main methods of reducing the threat from the Mirai botnet is to detect it in the early stages by running an effective, monitored EDR solution. An effective EDR tool will increase detection of Mirai compromise attempts and halt the malware’s progress if detected.

Indicators of Compromise

Mirai associated file hashes (SHA256):

  • 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
  • d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
  • 63144e6dac91587994fe1bbefac136fa2e2125d6fd1e6801dfc08b2926eec3de
  • 8f5d60f0e71b599b733a27d5a5ba0ff91206f3e75eba8bd385ab825e714e7958
  • 18276e79cc58a360403a96f521a6b9f42a36b72118e360729ed133362491abbb
  • 15d0abbcac44279d7da861bc85bd6729dd03f2a30dec2266d6bd996ea2450ac4
  • 2a4dcf829c12ec95ba28dac2b86f81f07175d01062acf3d9d214cabc4c833329
  • 698ad3cf447ed2c0110f86c62e869549a38928119723a378b265aa6e7e7913ad
  • 82c2a0083197211652ff2bae93178f180623743413db984620c9cabee7bcb9aa
  • 99304556d481fd8a26c3c036da44d1095c954030b417fceab35c451bad9a60f1
  • 9b48fb10044af546980b95f463c07de9a5d5215148a87a4d325c9b276fdb2ca9
  • 9bdec01d0697f6e2b42d7f6ff19f6fd93a17e4c3bf46bb527c64261312dbd2b3
  • 9f0bcc84b4b8bb2b0b4dac88c3baa121fd1cdab0296c2641af312740935171de
  • ad6708e2ad0be6c5136f7e1296659f49f433101e083c4120a6f8b0e229f608df
  • bee1ced511ee04f45aae72e6a4b17ea25a96f292e9fb04e3acb350741a9b0a37
  • c8a5f3eddc9054111d33f4ad6b958a0f921b9f3c409e04ebaa3ef8dfffea4918
  • cd9a4876f6c8443fb47c24b5c0a8d43ae09510676fb611632f97cf87dbeb5a03
  • f6315b5061b882cf15b9f7fd7d4465d24f13ec1f80eddd9790c9a382fff38391
  • 13be2734c52f1f2b4b5d52824a16d44298e8aded6e62419c153cce3b08002a32
  • 37b485beeba6a863a9e19043bdece704df27ec5554f7a03ca53486fe88136766

Mirai associated domains:

  • cnc[.]nekololis[.]wtf
  • j[.]xnyidc[.]top
  • pxp[.]softdetails[.]in
  • huydeptrai[.]zapto[.]org
  • shop[.]loveday[.]cloud
  • botnet[.]nso-senpai[.]site
  • ezz[.]nulling[.]to
  • heikexiaolin1[.]f3322[.]net
  • scan[.]nulling[.]to
  • ingoditrust[.]ddns[.]net

Mirai associated IP addresses:

  • 45[.]66[.]230[.]32
  • 119[.]178[.]168[.]246
  • 117[.]216[.]28[.]247
  • 111[.]172[.]59[.]200
  • 121[.]226[.]38[.]92
  • 125[.]126[.]102[.]77
  • 163[.]179[.]217[.]22
  • 27[.]45[.]33[.]247

Mirai associated URLs:

  • hxxp[://]111[.]172[.]59[.]200:33687/Mozi[.]m
  • hxxp[://]117[.]216[.]28[.]247:43584/Mozi[.]m
  • hxxp[://]121[.]226[.]38[.]92:52151/Mozi[.]m
  • hxxp[://]125[.]126[.]102[.]77:55865/Mozi[.]m
  • hxxp[://]163[.]179[.]217[.]22:36832/Mozi[.]m
  • hxxp[://]27[.]45[.]33[.]247:45482/Mozi[.]m
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm6
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm7
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]ppc
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]spc
  • hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]x86
  • hxxp[://]119[.]178[.]168[.]246:33723/Mozi[.]m
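
The indicators above are published defanged (`[.]`, `hxxp[://]`) so they cannot be followed by accident; to use them for detection they must be refanged and matched against telemetry. EDR agents do not run on consumer router firmware, so DNS, proxy and firewall logs from the network are usually where these indicators surface. The following Python script is an added example, not part of this bulletin or of any vendor tool: it refangs the domains, IP addresses and URLs listed above, scans a handful of constructed log lines (the `192.168.50.0/24` addresses, timestamps and benign entries are made up), flags the listed payload paths even when served from a host not yet on the list, and checks file digests against the SHA256 list (only the first four of the twenty hashes are embedded to keep the block short; the remainder go in the same set).

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators copied from the bulletin, kept in the published defanged form.
DEFANGED_DOMAINS = [
    "cnc[.]nekololis[.]wtf", "j[.]xnyidc[.]top", "pxp[.]softdetails[.]in",
    "huydeptrai[.]zapto[.]org", "shop[.]loveday[.]cloud", "botnet[.]nso-senpai[.]site",
    "ezz[.]nulling[.]to", "heikexiaolin1[.]f3322[.]net", "scan[.]nulling[.]to",
    "ingoditrust[.]ddns[.]net",
]
DEFANGED_IPS = [
    "45[.]66[.]230[.]32", "119[.]178[.]168[.]246", "117[.]216[.]28[.]247",
    "111[.]172[.]59[.]200", "121[.]226[.]38[.]92", "125[.]126[.]102[.]77",
    "163[.]179[.]217[.]22", "27[.]45[.]33[.]247",
]
DEFANGED_URLS = [
    "hxxp[://]111[.]172[.]59[.]200:33687/Mozi[.]m", "hxxp[://]117[.]216[.]28[.]247:43584/Mozi[.]m",
    "hxxp[://]121[.]226[.]38[.]92:52151/Mozi[.]m", "hxxp[://]125[.]126[.]102[.]77:55865/Mozi[.]m",
    "hxxp[://]163[.]179[.]217[.]22:36832/Mozi[.]m", "hxxp[://]27[.]45[.]33[.]247:45482/Mozi[.]m",
    "hxxp[://]119[.]178[.]168[.]246:33723/Mozi[.]m",
    "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm", "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm6",
    "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]arm7", "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]ppc",
    "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]spc", "hxxp[://]45[.]66[.]230[.]32/hiddenbin/boatnet[.]x86",
]
# First four SHA256 hashes from the bulletin; the remaining sixteen belong in this same set.
KNOWN_HASHES = {
    "12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef",
    "d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8",
    "63144e6dac91587994fe1bbefac136fa2e2125d6fd1e6801dfc08b2926eec3de",
    "8f5d60f0e71b599b733a27d5a5ba0ff91206f3e75eba8bd385ab825e714e7958",
}


def refang(indicator):
    """Reverse the bulletin's defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[://]", "://").replace("[.]", "."))


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u) for u in DEFANGED_URLS}
URL_PATHS = {urlsplit(u).path for u in URLS}  # e.g. "/Mozi.m", "/hiddenbin/boatnet.arm7"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def scan_line(line):
    """Return the set of (kind, indicator) pairs from the bulletin found in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in DOMAINS:
            hits.add(("domain", host.lower()))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        if url in URLS:
            hits.add(("url", url))
        # The same payload path served from a host not yet on the list is still worth a look.
        path = urlsplit(url).path
        if path in URL_PATHS:
            hits.add(("url_path", path))
    return hits


def scan_logs(lines):
    """Return [(line_number, hits)] for every line that contains at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


def is_known_hash(digest):
    return digest.lower() in KNOWN_HASHES


def find_known_files(directory):
    """List files under a directory (a mounted firmware image, a quarantine folder) whose SHA256 is listed."""
    return [p for p in Path(directory).rglob("*")
            if p.is_file() and is_known_hash(hashlib.sha256(p.read_bytes()).hexdigest())]


# Constructed sample telemetry (not from the bulletin); 192.168.50.0/24 is a hypothetical IoT VLAN.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dnsmasq[1]: query[A] cnc.nekololis.wtf from 192.168.50.23",
    "2024-01-01T10:00:01Z dnsmasq[1]: query[A] updates.example.com from 192.168.50.23",
    '2024-01-01T10:00:05Z proxy: 192.168.50.23 GET "http://45.66.230.32/hiddenbin/boatnet.arm7" 200',
    '2024-01-01T10:00:06Z proxy: 192.168.50.24 GET "http://198.51.100.7:8080/firmware.bin" 200',
    "2024-01-01T10:00:09Z fw: SRC=192.168.50.23 DST=111.172.59.200 DPT=33687 PROTO=TCP",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {sorted(hits)}")
```

Running the script reports lines 1, 3 and 5 of the sample: the DNS lookup of the C2 domain, the download of the ARMv7 payload from the listed distribution host, and the outbound connection to a listed Mozi distribution address on its listed port. The `url_path` match is deliberately weaker than the others and should be treated as a lead for triage rather than a confirmed hit, since the distribution hosts change far faster than the payload names.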

Threat Landscape

Although the creators of the Mirai botnet malware were apprehended, the source code of the malware was subsequently released into the wild and, as such, Mirai and other botnet variants pose a significant threat to unprotected IoT devices and their associated networks.

Since its release on the dark web, the Mirai source code has been continuously altered by threat actors to create more advanced versions of the malware. To date, these have included Okiru, Satori, Masuta and PureMasuta. Given the open availability of the source code and the growing prominence of the IoT market, it is highly likely that further variants will continue to emerge, raising the prospect of future attacks.

Threat Group

The Mirai botnet was originally created in 2016 by university students Josiah White, Paras Jha and Dalton Norman, who have since been charged with its creation. As the creators published the code publicly, it has been adopted and modified by threat actor groups.

Mitre Methodologies

Resource Development

T1584.005 – Compromise Infrastructure: Botnet

Further Information

IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits

An Intelligence Terminology Yardstick showing the likelihood of events