New Mirai variant includes exploit for a flaw in Comtrend Routers

Researchers spotted a new version of the Mirai IoT botnet that includes an exploit for a vulnerability affecting Comtrend routers.

Malware researchers at Trend Micro have discovered a new version of the Mirai Internet of Things (IoT) botnet that includes an exploit for the CVE-2020-10173 vulnerability impacting Comtrend routers.

The Mirai botnet was first discovered in August 2016 by the MalwareMustDie researcher Mirai source code, two months later its source code was leaked online.

Since 2016, security experts have discovered numerous variants of the Mirai botnet such as Masuta, Okiru, Satori, Mukashi, SORA, and Tsunami.

The new variant spotted by Trend Micro researchers targets the CVE-2020-10173 authenticated command injection vulnerability in the Comtrend VR-3033 routers.

Experts believe that vulnerability impacting Comtrend routers will likely be exploited by other DDoS botnets.

This flaw is exploited along other security vulnerabilities impacting routers, IP cameras, and other IoT devices.

“The vulnerabilities used by this Mirai variant consist of a combination of old and new that help cast a wide net encompassing different types of connected devices. The nine vulnerabilities used in this campaign affect specific versions of IP cameras, smart TVs, and routers, among others.” reads the analysis published by Trend Micro.

“As mentioned earlier, the most notable of these vulnerabilities is CVE-2020-10173, a Multiple Authenticated Command injection vulnerability found in Comtrend VR-3033 routers. Remote malicious attackers can use this vulnerability to compromise the network managed by the router.”

Despite the availability of a proof of concept (POC) for this vulnerability, this is the first time that an exploit for issue is exploited by a Mirai variant.

This Mirai variant also includes an exploit for a relatively recent issue in Netlink GPON routers that was also included the Hoaxcalls botnet.

The Mirai variant analyzed by Trend Micro also includes another five old vulnerability:

“The use of CVE-2020-10173 in this variant’s code shows how botnet developers continue to expand their arsenal to infect as many targets as possible and take advantage of the opening afforded by unpatched devices. Newly discovered vulnerabilities, in particular, offer better chances for cybercriminals.” conlcuded Trend Micro. “Users, not knowing that a vulnerability even exists, might be unable to patch the device before it is too late.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – botnet, Mirai)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.