Pierluigi Paganini January 29, 2025

A new variant of the Mirai-based botnet Aquabot targets vulnerable Mitel SIP phones to recruit them into a DDoS botnet.

Akamai researchers spotted a new variant of the Mirai-based botnet Aquabot that is targeting vulnerable Mitel SIP phones.

Aquabot is a Mirai-based botnet designed for DDoS attacks. Named after the “Aqua” filename, it was first reported in November 2023.

As this is the third distinct iteration of Aquabot, Akamai tracked this variant as Aquabotv3. The bot targets the command injection vulnerability CVE-2024-41710 that impacts Mitel models.

“This third iteration adds a novel activity for a Mirai-based botnet: C2 communication when the botnet catches certain signals.” reads the report published by Akamai. “This, and other notable differences in functionality, separate the two versions significantly, supporting the distinction of a third variant.”

The malware targets the flaw CVE-2024-41710 that affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136).

In mid-July 2024, Mitel addressed the vulnerability with the release of firmware updates. The vendor warned that the exploitation of the flaw “could allow an authenticated attacker with administrative privilege to conduct a command injection attack due to insufficient parameter sanitization during the boot process”.

A month later, the PacketLabs researcher Kyle Burns published a PoC exploit code for the vulnerability CVE-2024-41710.

Akamai states that there are not report of attacks exploiting this vulnerability in the wild prior to the SIRT’s observations in January 2025.

“The exploit proof of concept (PoC) shows us that an attacker could smuggle in entries otherwise blocked by the application’s sanitization checks by sending a specially crafted HTTP POST request.” continues the report. “In his GitHub README, Burns reported that he found that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, and he found multiple endpoints vulnerable to this. For the PoC, he focused on the endpoint “802.1x Support” (8021xsupport.html).”

This malware exhibits a unique behavior for a Mirai variant, it includes a function (report_kill) that reports to the command and control server when a kill signal is detected on the infected device.

Like other botnets, Aquabot v3 targets additional vulnerabilities in various products, including Hadoop YARN, the Roxy-WI web interface, and routers from Linksys, Teltonika, Dasan GPON, and LB-LINK.

The threat actors behind Aquabot have been advertising it as a DDoS-as-a-service on platforms like Telegram under various misleading names, such as Cursinq Firewall and The Eye Botnet. They often claim it is for DDoS mitigation testing, but experts pointed out that it spreads Mirai malware and is used for real attacks.

“In the case of Aquabot, the core malware is the same as Mirai but the signal handling is particularly unique. Unique, however, is not always the most useful — this malware was not particularly quiet, which could be to its detriment.” concludes the report that includes Indicators of Compromise (IoCs).

“The reason for the unique signal handling could be that the threat actor is intentionally observing a machine’s defensive activity to develop more stealthy variants in the future. It could also be used to detect active disruption/attacks from competing botnets or ethical take down campaigns, or any combination thereof.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)