ELF_IMEIJ, a new Linux malware is spreading in the wild

Pierluigi Paganini March 12, 2017

Security experts from Trend Micro discovered a new family of Linux malware, tracked as ELF_IMEIJ, targeting AVTech surveillance devices.

Security experts from Trend Micro discovered a new family of Linux malware that is targeting products from surveillance technology company AVTech exploiting a CGI vulnerability that was disclosed in 2016.

According to Trend Micro, the flaw was reported to AVTech in October 2016, but the vendor has never responded.

“The vulnerability was discovered and reported by Search-Lab, a security research facility, and was disclosed to AVTech on October 2016. However, even after repeated attempts by Search-Lab to contact the vendor there was no response.” reads Trend Micro.

The malicious code, tracked as ELF_IMEIJ.A, attempts to infect AVTech by exploiting an authenticated command injection residing in the CloudSetup.cgi, a CGI that is present in all AVTech devices that support the Avtech cloud.

“Devices that support the Avtech cloud contain CloudSetup.cgi, which can be accessed after authentication. The exefile parameter of a CloudSetup.cgi request specifies the system command to be executed.” reads the advisory published by Search-Lab. “Since there is no verification or white list-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges.” 

The ELF_IMEIJ malware is spread via RFIs in cgi-bin scripts. The attackers send a specific request to random IP addresses in the attempt of discovering vulnerable devices. The Trojan is delivered through a command injection that triggers the download of the malicious payload.

The targeted device is tricked into fetching the malicious file, changing the file’s permissions and then executing it locally.


“The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data.” continues Trend Micro. “It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself,” 

The researchers explained that the malware is able to execute shell commands from the malicious actors and also initiate Distributed Denial of Service (DDoS) attacks.

The ELF_IMEIJ Trojan only targets AVTech products, it uses the port 39999 in order to infect only devices with unsecured cgi-bin scripts.

Below a table that is used for a comparison of the Mirai malware with ELF_IMEIJ.A.

Affected Devices  Various AVTech
Used Ports 7547
Exploits Devices with BusyBox software installed by bruteforce Devices unsecured cgi-bin scripts to install the malware ELF_IMEIJ.A

“AVTech has over 130,000 different devices connected to the Internet, so this attack may be used to gain and maintain persistent access to these devices.” continues the analysis from Trend Micro. “The devices can also be turned into bots and used to drive large scale DDoS attacks. Like most connected devices, the targets are not secured by default and are impossible to directly monitor,” 

The discovery of the ELF_IMEIJ.A trojan shows the increasing interest of threat actors in targeting Linux devices.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ELF_IMEIJ, Linux  malware)

you might also like

leave a comment