Experts warn of new campaigns leveraging Mirai and Gafgyt variants

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.

Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014 had its source code was leaked in early 2015.

In September 2016, a joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by PaloAlto Network.

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include the code to target the D-Link DSL-2750B OS Command Injection flaw, experts noticed that the new feature was implemented only a few weeks after the publication of the Metasploit module for its exploitation on May 25.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot that is one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits such the code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-1562) in Dasan GPON routers, a flaw in Huawei router tracked as CVE-2017–17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, a JAWS Webserver command execution.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by PaloAlto.

The campaign leverages two different encryption schemes, the bot propagates only via exploits and prevents further infection of compromised devices through dropping packets received on certain ports using iptables.

The last variant of Mirai uses the IP 213[.]183.53.120 for both for serving payloads and as a Command and Control (C2) server, the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers was using the same exploits of the previous one but also attempted to carry on credential brute force attacks.

The campaign was tracked as Okane by the name of the binaries downloaded by the shell script to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis.

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

root/t0talc0ntr0l4! – default credentials for Control4 devices
admin/adc123 – default credentials for ADC FlexWave Prism devices
mg3500/merlin – default credentials for Camtron IP cameras

Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”

Experts at PaloAlto Networks observed a third campaign, tracked as Hakai, that was attempting to infect devices with the Gafgyt malware by using all the previous exploits code, except for the UPnP SOAP TelnetD Command Execution exploit.

Further details about the campaigns, including IoCs are included in the post published by PaloAlto.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Mirai, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.