Pierluigi Paganini July 14, 2020

Researchers spotted a new version of the Mirai IoT botnet that includes an exploit for a vulnerability affecting Comtrend routers.

Malware researchers at Trend Micro have discovered a new version of the Mirai Internet of Things (IoT) botnet that includes an exploit for the CVE-2020-10173 vulnerability impacting Comtrend routers.

The Mirai botnet was first discovered in August 2016 by the MalwareMustDie researcher Mirai source code, two months later its source code was leaked online.

Since 2016, security experts have discovered numerous variants of the Mirai botnet such as Masuta, Okiru, Satori, Mukashi, SORA, and Tsunami.

The new variant spotted by Trend Micro researchers targets the CVE-2020-10173 authenticated command injection vulnerability in the Comtrend VR-3033 routers.

Experts believe that vulnerability impacting Comtrend routers will likely be exploited by other DDoS botnets.

This flaw is exploited along other security vulnerabilities impacting routers, IP cameras, and other IoT devices.

“The vulnerabilities used by this Mirai variant consist of a combination of old and new that help cast a wide net encompassing different types of connected devices. The nine vulnerabilities used in this campaign affect specific versions of IP cameras, smart TVs, and routers, among others.” reads the analysis published by Trend Micro.

“As mentioned earlier, the most notable of these vulnerabilities is CVE-2020-10173, a Multiple Authenticated Command injection vulnerability found in Comtrend VR-3033 routers. Remote malicious attackers can use this vulnerability to compromise the network managed by the router.”

Despite the availability of a proof of concept (POC) for this vulnerability, this is the first time that an exploit for issue is exploited by a Mirai variant.

This Mirai variant also includes an exploit for a relatively recent issue in Netlink GPON routers that was also included the Hoaxcalls botnet.

The Mirai variant analyzed by Trend Micro also includes another five old vulnerability:

• AVTECH IP Camera / NVR / DVR Devices – Multiple Vulnerabilities
• D-Link Devices – UPnP SOAP Command Execution
• MVPower DVR TV-7104HE 1.8.4 115215B9 – Shell Command Execution
• Symantec Web Gateway 5.0.2.8 Remote Code Execution
• ThinkPHP 5.0.23/5.1.31 – Remote Code Execution

“The use of CVE-2020-10173 in this variant’s code shows how botnet developers continue to expand their arsenal to infect as many targets as possible and take advantage of the opening afforded by unpatched devices. Newly discovered vulnerabilities, in particular, offer better chances for cybercriminals.” conlcuded Trend Micro. “Users, not knowing that a vulnerability even exists, might be unable to patch the device before it is too late.”

Pierluigi Paganini

(SecurityAffairs – botnet, Mirai)

[adrotate banner=”5″]

[adrotate banner=”13″]