
Hackers Exploiting 0-day RCE Flaws in the Wild to Deploy Mirai Malware

May 06, 2025

The Mirai botnet is a malicious network of infected computers, routers, and IoT devices harnessed by cybercriminals to launch large-scale DDoS attacks.

The destructiveness of Mirai lies in its ability to compromise and control a multitude of connected devices, which enables its operators to:

  • Disrupt online services

  • Cause widespread internet outages

In late October 2023, Akamai SIRT researchers observed increased activity in their honeypots targeting an uncommon TCP port. They found that hackers are actively exploiting the 0-day RCE flaws in the wild to deploy Mirai malware.

The probes started with a burst and peaked at about 20 attempts per day. Each one followed the same pattern: authentication via a POST request, followed by a command injection.

The targeted devices remained unidentified until November 9, 2023. An unusual HTTP response header spotted during an internet-wide scan turned up a set of machines matching the expected profile, but there was initially some doubt about whether those machines were genuine devices.


Hackers Exploiting 0-day RCE Flaws

Akamai SIRT observed a rise in activity targeting a rarely used TCP port, revealing a potential zero-day exploit in NVR devices. The devices' landing pages encrypt the login form with client-side JavaScript, which allowed the credentials used in the attack to be recovered in plaintext.

Further investigation pointed to a specific NVR manufacturer, whose product manuals confirmed that the credentials observed in the attack were the product's default credentials. The vendor acknowledged the zero-day and plans a fix by December 2023.

Additionally, the campaign showed a second zero-day exploit targeting outlet-based wireless LAN routers for hotels and residential use, with details expected in December from the respective vendor.

This Mirai botnet activity, centered on the JenX variant, is notable for recruiting IoT devices through Grand Theft Auto. The C2 domains share overlapping IP resolutions and change infrastructure in a synchronized way.

Notably, the C2 IP addresses resolved to only a small number of domains, unlike the usual pattern. The JenX Mirai variant prints a distinctive string upon compromise, such as ‘gosh that Chinese family…’, possibly linked to the dull domain names.

One malware sample associated with this behavior was sent to the domain ‘iaxtpa[.]parody’ from the C2 IP 45.142.182[.]96.

C2 addresses link to CIDR block 5.181.80.0/24, and the domains show overlap in IP resolutions, changing at specific times. The cluster uses JenX and hailBot Mirai variants. JenX filenames are “jkxl,” and hailBot filenames are “skid.”

ELF binary links (Source: Akamai)

Sample “skid.mpsl” echoes this string; it was sourced from C2 server 5.181.80[.]120 and connects to husd8uasd9[.]online. A DStatCC channel mentions the C2 infrastructure, and a user whose Telegram account has since been deleted refers to “infectedchink[.]cat” as an “old ICANN domain.”

The current domains are served over OpenNIC. The same user lists proxy infrastructure IPs and shares bot screenshots (Telnet, Vacron, ntel, UTT-Bots). A PasteBin dump by “@RedDrip7” reveals C2 domains that targeted Russian news sites in May 2023. Mirai’s code as of October 2023 is unchanged from April 2023, indicating minimal modification.

IOCs

SHA256SUMs:


Malware samples:

arm:      ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm5:     ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm6:     ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
arm7:     ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
kdvrarm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
mips:     ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mpsl:     ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nigga.sh: ASCII text
ok.sh:    ASCII text
ppc:      ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
sh4:      ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
spc:      ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
x86:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
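As an added, defender-side example that is not part of the original article or of Akamai's tooling: a small Python parser for a file(1) listing like the one above, which groups the samples by architecture and endianness and flags the ones that kept debug_info (the cheapest to reverse first). The sample lines embedded in the block are copied from the listing above; the function names are my own.

```python
import re
from collections import defaultdict

# Six lines copied from the file(1) listing of Akamai's sample set above.
FILE_OUTPUT = """\
arm:      ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm7:     ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
mips:     ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mpsl:     ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
ok.sh:    ASCII text
x86:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
"""

# file(1) prints "ELF <bits>-bit <LSB|MSB> executable, <arch>, ..." for ELF binaries.
ELF_RE = re.compile(r"ELF (?P<bits>\d+)-bit (?P<order>LSB|MSB) executable, (?P<arch>[^,]+),")


def parse_file_line(line):
    """Turn one 'name: description' line from file(1) into a dict of fields."""
    name, _, desc = line.partition(":")
    desc = desc.strip()
    m = ELF_RE.search(desc)
    if not m:
        # Dropper/loader scripts show up as plain text, not ELF.
        return {"name": name, "kind": "script" if "text" in desc else "other"}
    return {
        "name": name,
        "kind": "elf",
        "bits": int(m["bits"]),
        "endian": "little" if m["order"] == "LSB" else "big",
        "arch": m["arch"],
        "static": "statically linked" in desc,
        # "with debug_info, not stripped" means symbols survived the build.
        "stripped": "not stripped" not in desc,
    }


def summarize(text):
    """Group sample names by (arch, endianness); scripts go under ('script', None)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        info = parse_file_line(line)
        key = (info["arch"], info["endian"]) if info["kind"] == "elf" else ("script", None)
        groups[key].append(info["name"])
    return dict(groups)


def unstripped_samples(text):
    """Names of ELF samples that still carry symbols (best starting point for analysis)."""
    return [parse_file_line(l)["name"] for l in text.splitlines()
            if parse_file_line(l).get("kind") == "elf" and not parse_file_line(l)["stripped"]]
```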


Source: CybersecurityNews.com
