A new Mirai botnet variant, tracked as “V3G4,” targets 13 vulnerabilities in Linux-based servers and IoT devices to be used for distributed denial of service (DDoS) attacks.
The malware spreads by brute-forcing weak or default Telnet/SSH credentials and by exploiting a hard-coded set of vulnerabilities to achieve remote code execution on the targeted devices. Once a device is breached, the malware infects it and recruits it into its botnet swarm.
The specific malware was discovered in three different campaigns by Palo Alto Networks (Unit 42) researchers who reported monitoring the malicious activity between July 2022 and December 2022.
Unit 42 believes all three waves of attacks came from the same attacker because the hard-coded C2 domains contain the same string, the shell script downloads are similar, and the botnet clients used in all attacks have identical functionality.
V3G4 attacks begin by exploiting one of the following 13 vulnerabilities:
CVE-2012-4869: FreePBX Elastix Remote Command Execution
Gitorious Remote Command Execution
CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution
Mitel AWC Remote Command Execution
CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution
CVE-2019-15107: Webmin Command Injection
Spree Commerce Arbitrary Command Execution
FLIR Thermal Camera Remote Command Execution
CVE-2020-8515: DrayTek Vigor Remote Command Execution
CVE-2020-15415: DrayTek Vigor Remote Command Execution
CVE-2022-36267: Airspan AirSpot Remote Command Execution
CVE-2022-26134: Atlassian Confluence Remote Command Execution
CVE-2022-4257: C-Data Web Management System Command Injection

Vulnerabilities targeted by V3G4 (Unit 42)
After the target device is compromised, a Mirai-based payload is dropped on the system and attempts to connect to the hard-coded C2 address.
The botnet also attempts to kill a number of processes from a hard-coded list containing other competing botnet malware families.
Processes the malware attempts to kill (Unit 42)
A feature that sets V3G4 apart from most Mirai variants is that it uses four different XOR encryption keys instead of just one, making reverse engineering of the malware code and deciphering its functions more difficult.
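To show why rotating keys slow an analyst down, the following added example (analyst-side code, not Unit 42's or the malware's) obfuscates a small string table with byte-wise XOR, first decodes it with a single recovered key, then recovers each key with known strings (cribs) and decodes the whole table. The four key bytes, the strings and the per-entry key rotation are constructed for the demonstration; the article does not give V3G4's real keys or table layout.

```python
# Added example (analyst side): a single recovered XOR key only decodes the entries
# that use it, so a variant that rotates through several keys forces the analyst to
# recover each key separately. Keys, strings and the rotation are constructed here;
# V3G4's real values are not given in the article.

def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key, the classic Mirai string obfuscation."""
    return bytes(b ^ key for b in data)

# Constructed stand-in for an obfuscated string table (not V3G4's keys or strings).
SAMPLE_KEYS = [0x22, 0x5B, 0x9C, 0xE1]
SAMPLE_STRINGS = [b"/bin/busybox", b"admin", b"/proc/", b"User-Agent: ",
                  b"enable", b"shell", b"/dev/watchdog", b"system"]

# Strings an analyst expects to find in a Mirai-family table (assumed crib list).
CRIBS = {b"/bin/busybox", b"admin", b"/proc/", b"User-Agent: "}

def build_table(strings, keys):
    """Obfuscate each string with the next key in rotation (assumed layout)."""
    return [xor_bytes(s, keys[i % len(keys)]) for i, s in enumerate(strings)]

def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)

def recover_keys(table, cribs):
    """Known-plaintext step: try all 256 single-byte keys on every entry and keep
    any key that turns an entry into a string the analyst already expects."""
    found = set()
    for entry in table:
        for key in range(256):
            if xor_bytes(entry, key) in cribs:
                found.add(key)
    return sorted(found)

def decode_with_single_key(table, key):
    """What an analyst gets after assuming one key for the whole table."""
    return [xor_bytes(e, key) for e in table]

def decode_with_key_set(table, keys):
    """Try every recovered key on each entry; accept a decoding only when exactly
    one key yields printable ASCII, otherwise leave the entry unresolved (None)."""
    out = []
    for entry in table:
        plausible = [c for c in (xor_bytes(entry, k) for k in keys)
                     if is_printable_ascii(c)]
        out.append(plausible[0] if len(plausible) == 1 else None)
    return out

def count_plausible(decoded):
    """Number of entries that decoded to something that looks like a real string."""
    return sum(1 for d in decoded if d is not None and is_printable_ascii(d))

if __name__ == "__main__":
    table = build_table(SAMPLE_STRINGS, SAMPLE_KEYS)
    one_key = decode_with_single_key(table, SAMPLE_KEYS[0])
    print("single key 0x22 decodes", count_plausible(one_key), "of", len(table))
    keys = recover_keys(table, CRIBS)
    print("keys recovered from cribs:", [hex(k) for k in keys])
    full = decode_with_key_set(table, keys)
    print("key set decodes", count_plausible(full), "of", len(table))
```

With the constructed table, the single-key pass recovers only the two entries that happen to use 0x22; the crib pass recovers all four keys and the key-set pass decodes every entry. The accept-only-if-unique rule in `decode_with_key_set` matters: two candidate keys that both give printable output should be resolved by hand rather than guessed.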
When propagating to other devices, the botnet brute-forces Telnet/SSH logins using default or weak credentials. Unit 42 noted that earlier malware variants used both Telnet/SSH brute forcing and vulnerability exploitation to propagate, while later samples did not use the scanner.
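The credential-guessing behaviour described above leaves a recognisable trace in authentication logs: one source failing against several accounts in quick succession, many of them factory defaults. The following added example (defender-side code, not from Unit 42 or the malware) runs that check over sshd log lines. The log lines are constructed, and the thresholds and the list of default account names are assumptions chosen for the demonstration.

```python
# Added example (defender side): flag sources that fail authentication against many
# accounts, the pattern left by Mirai-style Telnet/SSH credential guessing. The log
# lines, the thresholds and the default-account list are constructed assumptions.
import re
from collections import defaultdict

# Matches OpenSSH failure lines, including the "invalid user" form for unknown names.
LOG_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Assumed list of account names that ship as defaults on many IoT devices.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "support", "guest"}

# Constructed sshd log excerpt: one scanner, one typo-prone legitimate user,
# and one source with a few failures against a single account.
SAMPLE_LOG = """\
Feb 14 10:01:02 cam01 sshd[412]: Failed password for root from 198.51.100.7 port 51022 ssh2
Feb 14 10:01:03 cam01 sshd[413]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Feb 14 10:01:03 cam01 sshd[414]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Feb 14 10:01:04 cam01 sshd[415]: Failed password for invalid user user from 198.51.100.7 port 51025 ssh2
Feb 14 10:01:05 cam01 sshd[416]: Failed password for invalid user support from 198.51.100.7 port 51026 ssh2
Feb 14 10:01:05 cam01 sshd[417]: Failed password for invalid user guest from 198.51.100.7 port 51027 ssh2
Feb 14 10:02:10 cam01 sshd[420]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Feb 14 10:02:14 cam01 sshd[420]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
Feb 14 10:03:30 cam01 sshd[431]: Failed password for root from 203.0.113.5 port 60000 ssh2
Feb 14 10:03:31 cam01 sshd[432]: Failed password for root from 203.0.113.5 port 60001 ssh2
Feb 14 10:03:32 cam01 sshd[433]: Failed password for root from 203.0.113.5 port 60002 ssh2
"""

def parse_failures(lines):
    """Aggregate failed logins per source address: total count and distinct accounts."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated lines are ignored
        stats = per_ip[m.group("ip")]
        stats["failures"] += 1
        stats["users"].add(m.group("user"))
    return per_ip

def flag_bruteforce(per_ip, min_failures=5, min_users=3):
    """Alert on sources with many failures spread over several accounts, and record
    which of the tried accounts are factory defaults. Thresholds are assumptions."""
    alerts = []
    for ip, stats in per_ip.items():
        if stats["failures"] >= min_failures and len(stats["users"]) >= min_users:
            alerts.append({
                "ip": ip,
                "failures": stats["failures"],
                "users": sorted(stats["users"]),
                "default_accounts": sorted(stats["users"] & DEFAULT_ACCOUNTS),
            })
    return sorted(alerts, key=lambda a: a["ip"])

def scan_log(text: str):
    """Convenience wrapper: parse a log blob and return the alerts."""
    return flag_bruteforce(parse_failures(text.splitlines()))

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['failures']} failures across "
              f"{len(alert['users'])} accounts, defaults tried: {alert['default_accounts']}")
```

Only the source that sprays default account names is flagged; the single-account source stays below the failure threshold and the legitimate user's two mistakes never reach the account-spread threshold. In production the same aggregation would run over a sliding time window rather than a whole file, and a Telnet daemon's log format would need its own pattern.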
Finally, compromised devices receive DDoS commands directly from the C2, including TCP, UDP, SYN, and HTTP flooding methods.
V3G4's operators are likely selling DDoS services to customers who want to disrupt specific websites or online services.
However, this variant is currently not tied to a specific service.
As always, the best way to protect your devices from Mirai-like infections is to change the default password and install the latest security updates.