Hackers Exploiting 0-day RCE Flaws in the Wild to Deploy Mirai Malware

The Mirai botnet is a malicious network of infected computers, routers, and IoT devices harnessed by cybercriminals to launch large-scale DDoS attacks. 

The destructiveness of Mirai lies in its ability to compromise and control a multitude of connected devices that enables its operators to do the following illicit things:-

  • Disrupt online services
  • Cause widespread internet outages

In late October 2023, Akamai SIRT researchers observed increased activity in their honeypots targeting an uncommon TCP port. They found that hackers are actively exploiting the 0-day RCE flaws in the wild to deploy Mirai malware.

The probes, starting with a burst and peaking at 20 attempts daily, focused on authentication via a POST request and command injection

The targeted devices were unknown until November 9, 2023. When an unusual HTTP response header was found during an internet-wide scan, doubts were first expressed regarding the authenticity of the machines that were found to match the intended profile.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Hackers Exploiting 0-day RCE Flaws

Akamai SIRT observed a rise in activity targeting a rarely used TCP port, revealing a potential zero-day exploit in NVR devices. The attack involved client-side JavaScript encryption on landing pages, leading to plaintext credentials. 

Further investigation pointed to a specific NVR manufacturer, confirming the observed default credentials from their product manuals. The vendor acknowledged the zero-day and plans a fix by December 2023. 

Additionally, the campaign showed a second zero-day exploit targeting outlet-based wireless LAN routers for hotels and residential use, with details expected in December from the respective vendor.

This Mirai botnet activity, centered around the JenX variant, notably recruits IoT devices using Grand Theft Auto. The C2 domains share IP overlaps and synchronized infrastructure changes. 

Notably, IP addresses had limited C2 domain resolutions, unlike the common pattern. The JenX Mirai variant prints a unique string upon compromise, like ‘gosh that Chinese family…’ possibly linked to the dull domain names. 

One malware sample associated with this behavior was sent to the domain ‘iaxtpa[.]parody’ from the C2 IP 45.142.182[.]96.

C2 addresses link to CIDR block 5.181.80.0/24, and the domains show overlap in IP resolutions, changing at specific times. The cluster uses JenX and hailBot Mirai variants. JenX filenames are “jkxl,” and hailBot filenames are “skid.” 

ELF binary links (Source - Akamai)
ELF binary links (Source – Akamai)

Sample “skid.mpsl” echoes this string, sourced from C2 server 5.181.80[.]120, connecting to husd8uasd9[.]online. DStatCC channel mentions C2 infrastructure; the user with a deleted Telegram account references “infectedchink[.]cat” as “old ICANN domain.” 

Current domains run over OpenNIC, while the user lists proxy infra IPs and shares bot screenshots (Telnet, Vacron, ntel, UTT-Bots). PasteBin dump by “@RedDrip7” reveals C2 domains targeting Russian news sites in May 2023. Mirai’s code in October 2023 is unchanged from April 2023, indicating minimal modification.

IOCs

SHA256SUMs:

dabdd4b5a3a70c64c031126fad36a4c45feb69a45e1028d79da6b443291addb8  arm
3f3c2e779f8e3d7f2cc81536ef72d96dd1c7b7691b6e613f5f76c3d02909edd8  arm5
75ef686859010d6164bcd6a4d6cf8a590754ccc3ea45c47ace420b02649ec380  arm6
f8abf9fb17f59cbd7381aa9f5f2e1952628897cee368defd6baa6885d74f3ecc  arm7
8777f9af3564b109b43cbcf1fd1a24180f5cf424965050594ce73d754a4e1099  kdvrarm7
ac43c52b42b123e2530538273dfb12e3b70178aa1dee6d4fd5198c08bfeb4dc1  mips
a4975366f0c5b5b52fb371ff2cb034006955b3e3ae064e5700cc5365f27a1d26  mpsl
cd93264637cd3bf19b706afc19944dfb88cd27969aaf0077559e56842d9a0f87  nigga.sh
8e64de3ac6818b4271d3de5d8e4a5d166d13d12804da01ce1cdb7510d8922cc6  ok.sh
35fcc2058ae3a0af68c5ed7452e57ff286abe6ded68bf59078abd9e7b11ea90a  ppc
7cc62a1bb2db82e76183eb06e4ca84e07a78cfb71241f21212afd1e01cb308b2  sh4
29f11b5d4dbd6d06d4906b9035f5787e16f9e23134a2cc43dfc1165127c89bff  spc
cfbcbb876064c2cf671bdae61544649fa13debbbe58b72cf8c630b5bfc0649f9  x86a3b78818bbef4fd55f704c96c203765b5ab37723bc87aac6aa7ebfcc76dfa06d  mpsl
ac43c52b42b123e2530538273dfb12e3b70178aa1dee6d4fd5198c08bfeb4dc1  mips

Malware samples:

arm:      ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm5:     ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm6:     ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
arm7:     ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
kdvrarm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
mips:     ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mpsl:     ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nigga.sh: ASCII text
ok.sh:    ASCII text
ppc:      ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
sh4:      ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
spc:      ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
x86:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.