Mirai Botnet Variant Opens Tenda, Zyxel Gear to RCE, DDoS

A variant of the Mirai botnet exploits four different device vulnerabilities to add popular Linux-based servers and Internet of Things (IoT) devices to a botnet capable of network-based attacks, including distributed denial-of-service (DDoS) attacks.

A team at Palo Alto Networks' Unit 42 observed this variant, dubbed IZ1H9, being used in an April 10 attack that exploited the following vulnerabilities: two command injection flaws, CVE-2023-27076, affecting Tenda G103 devices, and CVE-2023-26801, affecting LB-Link devices; and two remote code execution (RCE) flaws, CVE-2023-26802, affecting the DCN DCBI-Netlog-LAB, and a fourth vulnerability, with no CVE assigned, affecting Zyxel devices.

While IZ1H9 appears to be used primarily for DDoS attacks, the impact of an infection could be more severe, because each of the exploited vulnerabilities ultimately gives the attacker remote code execution on the device, the researchers said.

RCE is high on the list of things enterprises do not want to experience, because it means vulnerable devices can be easily and completely taken over by attackers, often for a long time, and can become a persistent threat.

No business wants a compromised IoT device on its network being used to attack others, or even the business itself, without its knowledge.

Since November 2021, Unit 42 researchers have observed IZ1H9 being used by a single threat actor or group in more than one attack, although the malware has existed in some form since 2018.

They attribute multiple recent attacks to the same actor based on several factors, including the nearly identical shell script downloader used in each incident. In addition, botnet samples recovered from these attacks share nearly identical functionality, the same XOR decryption keys and the same infrastructure.

IZ1H9 Attack and Malware Analysis

During the April 10 attack, the researchers observed unusual traffic on their threat-hunting systems: the attackers attempted to download and execute the shell script downloader lb.sh from the IP address 163.123.143.126.

If executed, the shell script downloader first deletes logs to hide its tracks, then downloads and executes multiple bot clients built for different Linux architectures, the researchers said.

In the final step of the attack, the shell script downloader modifies the device's iptables rules to block inbound connections to several ports, including SSH, telnet and HTTP, so that the victim can no longer connect remotely to recover the infected device.

Before running, IZ1H9 checks the network portion of the infected device's IP address against a list of IP ranges it avoids, including those belonging to government networks, internet providers and large technology companies.

This behavior suggests the botmasters want to avoid these networks so they can keep operating over the long term and stay off the radar of those most likely to be watching for, and blocking, their activity.

The botnet client prints the word "Darknet" to the console and includes a check that ensures only one instance of the malware is running on the device. If a botnet process already exists, the client terminates it and starts a new one.

The botnet client also carries a list of process names belonging to other Mirai variants and other botnet malware families; it compares the names of processes running on the infected host against that list and terminates any that match.

Mitigating Mirai Variant Botnet Threat

Mirai has notoriously spawned many variants since its source code leaked in 2016, including one that exploits nine vulnerabilities in various devices and another, BotenaGo, that can exploit as many as 30.

To protect against this Mirai variant, anyone with vulnerable devices in their infrastructure is advised to update them to the latest firmware version, applying any available patches.

Organizations can also protect their networks with firewalls and threat-prevention systems that detect exploit attempts in real time, and with URL filtering and DNS security that block known command-and-control domains and malware-hosting URLs.

Blocking ports 80 (HTTP), 22 (SSH) and 23 (Telnet) on public-facing devices is a sensible step toward mitigating such attacks.

Never leave one of these ports open on any device, even one that is supposedly inaccessible from the Internet: when organizations do make such devices reachable, open management ports lead directly to a botnet problem.
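The lockout the downloader performs (described above in the attack analysis: SSH, telnet and HTTP dropped so the owner cannot get back in) and the exposure this section warns against (those same ports accepted from anywhere) are two states of the same INPUT chain. The audit below, added here as an example and not code from the article or from Unit 42, parses `iptables -S INPUT` output and reports both conditions. The management network `mgmt_net`, the three sample listings and the heuristic that "all management ports dropped with no trusted ACCEPT first" equals a lockout are assumptions for the example, not details from the report.

```python
"""Audit an `iptables -S INPUT` listing for (a) an IZ1H9-style lockout of
SSH/telnet/HTTP and (b) management ports accepted from untrusted sources.
Added example; not code from the article or Unit 42. mgmt_net and the
sample listings are constructed."""
import ipaddress
import re

MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}

# iptables -S / iptables-save rule syntax; only the options we care about.
_RULE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*?)\s-j\s+(?P<target>\S+)\s*$")
_OPT = re.compile(r"(?:^|\s)(?P<neg>!\s+)?(?P<opt>--dport|-s|--source|-p|-i)\s+(?P<val>\S+)")


def parse_rule(line):
    """Return a dict for an `-A` rule, or None for policy/chain/blank lines."""
    m = _RULE.match(line.strip())
    if not m:
        return None
    rule = {"chain": m["chain"], "target": m["target"], "proto": None,
            "dport": None, "src": None, "src_negated": False, "iface": None}
    for opt in _OPT.finditer(m["body"]):
        name, val, neg = opt["opt"], opt["val"], bool(opt["neg"])
        if name == "--dport":
            rule["dport"] = int(val) if val.isdigit() else val
        elif name in ("-s", "--source"):
            rule["src"], rule["src_negated"] = val, neg
        elif name == "-p":
            rule["proto"] = val
        elif name == "-i":
            rule["iface"] = val
    return rule


def audit_input_chain(listing, mgmt_net="10.0.0.0/8"):
    """Classify INPUT rules that match a management port.

    Returns (lockout, exposed):
      lockout - True when every management port is DROP/REJECTed for all
                sources and none is ACCEPTed from mgmt_net first, i.e. the
                owner has no remote path left (the post-infection state).
      exposed - rules that ACCEPT a management port from any source or
                from a source outside mgmt_net (the state to avoid on a
                public-facing device).
    iptables is first-match, so a rule only counts if nothing earlier in
    the chain has already decided that port for every source.
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    guarded, decided, exposed = set(), {}, []
    for line in listing.splitlines():
        r = parse_rule(line)
        if r is None or r["chain"] != "INPUT" or r["dport"] not in MGMT_PORTS:
            continue
        port, any_source = r["dport"], r["src"] is None
        trusted = False
        if not any_source and not r["src_negated"]:
            src = ipaddress.ip_network(r["src"], strict=False)
            trusted = src.version == mgmt.version and src.subnet_of(mgmt)
        if r["target"] == "ACCEPT":
            if trusted:
                if port not in decided:          # not shadowed by an earlier catch-all
                    guarded.add(port)
            elif port not in decided:
                exposed.append(line.strip())
                if any_source:
                    decided[port] = "open"
        elif r["target"] in ("DROP", "REJECT") and any_source:
            decided.setdefault(port, "dropped")
    lockout = not guarded and all(decided.get(p) == "dropped" for p in MGMT_PORTS)
    return lockout, exposed


# Constructed sample: chain after a downloader has locked the owner out.
INFECTED = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed sample: management ports reachable from the whole Internet.
EXPOSED = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed sample: SSH only from the management range, rest dropped.
# The trailing DROPs are the owner's choice, not a lockout.
HARDENED = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

if __name__ == "__main__":
    for name, listing in (("infected", INFECTED), ("exposed", EXPOSED), ("hardened", HARDENED)):
        lockout, exposed = audit_input_chain(listing)
        print(f"{name:9s} lockout={lockout} exposed={len(exposed)}")
        for rule in exposed:
            print("   ", rule)
```

On a real device, feed it `iptables -S INPUT` (or the INPUT section of `iptables-save`) and treat a `lockout` result on a box you did not harden yourself as an incident, not a configuration bug; the `exposed` list is the pre-infection finding to fix before the device ever goes public-facing.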

A major problem with remediating this situation is that IoT device makers often open these ports as soon as the device comes online, which is "total negligence."

In fact, there should be an international governing body "to hold these IoT manufacturers accountable for their devices being infected by botnets and then used to attack other people."

It seems that some kind of penalty is the only way to make manufacturers tighten the security of the devices they make and sell to others.


Source: blog.csdn.net/qq_29607687/article/details/131031338