IoT.Linux.MIRAI.DLEV

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Performs various DDOS attacks

It connects to the following websites to send and receive information:

• http://faygox.{BLOCKED}s.org

Other Details

This Backdoor does the following:

• It uses the following credentials to try to login to other devices:
  • taZz@23495859
  • tsgoingon
  • solokey
  • default
  • guest
  • telnetadmin
  • 12345
  • 123456
  • 54321
  • 88888888
  • 20080826
  • 666666
  • 1001chin
  • xc3511
  • jvbzd
  • hg2x0
  • Zte521
  • grouter
  • telnet
  • oelinux123
  • tl789
  • GM8182
  • hunt5759
  • telecoadmin
  • twe8ehome
  • nmgx_wapia
  • private
  • abc123
  • ROOT500
  • ahetzip8
  • ascend
  • blender
  • cat1029
  • changeme
  • iDirect
  • nflection
  • ipcam_rt5350
  • swsbzkgn
  • juantech
  • password
  • svgodie
  • t0talc0ntr0l4!
  • zhongxing
  • zsun1188
  • xmhdipc
  • klv123
  • hi3518
  • 7ujMko0vizxv
  • 7ujMko0admin
  • dreambox
  • system
  • realtek
  • 00000000
  • 12341234
  • huigu309
  • win1dows
  • antslq
• It may spread to other devices by taking advantage of the following vulnerabilities:
  • Huawei Router HG532 - Arbitrary Command Execution (CVE-2017-17215)
  • GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561)
  • ThinkPHP vulnerability
• It displays the following string once executed in the command line:
  • LuckyGhost