Mirai Updates: New Variant Mukashi Targets NAS Devices, New Vulnerability Exploited in GPON Routers, UPX-Packed FBot

Additional insights by Arjun Baltazar, Earle Maui Earnshaw, Augusto II Remillano, and Jakub Urbanec

Researchers observed a number of new developments related to the internet of things (IoT) malware Mirai: A new Mirai variant named Mukashi was found attacking network-attached storage (NAS) devices, a new vulnerability in GPON routers was exploited by Mirai, and a UPX-packed Fbot variant was detected by a Trend Micro honeypot.

Mirai is a type of malware that actively searches for vulnerabilities in IoT devices. It then infects these devices, turning them into bots that will infect other devices.Mirai botnets can be used for distributed denial of service (DDoS) attacks.

Mukashi targeting network-attached storage devices

A new variant of Mirai named Mukashi is attacking NAS devices, according to researchers at Palo Alto Networks.

Mukashi takes advantage of the vulnerability CVE-2020-9054 found in Zyxel NAS devices running firmware version 5.21, allowing remote attackers to execute malicious code on the affected system. The malware uses brute force attacks through default credentials to log into Zyxel NAS products. Once successfully logged in, attackers can take control of the devices and add them to a botnet that can be used to perform distributed denial of service (DDoS) attacks.

Trend Micro™ Deep Discovery Inspector™ proactively detects against CVE-2020-9054 with DDI Rule: 4362 - “CVE-2020-9054 - ZYXEL NAS  - HTTP (REQUEST)”.

Indicators of Compromise

SHA-1 Trend Micro Predictive Machine Learning Detection
11e966c98663a630ef113c1081045c2b38a4ff96 Backdoor.Linux.MIRAI.VWISF
3df8746e3ef355197d057e4083db7be34f4be336 Backdoor.Linux.MIRAI.VWISF
42ecd022fef7ebc385030d8a52584c6fb8239fcb
Backdoor.Linux.MIRAI.VWISF
4c3debfd1f13c0c150678dfe0fe67dab6ea14fa5 Backdoor.Linux.MIRAI.VWISF
649a728c78c493bb312b22e45b2c290b3a069777 Backdoor.Linux.MIRAI.VWISF
ed6b744189b8728435843f5b08b6bb9102b0f740 Backdoor.Linux.MIRAI.VWISF
f65e9c76d2099f2f7489e0c67486afd485a4602f Backdoor.Linux.MIRAI.VWISF
592656fcee7c75602caeaa8987f8f6e6b5d1a181 Trojan.SH.MIRAI.B

URLs:

  • hxxp://45[.]84[.]196[.]75/bins/arm[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/arm5[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/arm6[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/arm7[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/mips[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/mpsl[.]bot
  • hxxp://45[.]84[.]196[.]75/bins/x86[.]bot
  • hxxp://45[.]84[.]196[.]75/zi

New vulnerability in GPON routers targeted by Mirai

Trend Micro researchers observed a Mirai variant exploiting a recently discovered vulnerability in Netlink GPON routers. A successful exploit can lead to remote code execution that allows attackers to take over devices.

The sample uses simple substitution cipher to obfuscate its C&C. The alphabet used for the cipher is XOR-encrypted using the XOR key 0x59.

Trend Micro™ Deep Discovery Inspector™ proactively defends against this exploit through this rule: DDI Rule 4374: “NETLINK GPON RCE EXPLOIT - HTTP(Request)”

Indicators of compromise

SHA-1 Trend Micro Predictive Machine Learning Detection
40166d2b24dde4a778528749256b9db97acce087 Backdoor.Linux.GAFGYT.AOI
bc454b7eb82975c9fce4e62ca1d7ba8bc7f33c37 Backdoor.Linux.GAFGYT.AOI
3e4eea50fe85c7fb119b69e6e7a09d47541ac545
Backdoor.Linux.MIRAI.VWISG
c41cc0c052de6e8d174151dbb54d98d22ba4d4b9 Backdoor.Linux.MIRAI.VWISG
df92e4a9f62dede19c25b73d78644c1fd5a91956 Backdoor.Linux.MIRAI.VWISG
f8005ea1a6652693822a58711ab257c7ea5956aa Backdoor.Linux.MIRAI.VWISG

URLs:

  • 194[.]180[.]224[.]249/muck.sh
  • 194[.]180[.]224[.]249/rispek.arm4
  • 194[.]180[.]224[.]249/rispek.arm7
  • 194[.]180[.]224[.]249/rispek.arm5
  • 194[.]180[.]224[.]249/rispek.mips
  • 194[.]180[.]224[.]249/rispek.mipsel
  • 194[.]180[.]224[.]249/rispek.x86_64

UPX-Packed FBot Variant from Trend Micro Honeypot

Trend Micro researchers found a sample for a variant of FBot (an offshoot of Mirai) that can enable remote code execution. The sample is packed via UPX:

  • 78c9b0ba6955c05a339bf169066e0ef392c81c2f (Possible UPX at: 179 with UPX HEX: 08:5a:65:08 translated as:', '\x08Ze\x08') 

Some of the strings are encrypted using XOR cipher with 0x22 key. The sample contains the HEX binaries, possibly for downloaders for different CPU architectures:

  • 3ef538fc423177583cddeaa682cd570b332f0629: ELF 32-bit LSB executable, ARM, version 1 (ARM)
  • 666c60f48f2bb74877e9c56b6845dac4ab63c57b: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
  • a9a9c1835d1a38f8473101f2d034da973250d0bf: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
  • df709104bc569cbe9dae3895cf6148c388af2138: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
  • e23835bdaffda212c5f7b127ac7dc33a530401fd: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

Trend Micro™ Deep Discovery Inspector™ proactively detects this sample via this rule:

  • DDI RULE: 2578 "CVE-2017-17215 - Remote Code Execution - HTTP (Request)"
  • DDI RULE: 2385 "SOAP RCE EXPLOIT - HTTP (Request)"
  • DDI RULE: 2623 "Remote Code Execution - HTTP (Request) - Variant 2"
  • DDI RULE: 2544 "JAWS Remote Code Execution Exploit - HTTP (Request)"

Indicator of Compromise

SHA-256 Trend Micro Predictive Machine Learning Detection
93d05874b0ce0964b9e6808845b209895c5fbd10ca0b24cb23601775a61cbd9b IoT.Linux.MIRAI.DLEX

Thwarting Mirai Malware

Enterprises and users can protect their IoT devices from Mirai by following these recommendations:

  • Properly configure security settings, and change default passwords
  • Monitor network traffic to detect any suspicious activity
  • Deploy patches and updates to defend against old and new threats

[Read:  Securing Your Routers Against Mirai and Other Home Network Attacks]

Users can also benefit from security solutions that can provide detection, in-depth analysis, and proactive response to threats.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.