- Mirai Updates: New Variant Mukashi Targets NAS Devices, New Vulnerability Exploited in GPON Routers, UPX-Packed FBot
Additional insights by Arjun Baltazar, Earle Maui Earnshaw, Augusto II Remillano, and Jakub Urbanec
Researchers observed a number of new developments related to the internet of things (IoT) malware Mirai: A new Mirai variant named Mukashi was found attacking network-attached storage (NAS) devices, a new vulnerability in GPON routers was exploited by Mirai, and a UPX-packed FBot variant was detected by a Trend Micro honeypot.
Mirai is a type of malware that actively searches for vulnerabilities in IoT devices. It then infects these devices, turning them into bots that will infect other devices. Mirai botnets can be used for distributed denial of service (DDoS) attacks.
A new variant of Mirai named Mukashi is attacking NAS devices, according to researchers at Palo Alto Networks.
Mukashi takes advantage of the vulnerability CVE-2020-9054 found in Zyxel NAS devices running firmware version 5.21, allowing remote attackers to execute malicious code on the affected system. The malware uses brute force attacks through default credentials to log into Zyxel NAS products. Once successfully logged in, attackers can take control of the devices and add them to a botnet that can be used to perform distributed denial of service (DDoS) attacks.
Trend Micro™ Deep Discovery Inspector™ proactively detects exploitation of CVE-2020-9054 with DDI Rule 4362: “CVE-2020-9054 - ZYXEL NAS - HTTP (REQUEST)”.
Trend Micro researchers observed a Mirai variant exploiting a recently discovered vulnerability in Netlink GPON routers. A successful exploit can lead to remote code execution that allows attackers to take over devices.
The sample uses a simple substitution cipher to obfuscate its C&C. The alphabet used for the cipher is itself XOR-encrypted with the key 0x59.
Trend Micro™ Deep Discovery Inspector™ proactively defends against this exploit through this rule: DDI Rule 4374: “NETLINK GPON RCE EXPLOIT - HTTP(Request)”
Trend Micro researchers found a sample for a variant of FBot (an offshoot of Mirai) that can enable remote code execution. The sample is packed with UPX.
Some of the strings are encrypted using an XOR cipher with the key 0x22. The sample also contains hex-encoded binaries, possibly downloaders for different CPU architectures.
Trend Micro™ Deep Discovery Inspector™ proactively detects this sample via this rule:
SHA-256 | Trend Micro Predictive Machine Learning Detection |
93d05874b0ce0964b9e6808845b209895c5fbd10ca0b24cb23601775a61cbd9b | IoT.Linux.MIRAI.DLEX |
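The two obfuscation layers described above (a substitution cipher whose alphabet is XOR-encrypted with 0x59 in the GPON sample, and strings XOR-encrypted with 0x22 in the FBot sample) can be undone during static analysis as in this added example, which is not code from the original article or from the samples. The plaintext character set, the positional mapping between alphabets, the function names, and all sample bytes are assumptions constructed for illustration.

```python
import re
import string

XOR_ALPHABET_KEY = 0x59   # key the article gives for the GPON sample's cipher alphabet
XOR_STRING_KEY = 0x22     # key the article gives for the FBot sample's strings

# ASSUMPTION (not from the article): plaintext charset and positional mapping.
PLAIN = (string.ascii_lowercase + string.digits + ".-:/").encode()

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def build_decode_table(enc_alphabet: bytes, key: int = XOR_ALPHABET_KEY) -> dict:
    """Undo the XOR layer on the stored alphabet, then map cipher byte -> plain byte."""
    cipher = xor_bytes(enc_alphabet, key)
    if len(cipher) != len(PLAIN) or len(set(cipher)) != len(cipher):
        raise ValueError("alphabet is not a permutation of the expected size")
    return dict(zip(cipher, PLAIN))

def decode_c2(blob: bytes, table: dict) -> str:
    """Apply the substitution; bytes outside the alphabet pass through unchanged."""
    return bytes(table.get(b, b) for b in blob).decode("ascii", "replace")

def xor_strings(blob: bytes, key: int = XOR_STRING_KEY, min_len: int = 6) -> list:
    """XOR a data region and return printable ASCII runs of at least min_len.
    Caveat: an unencoded 0x00 becomes '"' under key 0x22 and can join two runs."""
    decoded = xor_bytes(blob, key)
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded)]

# --- constructed sample data (not taken from any real sample) ---
_CIPHER = PLAIN[::-1]                                    # made-up permutation
SAMPLE_ENC_ALPHABET = xor_bytes(_CIPHER, XOR_ALPHABET_KEY)
SAMPLE_ENC_C2 = bytes(_CIPHER[PLAIN.index(b)] for b in b"c2.example.invalid")
SAMPLE_STRINGS = xor_bytes(
    b"\x00\x01sample-string-A\x00\x02sample-string-B\x00", XOR_STRING_KEY)

if __name__ == "__main__":
    table = build_decode_table(SAMPLE_ENC_ALPHABET)
    print(decode_c2(SAMPLE_ENC_C2, table))
    print(xor_strings(SAMPLE_STRINGS))
```

A UPX-packed sample has to be unpacked before either routine will find anything, since the encoded data is compressed inside the packed image.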
Enterprises and users can protect their IoT devices from Mirai by following these recommendations:
[Read: Securing Your Routers Against Mirai and Other Home Network Attacks]
Users can also benefit from security solutions that can provide detection, in-depth analysis, and proactive response to threats.