Mirai Updates: New Variant Mukashi Targets NAS Devices, New Vulnerability Exploited in GPON Routers, UPX-Packed FBot

Additional insights by Arjun Baltazar, Earle Maui Earnshaw, Augusto II Remillano, and Jakub Urbanec

Researchers observed a number of new developments related to the internet of things (IoT) malware Mirai: A new Mirai variant named Mukashi was found attacking network-attached storage (NAS) devices, a new vulnerability in GPON routers was exploited by Mirai, and a UPX-packed Fbot variant was detected by a Trend Micro honeypot.

Mirai is a type of malware that actively searches for vulnerabilities in IoT devices. It then infects these devices, turning them into bots that will infect other devices.Mirai botnets can be used for distributed denial of service (DDoS) attacks.

Mukashi targeting network-attached storage devices

A new variant of Mirai named Mukashi is attacking NAS devices, according to researchers at Palo Alto Networks.

Mukashi takes advantage of the vulnerability CVE-2020-9054 found in Zyxel NAS devices running firmware version 5.21, allowing remote attackers to execute malicious code on the affected system. The malware uses brute force attacks through default credentials to log into Zyxel NAS products. Once successfully logged in, attackers can take control of the devices and add them to a botnet that can be used to perform distributed denial of service (DDoS) attacks.

Trend Micro™ Deep Discovery Inspector™ proactively detects against CVE-2020-9054 with DDI Rule: 4362 - “CVE-2020-9054 - ZYXEL NAS  - HTTP (REQUEST)”.

Indicators of Compromise

URLs:

• hxxp://45[.]84[.]196[.]75/bins/arm[.]bot
• hxxp://45[.]84[.]196[.]75/bins/arm5[.]bot
• hxxp://45[.]84[.]196[.]75/bins/arm6[.]bot
• hxxp://45[.]84[.]196[.]75/bins/arm7[.]bot
• hxxp://45[.]84[.]196[.]75/bins/mips[.]bot
• hxxp://45[.]84[.]196[.]75/bins/mpsl[.]bot
• hxxp://45[.]84[.]196[.]75/bins/x86[.]bot
• hxxp://45[.]84[.]196[.]75/zi

New vulnerability in GPON routers targeted by Mirai

Trend Micro researchers observed a Mirai variant exploiting a recently discovered vulnerability in Netlink GPON routers. A successful exploit can lead to remote code execution that allows attackers to take over devices.

The sample uses simple substitution cipher to obfuscate its C&C. The alphabet used for the cipher is XOR-encrypted using the XOR key 0x59.

Trend Micro™ Deep Discovery Inspector™ proactively defends against this exploit through this rule: DDI Rule 4374: “NETLINK GPON RCE EXPLOIT - HTTP(Request)”

Indicators of compromise

URLs:

• 194[.]180[.]224[.]249/muck.sh
• 194[.]180[.]224[.]249/rispek.arm4
• 194[.]180[.]224[.]249/rispek.arm7
• 194[.]180[.]224[.]249/rispek.arm5
• 194[.]180[.]224[.]249/rispek.mips
• 194[.]180[.]224[.]249/rispek.mipsel
• 194[.]180[.]224[.]249/rispek.x86_64

UPX-Packed FBot Variant from Trend Micro Honeypot

Trend Micro researchers found a sample for a variant of FBot (an offshoot of Mirai) that can enable remote code execution. The sample is packed via UPX:

• 78c9b0ba6955c05a339bf169066e0ef392c81c2f (Possible UPX at: 179 with UPX HEX: 08:5a:65:08 translated as:', '\x08Ze\x08') 

Some of the strings are encrypted using XOR cipher with 0x22 key. The sample contains the HEX binaries, possibly for downloaders for different CPU architectures:

• 3ef538fc423177583cddeaa682cd570b332f0629: ELF 32-bit LSB executable, ARM, version 1 (ARM)
• 666c60f48f2bb74877e9c56b6845dac4ab63c57b: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
• a9a9c1835d1a38f8473101f2d034da973250d0bf: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
• df709104bc569cbe9dae3895cf6148c388af2138: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
• e23835bdaffda212c5f7b127ac7dc33a530401fd: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

Trend Micro™ Deep Discovery Inspector™ proactively detects this sample via this rule:

• DDI RULE: 2578 "CVE-2017-17215 - Remote Code Execution - HTTP (Request)"
• DDI RULE: 2385 "SOAP RCE EXPLOIT - HTTP (Request)"
• DDI RULE: 2623 "Remote Code Execution - HTTP (Request) - Variant 2"
• DDI RULE: 2544 "JAWS Remote Code Execution Exploit - HTTP (Request)"

Indicator of Compromise

Thwarting Mirai Malware

Enterprises and users can protect their IoT devices from Mirai by following these recommendations:

• Properly configure security settings, and change default passwords
• Monitor network traffic to detect any suspicious activity
• Deploy patches and updates to defend against old and new threats

[Read:  Securing Your Routers Against Mirai and Other Home Network Attacks]

Users can also benefit from security solutions that can provide detection, in-depth analysis, and proactive response to threats.