Additional insights by Arjun Baltazar, Earle Maui Earnshaw, Augusto II Remillano, and Jakub Urbanec
Researchers observed a number of new developments related to the internet of things (IoT) malware Mirai: A new Mirai variant named Mukashi was found attacking network-attached storage (NAS) devices, a new vulnerability in GPON routers was exploited by Mirai, and a UPX-packed Fbot variant was detected by a Trend Micro honeypot.
Mirai is a type of malware that actively searches for vulnerabilities in IoT devices. It then infects these devices, turning them into bots that will infect other devices. Mirai botnets can be used for distributed denial of service (DDoS) attacks.
A new variant of Mirai named Mukashi is attacking NAS devices, according to researchers at Palo Alto Networks.
Mukashi takes advantage of the vulnerability CVE-2020-9054 found in Zyxel NAS devices running firmware version 5.21, allowing remote attackers to execute malicious code on the affected system. The malware uses brute force attacks through default credentials to log into Zyxel NAS products. Once successfully logged in, attackers can take control of the devices and add them to a botnet that can be used to perform distributed denial of service (DDoS) attacks.
New vulnerability in GPON routers targeted by Mirai
Trend Micro researchers observed a Mirai variant exploiting a recently discovered vulnerability in Netlink GPON routers. A successful exploit can lead to remote code execution that allows attackers to take over devices.
The sample uses a simple substitution cipher to obfuscate its C&C. The alphabet used for the cipher is itself XOR-encrypted with the key 0x59.
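For analysts recovering the C&C from a sample like this, the two layers described above can be undone in order: XOR-decode the stored alphabet, then reverse the substitution. This is an added example, not code from the sample or the original report; only the XOR key 0x59 comes from the text, while the plain alphabet, the same-index mapping direction, the rotated cipher alphabet and the hostname are assumptions constructed for illustration.

```python
# Added illustration: alphabets, blob and hostname are constructed, not from the sample.
import string

XOR_KEY = 0x59  # single-byte key stated in the write-up

# Assumed plaintext alphabet that the cipher maps back onto (hypothetical).
PLAIN = string.ascii_lowercase + string.digits + ".-:"


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_alphabet(stored: bytes) -> str:
    """Undo the XOR layer on the stored cipher alphabet and sanity-check it."""
    alphabet = xor_bytes(stored).decode("ascii")
    if len(alphabet) != len(PLAIN) or len(set(alphabet)) != len(alphabet):
        raise ValueError("decoded alphabet is not a unique set of the expected size")
    return alphabet


def decode_c2(obfuscated: str, stored_alphabet: bytes) -> str:
    """Map each cipher character to the plain character at the same index (assumed)."""
    cipher = recover_alphabet(stored_alphabet)
    unknown = set(obfuscated) - set(cipher)
    if unknown:
        raise ValueError(f"characters outside cipher alphabet: {sorted(unknown)}")
    return obfuscated.translate(str.maketrans(cipher, PLAIN))


# Constructed test data: a rotated alphabet stands in for the sample's shuffled one.
CONSTRUCTED_CIPHER = PLAIN[7:] + PLAIN[:7]
STORED_BLOB = xor_bytes(CONSTRUCTED_CIPHER.encode("ascii"))  # as it would sit in the binary
SAMPLE_PLAIN = "c2.example.invalid:23"  # reserved .invalid TLD, not a real host
SAMPLE_OBFUSCATED = SAMPLE_PLAIN.translate(str.maketrans(PLAIN, CONSTRUCTED_CIPHER))

if __name__ == "__main__":
    print("stored alphabet (hex):", STORED_BLOB.hex())
    print("obfuscated string    :", SAMPLE_OBFUSCATED)
    print("recovered C&C        :", decode_c2(SAMPLE_OBFUSCATED, STORED_BLOB))
```

The alphabet sanity check is what catches a wrong key guess early: a blob decoded with the wrong byte rarely yields a unique, correctly sized ASCII alphabet.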