Researchers found a new Mirai variant in the wild targeting smart signage TVs and wireless presentation systems commonly used by businesses. Analysis revealed that the variant uses both old and new exploits, and that the cybercriminals behind this botnet have also expanded its built-in list of credentials used to brute-force its way into internet of things (IoT) devices and networks that still use default passwords.
The new malware variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIPI and Backdoor.Linux.BASHLITE.AME) was first seen in early January 2019, hosted on a compromised website in Colombia that caters to the security and alarm integration business, which, according to Palo Alto's report, widens the possible impact to small and large businesses alike. Of the 27 exploits that this Mirai variant uses – previously used to target embedded devices such as IP cameras, network storage devices, and routers via Apache Struts – 11 are new to the malware family and specifically target WePresent WiPG-1000 wireless presentation systems and LG Supersign TVs.
Much like prior campaigns, the new botnet variant scans for exposed Telnet ports and attempts to log in to the devices it finds using default access credentials. It also scans for specific devices and unpatched systems and uses one of the exploits in its list to attack and infect them. It receives commands, such as instructions to launch HTTP flood DDoS attacks, from the command-and-control (C&C) server over port 3933.
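The two behaviours described above, Telnet scanning across many hosts and command traffic on port 3933, are both visible in ordinary firewall or flow logs. The following is an added example (not code from the article or from Trend Micro) of a small detector that flags an internal host that touches Telnet on many distinct destinations and any connection to the C&C port named in the article. The log format, the IP addresses, and the scan threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Ports the article associates with this variant: Telnet for scanning and
# credential brute-forcing (2323 is a common alternate Telnet port), and
# 3933 for receiving commands from the C&C server.
TELNET_PORTS = {23, 2323}
C2_PORT = 3933

# Constructed sample log in an assumed one-line-per-connection format:
# timestamp src_ip src_port dst_ip dst_port proto action
# 198.51.100.0/24 is a documentation range, not a real C&C address.
SAMPLE_LOG = """\
2019-01-15T10:00:01Z 10.0.5.23 51022 10.0.6.10 23 tcp allow
2019-01-15T10:00:01Z 10.0.5.23 51023 10.0.6.11 23 tcp allow
2019-01-15T10:00:02Z 10.0.5.23 51024 10.0.6.12 2323 tcp deny
2019-01-15T10:00:02Z 10.0.5.23 51025 10.0.6.13 23 tcp deny
2019-01-15T10:00:03Z 10.0.5.23 51026 10.0.6.14 23 tcp allow
2019-01-15T10:00:04Z 10.0.5.23 51027 10.0.6.15 23 tcp allow
2019-01-15T10:00:09Z 10.0.5.23 51030 198.51.100.77 3933 tcp allow
2019-01-15T10:00:10Z 10.0.5.40 40211 10.0.6.10 443 tcp allow
2019-01-15T10:00:11Z 10.0.5.40 40212 10.0.6.11 23 tcp allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect(log_text, scan_threshold=5):
    """Return Telnet scanners and C&C-port contacts found in the log.

    A source is reported as a Telnet scanner once it has contacted at least
    `scan_threshold` distinct destinations on a Telnet port; denied attempts
    count too, because a scanner does not care whether the port is open.
    """
    telnet_targets = defaultdict(set)
    c2_contacts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in TELNET_PORTS:
            telnet_targets[rec["src"]].add(rec["dst"])
        if rec["dport"] == C2_PORT:
            # Port 3933 alone is a weak indicator; pair it with the scanning
            # behaviour from the same host before treating it as an infection.
            c2_contacts.append((rec["src"], rec["dst"]))
    scanners = {
        src: len(dsts)
        for src, dsts in telnet_targets.items()
        if len(dsts) >= scan_threshold
    }
    return {"telnet_scanners": scanners, "c2_contacts": c2_contacts}


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for src, count in findings["telnet_scanners"].items():
        print(f"Telnet scan: {src} contacted {count} distinct hosts")
    for src, dst in findings["c2_contacts"]:
        print(f"Possible C&C traffic: {src} -> {dst}:{C2_PORT}")
```

Running the script on the constructed log reports one scanning host (10.0.5.23, which hit six distinct Telnet destinations) and one connection from the same host to port 3933; the second host, 10.0.5.40, touched Telnet only once and is not reported. The threshold and the time window over which distinct destinations are counted should be tuned to the size of the network being monitored.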
Trend Micro also found the previous Mirai variant, Yowai, in January, and cybercriminals are expected to continue using and developing Mirai to exploit the growing number of IoT devices on the market. Given the larger and more damaging effects of malware that infects business systems, IoT device users are advised to immediately change their default credentials to lock out bad actors using this particular method. Systems should also be patched immediately with the updates released by legitimate vendors to remove exploitable vulnerabilities.
Trend Micro solutions
Trend Micro™ Deep Discovery™
- 2539 AVTECH Authentication ByPass Exploit- HTTP (Request)
- 2713 AVTECH Command Injection Exploit - HTTP (Request)
- 2499 CVE-2016-10174 - NETGEAR Remote Code Execution - HTTP (Request)
- 2806 CVE-2016-1555 - Netgear Devices - Unauthenticated Remote Code Execution - HTTP (Request)
- 2755 CVE-2017-6884 Zyxel OS Command Injection Exploit - HTTP (Request)
- 2639 CVE-2018-10562 - GPON Remote Code Execution - HTTP (Request)
- 2544 JAWS Remote Code Execution Exploit - HTTP (Request)
- 2550 DLINK Command Injection Exploit - HTTP (Request)
- 2707 DLINK Command Injection Exploit - HTTP (Request) - Variant 2
- 2754 EnGenius EnShare Remote Code Execution Exploit - HTTP (Request)
- 2692 LINKSYS Unauthenticated Remote Code Execution Exploit - HTTP (Request)
- 2548 LINKSYS Remote Code Execution - HTTP (Request)
- 2452 Wget Commandline Injection
- 2536 Netgear ReadyNAS RCE Exploit - HTTP (Request)
- 2778 ZTE ZXV10 Remote Code Execution Exploit - HTTP (Request)
Trend Micro Smart Home Network™
- 1057404 WEB D-Link DIR-645, DIR-815 diagnostic.php Command Execution (BID-58938)
- 1132318 WEB D-Link DCS-930L Authenticated Remote Command Execution
- 1133374 WEB Zyxel P660HN-T v1 Router Unauthenticated Remote Command Execution
- 1133375 WEB Zyxel P660HN-T v2 Router Unauthenticated Remote Command Execution
- 1133643 WEB WePresent WiPG-1000 Command Injection
- 1133802 WEB Netgear NETGEAR DGN2200 dnslookup.cgi Remote Command Injection (CVE-2017-6334)
- 1135139 WEB Netgear Devices Unauthenticated Remote Command Execution (CVE-2016-1555)
- 1133148 MALWARE Suspicious IoT Worm TELNET Activity -1
- 1133063 MALWARE MIRAI TELNET Activity