Latest Mirai variant targets routers and other IoT devices using 13 exploits
- The malware is dubbed as Backdoor.Linux.MIRAI.VWIPT and includes both backdoor and DDoS capabilities.
- The malware variant uses four different URLs to complete its infection process.
A new variant of Mirai botnet has been found using a total of 13 different exploits to target routers and other IoT devices. The malware is dubbed as Backdoor.Linux.MIRAI.VWIPT and includes both backdoor and DDoS capabilities.
What’s the matter?
According to the researchers from TrendMicro, the new Mirai variant uses three XOR keys to encrypt data. The most important aspect of this new malware variant is that it includes a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks.
Researchers also note that Backdoor.Linux.MIRAI.VWIPT uses four different URLs to complete its infection process. The four URLs are:
While the first URL is used as the command-and-control link, the rest serve as links for downloading and dropping malicious payloads.
About the exploits
The range of 13 exploits that are used by the variant take advantage of flaws in routers, surveillance products, and other devices.
Three out of 13 exploits scan specific vulnerabilities found in the web development format ThinkPHP and certain Huawei & Linksys routers. The remaining 10 vulnerabilities used by the variant are found inside ‘exploit_worker()’.
The 13 exploits used by the new Mirai variant are:
- Vacron NVR CVE
- CVE-2018-10561, CVE-2018-10562
- UPnP SOAP TelnetD command execution
- Eir WAN side remote command injection
- Netgear Setup.cgi RCE
- MVPower DVR shell command execution
- Linksys RCE
- ThinkPHP 5.0.23/5.1.31 RCE
11 of these vulnerabilities have already been exploited by the Mirai variant Omni. Few of these flaws have also been abused by Gafgyt variant Hakai and Mirai variant Yowai.