In July, Trend Micro researchers found a new Mirai botnet downloader (a pluggable module), dubbed as ‘Trojan.SH.MIRAI.BOI’, that can scan for exposed devices via some most recently disclosed vulnerabilities.
The Mirai downloader module
Any Internet of Things (IoT) botnet author can add this the botnet downloader to any new malware variant, which would scan for exposed devices for intrusion and payload delivery..
- The botnet downloader was observed exploiting vulnerable BIG-IP boxes (versions earlier than 15.x) through a previously reported Remote Code Execution (RCE) vulnerability (CVE-2020-5902).
- The downloader tries to exploit several other recently disclosed vulnerabilities in randomly generated targets, such as HP LinuxKI (CVE-2020-7209), Comtrend VR-3033 (CVE-2020-10173), and Aruba ClearPass Policy Manager (CVE-2020-7115), among others.
- Similar to several other botnet variants, this downloader has several files with different extensions, hosted on a single domain, meant to attack different architectures.
Recent Mirai campaigns
Mirai is one of the most disruptive and powerful malware in the IoT threat landscape. The botnet developers have been frequently upgrading their arsenal to cause maximum damage.
- Earlier this month, a new Mirai variant (detected as IoT.Linux.MIRAI.VWISI) was spotted exploiting nine vulnerabilities (most notable - CVE-2020-10173) to target vulnerable routers, DVRs, IP cameras, and products from popular vendors.
- Last month, new campaigns of the Hoaxcalls and Mirai botnets were observed targeting a post-authentication RCE vulnerability in Symantec Secure Web Gateway 184.108.40.206.
F5 Networks has released a security advisory and recommended users to upgrade to a fixed software version to fully mitigate this vulnerability. The US Cyber Command also alerted and advised users to immediately patch the vulnerability.
The bottom line
The Mirai botnet is being upgraded by its authors on a frequent basis. This means organizations need to ensure that they patch any critical vulnerabilities that could be exploited by the botnet to prevent any intrusion.