Revived Mirai Variant Now Targets a Zero-Day in Ruijie Routers

What has happened?

• The recently exploited vulnerability in Ruijie routers is a command injection flaw that exists in the RUJIE NBR700 series routers.
• According to the research, a large number of online devices are exposed to this vulnerability. 
• Some of these identified device versions include NBR1600GDX9, RGNBR700GDX5, and more.

How does it work?

• During exploitation, a payload is used that has a URL and uses several empty variables probably to misguide security teams. When these variables are removed, it turns into a malicious function that can download and run the malware sample.
• Actors behind Mirai_ptea_Rimasuta have redesigned its encryption algorithm and C2 communication protocol; it uses the TEA algorithm and encrypts other sensitive resource info such as Tor Proxy.
• Its communication is divided into three steps: first, it establishes a connection with the proxy node, then Tor C2, and communicates with C2 via ptea's custom protocol to receive commands.

Digging deeper

• TEA key: Mirai_ptea_Rimasuta sample comes with two sets of Tiny Encryption Algorithm (TEA) keys, one for encrypting and decrypting sensitive resources, while the other is for encrypting and decrypting network traffic.
• Sandbox detection: The variant checks for the presence of a large number of sandboxes or simulators, and proceeds with infection only when its path and filename-related requirements are met.
• C2 variation: Mirai_ptea_Rimasuta uses some specific code to reach the Tor C2, which reveals that there are around six C2s used by this malware.
• Network protocol change: It encrypts the network traffic and has a hard-coded set of keys Net_teakey. The key is dynamically created by negotiating with C2s.
• Information gathering function: It monitors the TCP network connections of the infected device. Then, uploads the connection info (by data mining) that meets certain requirements to the Reporter.

Conclusion