New Mirai DDoS Malware Variant Infects Linux Devices


SUMMARY
13 Linux-based device vulnerabilities are targeted by “V3G4”, a Mirai malware variant used to conduct Distributed Denial of Service (DDoS) attacks. V3G4 spreads by brute-forcing default or weak telnet/SSH credentials and by exploiting hardcoded vulnerabilities to execute remote code on target devices. Once infected, a device is added to the botnet.

TECHNICAL DETAILS
Palo Alto Networks’ Unit 42 found that V3G4 primarily targets servers and internet-connected IoT devices such as IP cameras. Threat actors use the infected devices as part of their botnet to execute DDoS attacks. The attack does not stop at the initial infection: the malware also propagates within the compromised network.

EXPLOITED VULNERABILITIES

• CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
• CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
• CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
• CVE-2019-15107: Webmin Command Injection Vulnerability
• CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
• CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
• CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
• CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
• CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
• Mitel AWC Remote Command Execution Vulnerability
• Gitorious Remote Command Execution Vulnerability
• Spree Commerce Arbitrary Command Execution Vulnerability
• FLIR Thermal Camera Remote Command Execution Vulnerability

Once running, the malware downloads the Mirai dropper with the wget and curl utilities and terminates every process on the infected device. It then builds a table of telnet/SSH login credentials and uses it to brute-force other network devices, spreading within the host network.
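As an added example (not code from the advisory or from Unit 42), the following Python turns the spread behaviour described above into two simple detections run over constructed log lines: it counts sshd failed logins per source address to flag credential brute-forcing, and it scans connection logs for the malware host IPs listed in the IoC section. The syslog format, the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter

# Malware host IPs from the advisory's IoC list (defanged there with "[.]", refanged here).
V3G4_HOST_IPS = {"176.123.9.238", "198.98.49.79", "104.244.72.64"}

# sshd failed-login records in syslog format: captures user and source IP.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)
# Any IPv4 address, for scanning firewall/connection logs against the host list.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def detect_bruteforce(lines, threshold=5):
    """Return {source_ip: failed_count} for sources reaching the failed-login threshold."""
    failures = Counter()
    for line in lines:
        m = SSHD_FAIL.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def match_host_iocs(lines):
    """Return the advisory host IPs that appear anywhere in the given lines."""
    hits = set()
    for line in lines:
        hits.update(ip for ip in IPV4.findall(line) if ip in V3G4_HOST_IPS)
    return hits


# Constructed sample log lines (not from the advisory): one source hammering sshd with
# default-style usernames, one benign failure, and one outbound fetch to a listed host.
SAMPLE_LOG = [
    "Feb 17 10:01:02 cam01 sshd[812]: Failed password for root from 10.0.0.77 port 40122 ssh2",
    "Feb 17 10:01:03 cam01 sshd[813]: Failed password for admin from 10.0.0.77 port 40124 ssh2",
    "Feb 17 10:01:03 cam01 sshd[814]: Failed password for invalid user support from 10.0.0.77 port 40126 ssh2",
    "Feb 17 10:01:04 cam01 sshd[815]: Failed password for invalid user default from 10.0.0.77 port 40128 ssh2",
    "Feb 17 10:01:04 cam01 sshd[816]: Failed password for pi from 10.0.0.77 port 40130 ssh2",
    "Feb 17 10:01:30 cam01 sshd[820]: Failed password for alice from 10.0.0.5 port 51000 ssh2",
    "Feb 17 10:01:35 cam01 sshd[821]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Feb 17 10:02:10 cam01 kernel: FW-OUT SRC=10.0.0.23 DST=176.123.9.238 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("contacted malware hosts:", match_host_iocs(SAMPLE_LOG))
```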

INDICATORS OF COMPROMISE (IoCs)
Malware Host IP addresses:
• 176.123.9[.]238
• 198.98.49[.]79
• 104.244.72[.]64

Hash Values – Shell Script Downloader:
• 0837de91aa6bd52ef79d744daba4238a5a48a79eb91cb1a727da3e97d5b36329
• c32f8df3cb019e83e0ac49ab0462c59ec70733c3d516ade011727408751c9d42
• f295904d966889afb0f6b3625e504a1420a978434e2b6a9e9b85b688a44593fa

Hash Values – V3G4:

RECOMMENDATIONS
• Experts suggest adhering to recommended practices to safeguard IoT devices from V3G4 and other botnet infections: keep software and firmware updated, use strong passwords, and disable services and protocols that are not in use.
• Network segmentation can help keep the malware in check and prevent an infection from propagating widely.
