Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices


A new Mirai variant is targeting known flaws in D-Link, Netgear and SonicWall devices, as well as newly-discovered flaws in unknown IoT devices.

A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.

Since Feb. 16, the new variant has been targeting six known vulnerabilities – and three previously unknown ones – in order to infect systems and add them to a botnet. It’s only the latest variant of Mirai to come to light, years after source code for the malware was released in October 2016.

“The attacks are still ongoing at the time of this writing,” said researchers with Palo Alto Networks’ Unit 42 team on Monday. “Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.”

Initial Exploit: New and Old Flaws

The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: a SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356).

Patches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.

For instance, “the VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,” a SonicWall spokesperson told Threatpost. “It is not viable against any properly patched SonicWall appliances.”

The botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.

“We cannot say with certainty what the targeted devices are for the unidentified exploits,” Zhibin Zhang, principal researcher for Unit 42, told Threatpost. “However, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.”

The exploits themselves include two RCE attacks: an exploit targeting a command-injection vulnerability in certain components, and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized, leading to a command injection, said researchers.

The latter has “been observed in the past being used by [the] Moobot [botnet], however the exact target is unknown,” researchers noted. Threatpost has reached out to researchers for further information on these unknown targets.

Mirai Botnet: A Set of Binaries

After initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware’s infrastructure. The shell script then downloads several Mirai binaries and executes them, one-by-one.

One such binary is lolol.sh, which has multiple functions. Lolol.sh deletes key folders from the target machine (including ones with existing scheduled jobs and startup scripts); creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports (to make remote access to the affected system more challenging for admins); and schedules a job that aims to rerun the lolol.sh script every hour (for persistence). Of note, this latter process is flawed, said researchers, as the cron configuration is incorrect.

Another binary (install.sh) downloads various files and packages – including GoLang v1.9.4, the “nbrute” binaries (that brute-force various credentials) and the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by “nbrute”).

The final binary is called dark.[arch], and is based on the Mirai codebase. This binary mainly functions for propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using hardcoded credentials in the binary.
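The host artifacts described in this section (inbound blocks on SSH, telnet and HTTP, a cron entry naming lolol.sh, and the dropped file names) can be combined into a triage check. The following is an added example, not code from Unit 42's report or the article. It assumes iptables-save rule syntax, and the sample rules, cron line, /tmp paths and architecture suffix are constructed for illustration.

```python
import posixpath
import re

# Default ports of the services the article says get blocked (SSH, telnet, HTTP).
MGMT_PORTS = {"22": "ssh", "23": "telnet", "80": "http"}
# iptables-save syntax is an assumption; the article only says "packet filter rules".
RULE_RE = re.compile(r"^-A INPUT\b.*--dports? (\S+).*-j (?:DROP|REJECT)\b")
# File names reported in the article; dark.[arch] carries an architecture suffix.
STRONG = re.compile(r"^(lolol\.sh|nbrute\S*|dark\.\w+)$")
WEAK = {"install.sh", "combo.txt"}  # generic names, only meaningful alongside others


def blocked_mgmt_ports(iptables_save):
    """Services whose inbound port is dropped or rejected in the INPUT chain."""
    found = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.update(MGMT_PORTS[p] for p in m.group(1).split(",") if p in MGMT_PORTS)
    return found


def cron_references(cron_text):
    """Uncommented cron lines naming lolol.sh. The schedule is not parsed: the
    article notes the malware's cron entry is malformed, yet it still marks a host."""
    return [l.strip() for l in cron_text.splitlines()
            if "lolol.sh" in l and not l.lstrip().startswith("#")]


def triage(iptables_save, cron_text, paths):
    names = [posixpath.basename(p) for p in paths]
    strong = sorted(n for n in names if STRONG.match(n))
    weak = sorted(n for n in names if n in WEAK)
    ports = blocked_mgmt_ports(iptables_save)
    cron = cron_references(cron_text)
    # Flag on any strong artifact, or on management lockout plus a weak file name.
    suspect = bool(strong or cron or (len(ports) >= 2 and weak))
    return {"suspect": suspect, "blocked": sorted(ports), "cron": cron,
            "files": strong + weak}


# Constructed sample data, not taken from a real infected device.
SAMPLE_RULES = """-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m multiport --dports 23,80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"""
SAMPLE_CRON = "0 * * * * * /tmp/lolol.sh\n# 0 3 * * * /usr/bin/backup.sh"
SAMPLE_PATHS = ["/tmp/dark.arm7", "/tmp/combo.txt", "/etc/passwd"]

if __name__ == "__main__":
    print(triage(SAMPLE_RULES, SAMPLE_CRON, SAMPLE_PATHS))
```

Port ranges such as `20:25` are not expanded, so a rule written that way needs a manual look.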

Mirai Variants Continue to Pop Up

The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.

Last year, a Mirai variant was found targeting Zyxel network-attached storage (NAS) devices using a critical vulnerability that was only recently discovered, according to security researchers. In 2019, a variant of the botnet was found sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems. And, a 2018 variant was used to launch a series of DDoS campaigns against financial-sector businesses.

Researchers said that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.

“The IoT realm remains an easily accessible target for attackers,” according to Unit 42’s report. “Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.”
