Cyber-security researchers have just disclosed a new Mirai malware variant that bundles 13 exploits, enabling it to successfully attack more routers as well as other devices. While these exploits were individually used in Mirai malware campaigns before, having them all bundled in one version is a first.
Other typical characteristics include the DDoS and backdoor capabilities that we have seen before in Mirai, so we're talking about a variant that is more powerful and dangerous than ever before. The cyber-security researchers discovered the new Mirai through their honeypots, so it is already out there in the wild. Such malware has also proven capable of hacking into security-protected hardware.
First, the new variant scans the infected system for specific vulnerabilities in ThinkPHP, Huawei routers, or Linksys routers. The 13 exploits also target DVRs, NVRs, D-Link devices, and Netgear devices. The new Mirai still uses three XOR keys to encrypt data, while the URLs it uses are given specific roles such as "command and control", "downloader", and "dropper" links.
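For analysts triaging a captured sample, the XOR-encrypted URLs described above can be recovered without knowing the keys in advance. The following is an added example, not code from the researchers' report; it assumes single-byte keys (the article does not state the key width), and the keys, URLs and function names are constructed for illustration.

```python
import re

# A decoded string counts as a hit only if it is a complete http(s) URL.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_url(blob: bytes):
    """Try all 256 single-byte keys; return (key, url) or None.

    Only one key can map the first bytes of the blob onto the fixed
    'http' prefix, so a hit is unambiguous.
    """
    for key in range(256):
        plain = xor_bytes(blob, key)
        if URL_RE.fullmatch(plain):
            return key, plain.decode("ascii")
    return None


def decode_table(blobs):
    """Decode each blob and collect the set of distinct keys in use."""
    decoded = [recover_url(b) for b in blobs]
    keys = {hit[0] for hit in decoded if hit is not None}
    return decoded, keys


# Constructed sample data: three URLs, each under a different constructed
# key, plus one blob that is not an encrypted URL at all.
SAMPLE_BLOBS = [
    xor_bytes(b"http://c2.example.invalid:8080", 0x5A),
    xor_bytes(b"http://dl.example.invalid/file", 0x3C),
    xor_bytes(b"http://drop.example.invalid/x", 0x7E),
    b"\x00\x01\x02 not a url",
]

if __name__ == "__main__":
    decoded, keys = decode_table(SAMPLE_BLOBS)
    for blob, hit in zip(SAMPLE_BLOBS, decoded):
        if hit is None:
            print(f"{blob[:8].hex()}...  no URL recovered")
        else:
            print(f"{blob[:8].hex()}...  key=0x{hit[0]:02x}  {hit[1]}")
    print("distinct keys:", sorted(hex(k) for k in keys))
```

The recovered URLs can then be added to network blocklists and searched for in proxy or DNS logs.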
Apart from spreading through the 13 vulnerabilities that constitute its arsenal, the new Mirai also incorporates brute-force capabilities that allow the malware to gain access to network devices as admin.
The "Unlucky 13" exploits used by this Mirai variant are listed below:
- Vacron NVR CVE
- CVE-2018-10561, CVE-2018-10562
- CVE-2015-2051
- CVE-2014-8361
- CVE-2016-6277
- CVE-2017-17215
- UPnP SOAP TelnetD command execution
- Eir WAN side remote command injection
- Netgear Setup.cgi RCE
- MVPower DVR shell command execution
- Huawei HG RCE
- Linksys RCE
- ThinkPHP 5.0.23/5.1.31 RCE
Back in March, we saw how Mirai was evolving to target enterprise environment devices such as IoT devices, smart TVs, and presentation systems. By compromising these devices, Mirai managed to find its way deeper inside corporate networks, propagating itself from there to infiltrate and take over more valuable individual targets. With this latest Mirai variant, it becomes evident that the malware is actively developed and that this is not likely to stop any time soon.
If you want to stay protected against these types of cyber-attacks, you should update your router firmware as soon as patches become available, as the vulnerabilities exploited by Mirai are known and have already been fixed.