CyberSecurity SEE

Mirai Botnet Variant IZ1H9 Detected Attacking Linux Devices


A new variant of the infamous Mirai botnet has been found exploiting several vulnerabilities in Linux-based IoT devices. The as-yet unnamed variant has been using CVE-2023-27076, CVE-2023-26801, and CVE-2023-26802 to target devices from vendors such as Tenda, LB-Link and Digital China Networks. Researchers from Palo Alto Networks’ Unit 42 discovered the botnet after noticing unusual traffic on April 1, 2023.

Once the botnet had infiltrated a device, it downloaded and executed a shell script downloader, LB.sh, from IP 163.123.143[.]126. The threat then ran quietly in the background, with the primary goals of deleting the logs of its activity and launching attacks against other targets on the web. Researchers noted that the last step taken by the botnet was to block network connections on ports used by SSH, telnet, and HTTP, leaving the system unable to recover or connect to other devices remotely.

The specific Mirai variant discovered in this instance is known by the alias ‘IZ1H9’. Researchers first detected the variant in August 2018 and have since found it to be one of the most used Mirai variants. Once triggered, IZ1H9 looks for infected IP addresses to launch attacks against, and actively avoids targeting large technology corporations, government networks, and internet providers.

To activate the malware, IZ1H9 would connect to the command-and-control server, which was found to be 195.133.40[.]141. The botnet would then download several other malicious programs to aid in its efforts. Researchers found that the shell script downloader from 212.192.241[.]72 would download other botnet clients from 212.192.241[.]87/bins/, which would then contact the C2 domain dotheneedfull[.]club.

The botnet exploited three main vulnerabilities in the vendor products: CVE-2023-27076, CVE-2023-26801, and CVE-2023-26802. The first is a command injection bug caused by the failure to properly sanitize the value of the language parameter in the cgi-bin/luci interface of the Tenda G103. CVE-2023-26801 is another command injection bug, which allows attackers to execute arbitrary commands on the LB-Link wireless router. Finally, CVE-2023-26802 is caused by a lack of input sanitization in DCN (Digital China Networks) products, which allows remote code execution.

Using these vulnerabilities, IZ1H9 was able to take full control of devices and perform any task programmed by the botnet’s creators. Campaigns using this Mirai variant have been in operation since November 2021, and researchers believe all the campaigns are related.

The malware shell script downloaders are all similar, and the Mirai botnet samples use the same XOR decryption key (0xBAADF00D) and identical functions. For both the SSH and telnet channels, IZ1H9 has an embedded data section holding default login credentials for brute-force purposes, further linking the botnet to Mirai. Researchers also found that Mirai and IZ1H9 use the same encryption process for login credentials, deepening the connection between the two.
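As an added illustration (not code from Unit 42 or from the samples described here), the decoder below follows the obfuscation scheme in the published Mirai source, where each byte of the 32-bit table key is XORed in turn onto every byte, and applies the 0xBAADF00D key reported for IZ1H9 to a constructed data section. The sample bytes and the NUL-separated layout are assumptions for demonstration only.

```python
"""Decode Mirai-style XOR-obfuscated strings from a sample's data section.

Original Mirai applies each byte of a 32-bit key in turn to every byte
(val ^= k1; val ^= k2; val ^= k3; val ^= k4), which collapses to a single
byte key k1 ^ k2 ^ k3 ^ k4. The article reports IZ1H9 reusing this
process with the key 0xBAADF00D.
"""
import re

IZ1H9_KEY = 0xBAADF00D  # key reported for the IZ1H9 samples


def effective_byte_key(key32: int) -> int:
    """Fold a 32-bit Mirai table key into the single byte actually applied."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_decode(data: bytes, key32: int = IZ1H9_KEY) -> bytes:
    """Recover plaintext from an obfuscated byte string (XOR is its own inverse)."""
    k = effective_byte_key(key32)
    return bytes(b ^ k for b in data)


def carve_strings(blob: bytes, key32: int = IZ1H9_KEY, min_len: int = 4) -> list:
    """XOR a whole data section with the key and pull out printable ASCII runs.

    This is the usual static triage step for locating an embedded credential
    list or C2 string in a sample without executing it."""
    decoded = xor_decode(blob, key32)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


# Constructed sample (assumption, not bytes from a real binary): three
# credential strings ("admin", "root", "password") obfuscated with the
# 0xBAADF00D key and separated by NUL bytes, standing in for a data section.
SAMPLE_SECTION = (
    b"\x8b\x8e\x87\x83\x84\x00"              # admin
    b"\x98\x85\x85\x9e\x00"                  # root
    b"\x9a\x8b\x99\x99\x9d\x85\x98\x8e\x00"  # password
)

if __name__ == "__main__":
    print(hex(effective_byte_key(IZ1H9_KEY)))  # 0xea
    print(carve_strings(SAMPLE_SECTION))       # ['admin', 'root', 'password']
```

Because the four key bytes collapse to one, a sample obfuscated this way can be triaged by XORing the whole binary with that single byte and running a strings pass over the result.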

Enterprises are urged to keep their systems up to date with the latest patches to prevent such malware attacks. As long as the aforementioned vulnerabilities are present, there is a risk of botnet infiltration. Internet of Things device owners should update their firmware and change default login passwords to stronger ones that are harder to guess. Consumers should also be aware of this new threat and ensure their devices are secure.
