A new variant of the Mirai botnet has been identified by researchers at Palo Alto Networks’ Unit 42. It targets nearly two dozen vulnerabilities to compromise devices from vendors including D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The malware, observed in ongoing campaigns since March, exploits 22 known security vulnerabilities in routers, DVRs, NVRs, WiFi dongles, thermal monitoring systems, access control systems, and solar power monitors. The attacks have evolved over time, with spikes in activity in April and June. The botnet developers continuously enhance the malware by adding code that exploits new vulnerabilities.
The attack methodology involves exploiting one of the identified flaws to execute a shell script fetched from an external source. This script downloads the botnet client built for the compromised device’s CPU architecture, and clients exist for a wide range of architectures. Notably, the malware reads its encrypted strings directly from the binary’s .rodata section instead of first building a string table for its configuration at runtime, as Mirai variants usually do. This tactic makes the malware faster and stealthier, since the configuration strings never appear in cleartext in a predictable table, and so it is less likely to be flagged by security tools. The campaign underscores the persistent threat of Mirai botnet variants targeting a diverse array of vulnerabilities in connected devices.
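The encrypted-strings-in-.rodata detail suggests a simple triage heuristic for a defender who has pulled a suspect binary off a device: a .rodata section whose bytes have near-maximal entropy and almost no printable runs looks like encrypted data rather than a normal string table. The following is an added example (not code from Unit 42 or from the malware) that parses the section headers of an ELF64 little-endian file with only the standard library and scores its .rodata. The parser, the threshold values (7.0 bits entropy, 30% printable coverage), and the sample ELF images it builds are all assumptions made for this illustration; the sample images are constructed fixtures, not real firmware.

```python
import hashlib
import math
import struct

# Assumed scope: ELF64 little-endian only (ELF32 targets would need the
# narrower header field widths; this is a triage sketch, not a full loader).
ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<HHIQQQIHHHHHH"          # Elf64_Ehdr fields after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"             # one Elf64_Shdr
SHDR_SIZE = struct.calcsize(SHDR_FMT)  # 64 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a byte stream."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes, min_run: int = 4) -> float:
    """Fraction of bytes lying in runs of >= min_run printable ASCII characters.
    A plaintext string table scores high; an encrypted blob scores low."""
    if not data:
        return 0.0
    covered = run = 0
    for b in data:
        if 0x20 <= b < 0x7F:
            run += 1
        else:
            if run >= min_run:
                covered += run
            run = 0
    if run >= min_run:
        covered += run
    return covered / len(data)


def elf64_sections(blob: bytes) -> dict:
    """Return {section_name: raw_bytes} read from the section header table."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    (_t, _m, _v, _e, _ph, shoff, _f, _eh, _phes, _phn,
     shentsize, shnum, shstrndx) = struct.unpack_from(EHDR_FMT, blob, 16)
    if shentsize != SHDR_SIZE:
        raise ValueError("unexpected section header entry size")
    hdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]   # .shstrtab holds the names
    strtab = blob[str_off:str_off + str_size]
    sections = {}
    for name_off, _type, _flags, _addr, off, size, *_rest in hdrs:
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode("ascii", "replace")
        sections[name] = blob[off:off + size]
    return sections


def assess_rodata(blob: bytes, entropy_limit: float = 7.0, printable_floor: float = 0.3) -> dict:
    """Heuristic verdict: near-maximal entropy plus few printable runs in .rodata
    suggests encrypted strings rather than a plaintext string table.
    The thresholds are assumed starting points for triage, not published values."""
    rodata = elf64_sections(blob).get(".rodata", b"")
    ent, pr = shannon_entropy(rodata), printable_ratio(rodata)
    suspicious = bool(rodata) and ent > entropy_limit and pr < printable_floor
    return {"size": len(rodata), "entropy": round(ent, 2),
            "printable_ratio": round(pr, 2), "likely_encrypted_strings": suspicious}


def build_sample_elf(rodata: bytes) -> bytes:
    """Constructed fixture: a bare ELF64 LE image with only .rodata and .shstrtab
    sections (no code, not loadable), sufficient to exercise the parser offline."""
    shstrtab = b"\0.rodata\0.shstrtab\0"          # name offsets: .rodata=1, .shstrtab=9
    rodata_off = 64
    shstr_off = rodata_off + len(rodata)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7   # 8-byte-align the section header table
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = ident + struct.pack(EHDR_FMT, 1, 0, 1, 0, 0, shoff, 0, 64, 0, 0, SHDR_SIZE, 3, 2)
    pad = bytes(shoff - shstr_off - len(shstrtab))
    shdrs = (struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                       # SHT_NULL
             + struct.pack(SHDR_FMT, 1, 1, 2, 0, rodata_off, len(rodata), 0, 0, 1, 0)   # PROGBITS, SHF_ALLOC
             + struct.pack(SHDR_FMT, 9, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))  # SHT_STRTAB
    return ehdr + rodata + shstrtab + pad + shdrs


def pseudo_random_bytes(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic stand-in for an encrypted blob (SHA-256 chain), so the
    result is reproducible without os.urandom."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


# Constructed sample .rodata contents: an ordinary string table vs. an opaque blob.
PLAINTEXT_RODATA = (b"config-version=1.0\0Content-Type: text/plain\0"
                    b"/proc/net/route\0device-model=%s\0") * 8
ENCRYPTED_RODATA = pseudo_random_bytes(1024)

if __name__ == "__main__":
    for label, rd in (("plaintext", PLAINTEXT_RODATA), ("encrypted", ENCRYPTED_RODATA)):
        print(label, assess_rodata(build_sample_elf(rd)))
```

On a real sample you would read the file into `blob` and call `assess_rodata(blob)`; a positive verdict is a reason to look closer (for example, to find the routine that decrypts the strings at use), not proof of maliciousness, since legitimately packed or obfuscated firmware components produce the same signal.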