A recently identified Mirai-based malware botnet named ‘InfectedSlurs’ has been exploiting two zero-day remote code execution (RCE) vulnerabilities to infiltrate routers and network video recorder (NVR) devices. The botnet, discovered by Akamai, uses the compromised devices to form a distributed denial-of-service (DDoS) swarm, presumably for financial gain. Although first observed in late October 2023, the botnet’s origins trace back to late 2022, and the vendors of the affected devices have yet to address the exploited vulnerabilities. The specific details of the zero-day flaws remain undisclosed, but their active exploitation raises concerns about the security risk to unpatched devices.
Akamai’s Security Intelligence Response Team (SIRT) stumbled upon ‘InfectedSlurs’ in October 2023 after noticing suspicious activity on an infrequently used TCP port within their honeypots. The malware probes at low frequency, first attempting authentication through POST requests and then following up with command injection attempts.
An internet-wide scan revealed that the targeted devices were linked to a specific NVR manufacturer, which acknowledged that a new zero-day exploit was being actively exploited in the wild. The botnet also targets a popular wireless LAN router through another zero-day RCE flaw, with security updates expected in December 2023.
‘InfectedSlurs,’ a variant of the Mirai malware, relies on a relatively concentrated command and control (C2) infrastructure. Offensive language in the C2 domains and in hardcoded strings led to its distinctive name. The malware supports hailBot operations and has been associated with a now-deleted Telegram account that showcased thousands of bots using the Telnet protocol.
Analysis reveals minimal code modifications compared to the original Mirai botnet, so it retains Mirai’s self-propagating nature as a DDoS tool supporting various attack vectors. The lack of device patches adds urgency to the situation: until fixes are available, the only recourse is temporary disruption by rebooting infected devices.