Mirai botnet variant targets multiple IoT devices (June 28, 2023)

Ref# AL2023_52 | Date: Jun 28th 2023


A variant of the Mirai botnet was observed targeting at least 22 vulnerabilities residing in IoT devices belonging to D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek devices.  


This malware campaign was identified by the Unit 42 researchers at Palo Alto Networks in two ongoing campaigns that started in March and has seen a rise in activity in April and June of 2023. This Mirai variant was configured to target 22 different security vulnerabilities in various products, including routers, DVRs, NVRs, Wi-Fi communication dongles, access control systems and more. The list of vulnerabilities exploited and affected devices can be viewed in this link: Vulnerabilities 

All of the vulnerabilities exploited grants remote code execution, and the malware relies on this exploit to execute a shell script retrieved from the external host hxxp://zvub[.]us/. If successful, the script will download the botnet client that matches the architecture of the compromised device. The architectures targeted are armv4l, arm5l, arm6l, arm7l, mips, mipsel, sh4, x86_64, i686, i586, arc, m68k, and sparc. Once the botnet client is downloaded and executed, the shell script will delete the client executable file to cover its tracks and reduce detection.  

Upon execution, the botnet client allows threat actors to configure the compromised device as a botnet, where it can be used in denial-of-service (DoS) attacks. This botnet client is the only Mirai variant that can directly access the encrypted strings in the .rodata section through an index instead of setting up a string table to get the botnet clients configuration. The botnet prints listening tun0 to the console, indicating that it listens for requests through the tun0 network interface. Unit 42 also mentioned that this Mirai variant does not have the ability to brute force SSH/Telnet login credentials and relies on the threat actors to manually exploit the mentioned vulnerabilities. 

Indicators of Compromise 

Review the list of IOCs including sample hashes and IP addresses associated with this Mirai variant below: 

  1. Shell Script Downloader Samples 

> 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8 

  1. Mirai Samples 

> b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c 

> b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3 

> 366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6 

> 413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2 

> 2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599 

> 4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0 

> 461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d 

> aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777 

> 0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915 

> eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19 

> 3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d 

> aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089 

> 4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b 

  1. Infrastructure 

> zvub[.]us 

> 185.225.74[.]251 

> 185.44.81[.]114 

> 193.32.162[.]189 


We recommend the following tips and recommendations to lower the risk of infection from this malware campaign: 

  1. Review the list of affected devices and if you are using a device that may be vulnerable to this malware, apply the latest firmware updates/patches available from the device vendor. 

  1. Change default access credentials of your device to something unique and strong and change passwords often. 

  1. Disable remote administrative access to these devices if it is not required or in use.   

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Mirai botnet variant targets multiple IoT devices.pdf