Unit 42 researchers have observed threat actors leveraging a Mirai botnet variant called V3G4 in three campaigns, exploiting 13 unpatched vulnerabilities in a range of IoT devices in order to propagate. A successful exploit could lead to remote code execution.
The researchers examined these campaigns from July to December 2022 and found that, upon exploit, “the wget and curl utilities automatically executed to download Mirai client samples from malware infrastructure and then executed the downloaded bot clients.”
“V3G4 inherits its most significant feature from the original Mirai variant — a data section with embedded default login credentials for the scanner and brute force purposes,” according to researchers. “Like the original Mirai, it also encrypts all credentials with XOR key 0x37.”
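As an added illustration, not Unit 42's analysis code or anything taken from the malware, the helper below recovers a credential table obfuscated with the single-byte XOR key 0x37 from a data section. The NUL-separated username/password layout and the sample values are assumptions constructed for this example.

```python
# Added example (not from Unit 42 or the malware): decode a Mirai-style
# credential table obfuscated with single-byte XOR key 0x37.
# Assumed layout: the whole section is XORed, and decoded fields are
# NUL-separated with username and password alternating.
XOR_KEY = 0x37


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def extract_credentials(section: bytes, key: int = XOR_KEY, min_len: int = 3):
    """Decode the section, then split on NUL and keep printable ASCII fields.

    Splitting must happen after decoding: a plaintext '7' (0x37) becomes a
    NUL byte once obfuscated, so splitting the raw bytes would cut fields.
    """
    decoded = xor_decode(section, key)
    fields = []
    for raw in decoded.split(b"\x00"):
        if len(raw) >= min_len and all(0x20 <= b < 0x7F for b in raw):
            fields.append(raw.decode("ascii"))
    return fields


def pair_credentials(fields):
    """Pair alternating fields into (username, password) tuples."""
    return list(zip(fields[0::2], fields[1::2]))


# Constructed sample: three made-up username/password pairs, obfuscated the
# same way the table would be in the binary (not real indicators).
SAMPLE_PLAIN = [b"root", b"example1", b"admin", b"example2", b"user", b"example3"]
SAMPLE_SECTION = xor_decode(b"\x00".join(SAMPLE_PLAIN) + b"\x00")

if __name__ == "__main__":
    # Recovered pairs are useful for blocklists and for auditing which
    # device defaults a sample will try during brute forcing.
    for user, pw in pair_credentials(extract_credentials(SAMPLE_SECTION)):
        print(f"{user}:{pw}")
```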
Mirai is a well-known threat, notable for continually evolving its tactics to bring more devices under its control and expand its botnet. Researchers have previously noted that the variant relies on effective brute-forcing and propagation techniques, which make it highly effective for botnet operators.
The threat actors behind Mirai were most recently observed exploiting a known critical vulnerability, CVE-2022-46169, in the Cacti device monitoring tool. The attacks aimed to deliver Mirai malware and a Perl-based IRC botnet. Successful exploitation launched a host-based reverse shell.
According to BleepingComputer, a new Mirai-based variant emerged in the last month to distribute the Medusa denial-of-service botnet. The campaign has been dubbed a malware-as-a-service for DDoS. However, the actors appear to be working out bugs in the variant.
In the latest campaigns,