The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Because both the name and the version number have internet slang roots, it was originally assumed that the devices discovered in the wild that fit the profile we were looking for must be a honeypot or a joke.

When we looked at these devices through a broader lens, we were able to find more hints about what we were seeing. In some cases, devices found in the wild with HTTPS enabled leaked additional information in the HTTPS certificate's Subject line, which pointed us to a specific domain that we traced back to an NVR manufacturer. The SIRT did a quick check for CVEs known to impact this vendor's NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild. We decided to look more closely at the campaign building the underlying botnet that was leveraging this new zero-day exploit by going back to our honeypot, malware, and botnet tracking logs. Device identification in this second instance was much simpler because the device's default administrative credentials included the device model number.

We have not yet received a full report from the NVR vendor of the device models and versions believed to be impacted. The SIRT estimates the NVR vendor produces roughly 100 NVR/DVR/IP camera products; with no version information leakage from public-facing devices in the wild, it is difficult to know exactly which ones are and aren't impacted. The router vendor produces multiple switches and routers, and although the exploit has been confirmed for the first device by the Japanese manufacturer via JPCERT coordination, we have not been told whether it is the only model in their overall lineup that is impacted.
We plan to publish a follow-up blog post with additional details and deeper coverage of the devices and exploit payloads once the vendors and CERTs feel confident that responsible disclosure, patching, and remediation have run their course.

This activity derives from a Mirai botnet activity cluster that appears to primarily use the older JenX Mirai malware variant, made famous by its use of Grand Theft Auto to recruit Internet of Things devices to do its malicious bidding. Many command and control (C2) domains were identified that overlap in IP address resolution and share the exact same dates for infrastructure changes, which supports this connection. Interestingly, many of those IP addresses have a limited number of C2 domain resolutions. It is common for a domain to point to an IP that hosts thousands of other domains, but in this case many of the IPs pointed to only a few different domains, typically all belonging to the same infrastructure, with the first-seen and last-seen dates often changing at the same time for several domains.

The C2 domains in this cluster tell us a few things about the individual(s) behind this: the naming conventions often contained racial epithets, offensive language, or generally inappropriate terms. The JenX Mirai variant, like many Mirai variants, prints a unique hard-coded string to the console when compromising a machine. One of the associated JenX Mirai malware samples available on VirusTotal with that console string came from the C2 IP address 45.142.182[.]96, and called out to the domain iaxtpa[. Many of the C2 addresses and C2 domain resolutions fall under the Classless Inter-Domain Routing (CIDR) block 5.181.80.0/24. There was additional evidence of links among some of the domains with IP resolution overlap, which changed to different IPs at the exact same times and dates.
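One way to reproduce the infrastructure pivot described above (IPs that host only a few domains, and domains whose first-seen/last-seen dates change in lockstep), as an added analyst-side example that is not code from the original post. The passive-DNS records are constructed placeholders; only the 5.181.80.0/24 block comes from the report.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# Domains and IPs are placeholders for this example, not indicators from the report.
PDNS_RECORDS = [
    ("c2-alpha.example", "5.181.80.10", date(2023, 9, 1), date(2023, 10, 11)),
    ("c2-beta.example", "5.181.80.10", date(2023, 9, 1), date(2023, 10, 11)),
    ("c2-alpha.example", "5.181.80.33", date(2023, 10, 12), date(2023, 11, 9)),
    ("c2-beta.example", "5.181.80.33", date(2023, 10, 12), date(2023, 11, 9)),
    ("c2-gamma.example", "5.181.80.33", date(2023, 10, 12), date(2023, 11, 9)),
    # Shared-hosting IP: many unrelated tenants and no coordinated moves.
    ("shop1.example", "203.0.113.5", date(2023, 1, 5), date(2023, 11, 20)),
    ("shop2.example", "203.0.113.5", date(2023, 2, 9), date(2023, 11, 20)),
    ("shop3.example", "203.0.113.5", date(2023, 3, 1), date(2023, 11, 20)),
    ("shop4.example", "203.0.113.5", date(2023, 4, 2), date(2023, 11, 20)),
    ("shop5.example", "203.0.113.5", date(2023, 5, 7), date(2023, 11, 20)),
    ("shop6.example", "203.0.113.5", date(2023, 6, 3), date(2023, 11, 20)),
]

def sparse_ips(records, max_domains=5):
    """IPs hosting only a handful of domains, as dedicated attacker infrastructure
    tends to, unlike bulk shared hosting that serves thousands of names."""
    hosted = defaultdict(set)
    for domain, ip, _, _ in records:
        hosted[ip].add(domain)
    return {ip for ip, doms in hosted.items() if len(doms) <= max_domains}

def synchronized_moves(records):
    """Group domains that moved from the same old IP to the same new IP with
    identical last-seen/first-seen dates, i.e. infrastructure changed in lockstep."""
    by_domain = defaultdict(list)
    for domain, ip, first, last in records:
        by_domain[domain].append((first, last, ip))
    moves = defaultdict(set)
    for domain, hist in by_domain.items():
        hist.sort()  # chronological by first_seen
        for (_, old_last, old_ip), (new_first, _, new_ip) in zip(hist, hist[1:]):
            if old_ip != new_ip:
                moves[(old_ip, old_last, new_ip, new_first)].add(domain)
    return {key: doms for key, doms in moves.items() if len(doms) >= 2}

def cluster_domains(records, block, max_domains=5):
    """Domains tied to the cluster: resolved into `block` via a sparsely used IP
    and moved in lockstep with at least one other domain."""
    net = ip_network(block)
    sparse = sparse_ips(records, max_domains)
    in_block = {d for d, ip, _, _ in records if ip in sparse and ip_address(ip) in net}
    moved = set().union(*synchronized_moves(records).values())
    return sorted(in_block & moved)
```

The same pivot on real passive-DNS exports would surface domains like c2-gamma.example for manual review (in the block, sparse IP) while only the lockstep movers are auto-linked.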
We discovered mentions of some of the C2 infrastructure from a deleted Telegram user in the notorious DDoS marketplace channel DStatCC. On October 11, 2023, the user asked other users in the chat to "Bin battle" him and referenced several C2 IP addresses and domains that match this activity cluster. The user referred to the domain "Infectedchink[.]cat" as their "Old ICANN domain," and said that their current domains are "Running over OpenNIC," an alternative DNS network that provides access to domains not administered by the Internet Corporation for Assigned Names and Numbers (ICANN). The websites listed in the post had equally troubling naming conventions, such as "Shetoldmeshewas12" or "Shetoldmeshewas13", with varying top-level domains such as ". In late August 2023, a threat actor dump on PasteBin showed several of the C2 domains in this cluster, including "Infectedchink[.]cat". The C2 domains, IP addresses, hashes, and ports used all align with the activity in this report.

The Akamai SIRT is working with CISA/US-CERT and JPCERT to notify vendors of the impacted devices. First and foremost, check for default credentials on IoT devices and change them if they exist. If you find devices believed to be vulnerable in your environment, isolate them if possible and investigate for potential compromise. The importance of changing a device's default password cannot be overstated.
This Cyber News was published on www.akamai.com. Publication date: Thu, 30 Nov 2023 22:30:05 +0000