A recently uncovered malware campaign is capitalizing on two undisclosed zero-day vulnerabilities, each equipped with remote code execution (RCE) capabilities, to ensnare routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet.

According to a recent advisory from Akamai, the malicious payload specifically targets routers and network video recorder (NVR) devices employing default admin credentials, subsequently deploying Mirai variants upon successful infiltration.

To facilitate timely patching and thwart potential exploitation by other threat actors, details regarding the vulnerabilities are being kept confidential, with both affected vendors expected to release patches, one of which is slated for shipment next month.

Akamai first detected these attacks against its honeypots in late October 2023, although the identity of the perpetrators remains unknown.

The botnet responsible for this campaign, codenamed InfectedSlurs, gained its moniker from the racial and offensive language found in its command-and-control (C2) servers and hard-coded strings. The malware is a variant of JenX Mirai, which first surfaced in January 2018. Akamai also uncovered additional malware samples associated with the hailBot Mirai variant, which emerged in September 2023, according to a recent analysis by NSFOCUS.

HailBot, an evolution of Mirai’s source code, derives its name from the string output “hail china mainland” and is recognized for its ability to propagate via exploiting vulnerabilities and weak passwords.

Concurrently, Akamai disclosed the existence of a web shell known as wso-ng, characterized as an “advanced iteration” of WSO. This malicious tool integrates with legitimate services such as VirusTotal and SecurityTrails while concealing its login interface behind a deceptive 404 error page to evade detection.

Notably, wso-ng exhibits sophisticated reconnaissance capabilities, including retrieving AWS metadata for lateral movement and seeking potential Redis database connections to gain unauthorized access to sensitive application data. The deployment of web shells enables attackers to execute commands on servers, potentially leading to data theft, credential compromise, lateral movement, or the introduction of additional payloads.

The tactic of employing off-the-shelf web shells serves as a means for threat actors to challenge attribution efforts and operate discreetly, reminiscent of cyber espionage groups specializing in intelligence gathering. Additionally, attackers frequently utilize compromised yet legitimate domains for command and control purposes and malware distribution, exemplified by a widespread attack disclosed by Infoblox in August 2023, involving compromised WordPress websites redirecting visitors to intermediary C2 and dictionary domain generation algorithm (DDGA) domains. The attributed actor in this case was VexTrio.
