New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems.

“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks’ Unit 42 Threat Intelligence Team said in a write-up.

The rash of vulnerabilities being exploited include:

  • VisualDoor — a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
  • CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
  • CVE-2021-27561 and CVE-2021-27562 – Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
  • CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
  • CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
  • CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability

Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with MooBot.

The attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.

Regardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that’s then used to fetch Mirai binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.

Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.

“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researcher said.

New ZHtrap Botnet…