New Mirai Malware Variant Infects Linux Devices to Build DDoS Botnet

A new Mirai botnet variant tracked as ‘V3G4’ targets 13 vulnerabilities in Linux-based servers and IoT devices in order to conscript them into Distributed Denial of Service (DDoS) attacks. The malware spreads by brute-forcing weak or default telnet/SSH credentials and by exploiting a hardcoded set of known vulnerabilities to achieve remote code execution on the target devices. Once a device is breached, the malware installs itself and recruits the device into the botnet.

The malware was observed in three distinct campaigns by researchers at Palo Alto Networks (Unit 42), who monitored the activity between July 2022 and December 2022. Unit 42 attributes all three waves to the same threat actor because the hardcoded C2 domains contain the same string, the downloaded shell scripts are similar, and the botnet clients used in all three campaigns share identical functions.

After compromising a device, a Mirai-based payload is dropped on the system and attempts to connect to the hardcoded C2 address. The bot also attempts to terminate a set of processes from a hardcoded list, which includes competing botnet malware families. A characteristic that sets V3G4 apart from most Mirai variants is that it uses four different XOR encryption keys for its strings instead of one, which makes reverse engineering the code and decoding its functions more laborious.

When spreading to other devices, the bot runs a telnet/SSH brute-forcer that attempts logins with default or weak credentials. Unit 42 noted that earlier samples used both telnet/SSH brute-forcing and vulnerability exploitation to spread, while later samples no longer included the scanner. Finally, compromised devices receive DDoS commands directly from the C2, including TCP, UDP, SYN, and HTTP flooding methods. The operators behind V3G4 likely sell DDoS capacity to clients who want to disrupt specific websites or online services; however, the variant has not been tied to a particular DDoS-for-hire service at this time.
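The multi-key XOR string obfuscation mentioned above is easiest to understand by building a small Mirai-style string table and then recovering the keys the way an analyst would. The script below is an added example, not code from Unit 42 or from the malware; it assumes (no such detail is in the article) that the table uses four independent single-byte keys cycled by slot index, and the sample strings, key values and cribs are constructed from the classic Mirai source rather than extracted from V3G4.

```python
"""Added example: Mirai-style XOR string table with several single-byte keys,
plus two ways an analyst recovers those keys from the obfuscated table.

Assumptions (not from the article): one single-byte key per table slot,
cycled modulo four; sample strings, key values and cribs are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample table: the kind of strings a Mirai-family table holds.
SAMPLE_STRINGS: List[bytes] = [
    b"/bin/busybox",     # slot 0
    b"admin:admin",      # slot 1
    b"/dev/watchdog",    # slot 2
    b"GET / HTTP/1.1",   # slot 3
    b"root:vizxv",       # slot 0
    b"/proc/",           # slot 1
    b"enable",           # slot 2
    b"Host: ",           # slot 3
]

# Assumed layout: string i is encrypted with KEYS[i % 4]. Values are invented.
KEYS: List[int] = [0x22, 0x37, 0x5A, 0xAF]

# Plaintext fragments an analyst expects in any Mirai-family table (cribs).
CRIBS: List[bytes] = [b"busybox", b"admin", b"watchdog", b"HTTP/1.1"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def obfuscate_table(strings: List[bytes], keys: List[int]) -> List[bytes]:
    """Build the obfuscated table: slot i uses keys[i % len(keys)]."""
    return [xor_bytes(s, keys[i % len(keys)]) for i, s in enumerate(strings)]


def printable_candidates(blob: bytes) -> List[int]:
    """Blind approach: every key that turns the blob into printable ASCII.
    With one global key this usually pins the key down quickly; with four
    keys it has to be repeated per slot and often leaves several candidates,
    which is the extra reverse-engineering effort the article refers to."""
    return [k for k in range(256)
            if all(0x20 <= b ^ k <= 0x7E for b in blob)]


def find_crib(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext approach: derive a key from the first crib byte at each
    offset and accept it only if the whole crib decrypts at that offset."""
    for i in range(len(blob) - len(crib) + 1):
        k = blob[i] ^ crib[0]
        if xor_bytes(blob[i:i + len(crib)], k) == crib:
            return k
    return None


def recover_slot_keys(table: List[bytes], nkeys: int,
                      cribs: List[bytes]) -> Dict[int, int]:
    """Map each slot (index mod nkeys) to the key a crib hit reveals for it."""
    slot_keys: Dict[int, int] = {}
    for idx, blob in enumerate(table):
        for crib in cribs:
            k = find_crib(blob, crib)
            if k is not None:
                slot_keys.setdefault(idx % nkeys, k)
    return slot_keys


def decode_table(table: List[bytes], nkeys: int,
                 cribs: List[bytes]) -> List[Tuple[Optional[int], bytes]]:
    """Decrypt every slot whose key was recovered; leave the rest as raw bytes."""
    slot_keys = recover_slot_keys(table, nkeys, cribs)
    out: List[Tuple[Optional[int], bytes]] = []
    for idx, blob in enumerate(table):
        k = slot_keys.get(idx % nkeys)
        out.append((k, xor_bytes(blob, k) if k is not None else blob))
    return out


if __name__ == "__main__":
    table = obfuscate_table(SAMPLE_STRINGS, KEYS)
    for k, s in decode_table(table, len(KEYS), CRIBS):
        print(f"key={k:#04x}" if k is not None else "key=?", s)
```

The crib approach is the one that scales: a single hit on a string like `busybox` yields the key for that slot, and every other string sharing the slot falls out for free. The blind printable-ASCII search is kept to show why four keys cost more than one, since each slot has to be searched separately and a short string rarely narrows the candidates to a single key.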

Analyst Notes

The most effective way to defend devices against Mirai and other botnet infections is to replace every default password with a strong password that is unique to that device, and to disable telnet where it is not needed, since the variant spreads by brute-forcing telnet/SSH logins. Because V3G4 also spreads by exploiting known vulnerabilities, it is equally important to download and apply security patches as soon as the manufacturer releases them.
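The telnet/SSH brute-forcing that V3G4 uses to spread leaves a distinctive trace in authentication logs: a burst of failed logins for default account names from one source, sometimes followed by a success. The detector below is an added example, not part of the original flash or of Unit 42's research; the log lines are constructed (RFC 5737 documentation addresses, no real telemetry), and the window, threshold and assumed log year are tuning assumptions.

```python
"""Added example: flag sources that hammer SSH logins the way Mirai-family
scanners do, working from constructed OpenSSH auth.log lines.

Assumptions (not from the article): a 60-second window, a threshold of four
failures, and a log year of 2022 (syslog lines carry no year).
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
Dec  1 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec  1 10:00:02 cam01 sshd[813]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Dec  1 10:00:02 cam01 sshd[814]: Failed password for invalid user support from 203.0.113.7 port 51004 ssh2
Dec  1 10:00:03 cam01 sshd[815]: Failed password for root from 203.0.113.7 port 51005 ssh2
Dec  1 10:00:04 cam01 sshd[816]: Failed password for invalid user guest from 203.0.113.7 port 51006 ssh2
Dec  1 10:00:05 cam01 sshd[817]: Accepted password for root from 203.0.113.7 port 51007 ssh2
Dec  1 10:03:11 cam01 sshd[820]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Dec  1 10:03:40 cam01 sshd[821]: Accepted password for alice from 198.51.100.9 port 40013 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password" line format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

WINDOW_S = 60     # assumed: failures are counted within a 60-second window
THRESHOLD = 4     # assumed: four or more failures from one source in the window
LOG_YEAR = 2022   # assumed: syslog timestamps carry no year

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, result, user, source ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, window_s: int = WINDOW_S,
                      threshold: int = THRESHOLD) -> List[tuple]:
    """Sliding-window count of failures per source IP.

    Emits ("bruteforce", ip, sorted usernames tried) when a source reaches
    the threshold inside the window, and ("success_after_bruteforce", ip,
    user) when a login is accepted while that source is still over the
    threshold, which is the signature of a default-credential hit."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[tuple] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        # Drop failures that have aged out of the window for this source.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
            users[ip].add(user)
            if len(recent) == threshold:          # alert once, on crossing
                alerts.append(("bruteforce", ip, sorted(users[ip])))
        elif len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a success from a source that was just brute-forcing means a default or weak credential worked, and the device should be treated as compromised until the password is changed and the system is checked for a dropped Mirai payload. A single failed login from a legitimate user, as in the last two sample lines, never crosses the threshold.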