In the ever-evolving landscape of cybersecurity threats, a new and active malware campaign has emerged that exploits two zero-day vulnerabilities, both of which allow remote code execution (RCE). The attackers use them to ensnare routers and video recorders, building a Mirai-based distributed denial-of-service (DDoS) botnet.
The Malicious Payload
This nefarious payload primarily targets routers and network video recorder (NVR) devices that still retain their default admin credentials. Once successful in its infiltration, the payload proceeds to install various Mirai variants, thus compounding the potential for harm. It’s worth noting that these findings were disclosed by Akamai in a recent advisory.
The Shroud of Secrecy
To prevent further exploitation of these vulnerabilities, the specific details regarding the flaws remain undisclosed for the time being. This decision allows the affected vendors ample time to develop and release patches, thwarting any potential exploitation by other threat actors. It’s expected that the fixes for one of the vulnerabilities will be rolled out next month, providing some respite in the ongoing battle against this malicious campaign.
The Discovery
The first inklings of this campaign came to light when the web infrastructure and security company Akamai stumbled upon it in late October 2023. To date, the perpetrators behind these attacks remain unidentified, shrouding the campaign in an aura of mystery.
The InfectedSlurs Botnet
The botnet responsible for these attacks has earned the ominous moniker “InfectedSlurs.” The name derives from the racial and offensive language found in its command-and-control (C2) servers and hard-coded strings. InfectedSlurs is a variant of the notorious JenX Mirai malware, which first came to light in January 2018. Akamai has also highlighted additional malware samples that appear connected to the hailBot Mirai variant, a newcomer that emerged in September 2023, according to a recent NSFOCUS analysis.
The hailBot Variant
hailBot, developed from the Mirai source code, derives its name from the string output “hail china mainland.” It spreads by exploiting vulnerabilities and weak passwords, underlining its potential for widespread disruption.
Unmasking the Web Shell
Akamai has also unveiled a sophisticated web shell known as “wso-ng,” an advanced iteration of WSO (short for “web shell by oRb”). This web shell seamlessly integrates with legitimate tools such as VirusTotal and SecurityTrails. What sets it apart is its stealthy approach of concealing the login interface behind a seemingly innocuous 404 error page.
Advanced Reconnaissance
One of the most notable features of this web shell is its advanced reconnaissance capabilities. It can retrieve AWS metadata for lateral movement and is proficient at seeking out potential Redis database connections, potentially leading to unauthorized access to sensitive application data. Microsoft has previously highlighted the grave implications of web shells, which enable attackers to run commands on servers for data theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activities, all while maintaining a persistent presence within an affected organization.
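The two traits described above, a login interface disguised as a 404 error page and a shell that still accepts commands from that page, leave traces in ordinary web server access logs. The following Python script is an added example, not code from Akamai or from the article, that hunts for those traces with two heuristics that are assumptions of this example rather than indicators published by Akamai: a POST request that the server answers with 404 (a genuinely missing page is rarely POSTed to, but a disguised shell still takes input), and a 404 response whose body is far larger than the server's usual error page (a hidden login form adds bytes a static error page does not have). The log lines are constructed for the example.

```python
"""
Hunt for a web shell that hides its login behind a fake 404 page, using only
access logs in Apache/Nginx combined format.

Added example, not Akamai's or the article's code. The two heuristics below
are assumptions of this example, not published indicators.
"""
import re
from collections import Counter

# Minimal combined-log-format parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real traffic). The last three model a
# shell at /uploads/cache.php that answers GET and the first POST with a
# fake 404 page, then serves real content once the login succeeds.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [20/Nov/2023:10:01:03 +0000] "GET /missing.html HTTP/1.1" 404 312
198.51.100.7 - - [20/Nov/2023:10:02:10 +0000] "GET /old/page HTTP/1.1" 404 312
198.51.100.7 - - [20/Nov/2023:10:02:11 +0000] "GET /favicon.ico HTTP/1.1" 404 312
192.0.2.44 - - [20/Nov/2023:10:05:30 +0000] "GET /uploads/cache.php HTTP/1.1" 404 9871
192.0.2.44 - - [20/Nov/2023:10:05:41 +0000] "POST /uploads/cache.php HTTP/1.1" 404 9871
192.0.2.44 - - [20/Nov/2023:10:05:55 +0000] "POST /uploads/cache.php HTTP/1.1" 200 24410
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        entries.append(d)
    return entries


def baseline_404_size(entries):
    """Most common body size among 404 responses, i.e. the server's real error page."""
    sizes = Counter(e["size"] for e in entries if e["status"] == 404)
    return sizes.most_common(1)[0][0] if sizes else None


def find_suspicious(entries, size_ratio=3.0):
    """Return (ip, path, reasons) for 404 responses that look like a disguised shell."""
    baseline = baseline_404_size(entries)
    findings = []
    for e in entries:
        if e["status"] != 404:
            continue
        reasons = []
        if e["method"] == "POST":
            reasons.append("POST to a path answering 404")
        if baseline and e["size"] > baseline * size_ratio:
            reasons.append(f"404 body {e['size']}B vs usual {baseline}B")
        if reasons:
            findings.append((e["ip"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

On a real server the baseline should be computed over a long window so that the modal 404 size reflects the genuine error page; a single hit on either heuristic is a lead to inspect the file at that path, not proof of compromise. The AWS metadata and Redis reconnaissance the web shell performs would show up in a different data source (outbound connections from the web server process), which this access-log hunt does not cover.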
Challenging Attribution
The adoption of off-the-shelf web shells is a tactic increasingly favored by threat actors. It serves the dual purpose of challenging attribution efforts and allowing them to operate covertly. This tactic is often associated with cyber espionage groups specializing in intelligence gathering.
A Familiar Tactic
Like many other attackers, this campaign's operators rely on compromised but legitimate domains for command and control (C2) and malware distribution. A notable example from August 2023 involved compromised WordPress websites that conditionally redirected visitors to intermediary C2 servers and used a dictionary domain generation algorithm (DDGA). That activity was attributed to a threat actor known as VexTrio.
In the relentless arms race between cybersecurity professionals and threat actors, staying informed about emerging threats and vulnerabilities remains paramount. As the battle unfolds, vigilance and timely patching of known vulnerabilities will continue to be our strongest defense against such malicious campaigns.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.