Kang-Wei Chang
Security Research Engineer
Blog

Mirai is still alive and using multiple old exploits on home routers

April 15, 2019 by Kang-Wei Chang

Ixia’s Application Threat Intelligence (ATI) security researchers continue to hunt for the latest security threats that include exploits and malware. Under recent monitoring of our honeypots, we uncovered a new attack campaign that uses Mirai malware. It combines multiple exploits that target home routers. Below we'll cover some attacks of this type that we see in the wild, showing how even old attacks still have relevance today.

Exploit 1: Realtek

This exploit targets Realtek SDK’s miniigd SOAP service. Successful exploitation of a five-year-old vulnerability leads to remote code execution. The payload of the RCE uses wget to download the  “frosty.mips” malware and then execute it.

1

Exploit 2: Huawei 

This exploit targets Huawei’s routers. Successful exploitation leads to remote code execution. Under remote command execution payload, wget downloads the malware “skere” and executes it on the system. This time the vulnerability is only 1-2 years old. 

2

3

Last year, an ATI researcher provided a detailed analysis of this infection variant here.  

Exploit 3: Linksys

This exploit targets Linksys E-series routers. Successful exploitation of a six-year-old vulnerability leads to remote code execution. This malware sample is called “Karu.mps1”. As in the other examples, wget downloads the malware and then runs it in the local busybox environment.

4

5

Mirai bots didn’t just hit the Internet and then disappear a little later. They’ve shown up and evolve to find more devices to exploit, as currently exploitable targets are taken offline or stop being vulnerable. They started with brute forcing telnet, moved to SSH, and then web exploits. As more exploits are patched, they keep digging through the treasure trove to find new IoT devices to take advantage of. Until manufacturers and service providers start taking IoT product security seriously from the ground up, these attacks are going to keep coming and causing damage.

ATI will have some of the referenced malware samples released in April’s malware package as well as future Strike support for the associated vulnerabilities.

ATI has a history of following Mirai’s activities with some detail. 

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.