An active malware campaign is exploiting two zero-day remote code execution (RCE) vulnerabilities to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet.
“The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory published this week.
Details of the flaws are currently under wraps to allow the two vendors to publish patches and prevent other threat actors from abusing them. The fixes for one of the vulnerabilities are expected to be shipped next month.
Akamai said it also identified additional malware samples that appeared to be linked to the hailBot Mirai variant, the latter of which emerged in September 2023, according to a recent analysis from NSFOCUS.
“The hailBot is developed based on Mirai source code, and its name is derived from the string information ‘hail china mainland’ output after running,” the Beijing-headquartered cybersecurity firm noted, detailing its ability to propagate via vulnerability exploitation and weak passwords.
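Both the Akamai advisory and the NSFOCUS analysis above describe the same initial-access pattern: the bot cycles through factory-default or weak credentials on a device's management interface until one works, then drops the Mirai payload. The following is an added detection example, not code from Akamai, NSFOCUS or the article: it parses a constructed authentication log (the line format and the default-credential list are assumptions for this example, modelled on a telnet honeypot log) and flags any source that tries several distinct credential pairs within a short window, reporting whether a known default was among them and whether any attempt succeeded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line format is an assumption for this example (modelled on a telnet
# honeypot log); adapt LINE_RE to the device or collector you actually have.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Small illustrative set of factory-default credential pairs commonly shipped
# on embedded devices; not a vendor list and not taken from the article.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "12345"),
    ("admin", "password"), ("root", "root"), ("root", ""),
}

# Constructed sample log (not real traffic): one source cycling through
# credentials until a factory default works, plus two benign operator logins.
SAMPLE_LOG = """\
2023-11-21T10:00:01Z src=203.0.113.7 user=admin pass=admin result=fail
2023-11-21T10:00:02Z src=203.0.113.7 user=root pass=root result=fail
2023-11-21T10:00:02Z src=203.0.113.7 user=admin pass=1234 result=fail
2023-11-21T10:00:03Z src=203.0.113.7 user=admin pass=12345 result=success
2023-11-21T10:05:00Z src=198.51.100.9 user=operator pass=Tr0ub4dor result=fail
2023-11-21T10:05:30Z src=198.51.100.9 user=operator pass=Tr0ub4dor3 result=success
2023-11-21T10:10:00Z src=192.0.2.5 user=admin pass=oldpass1 result=fail
2023-11-21T10:15:00Z src=192.0.2.5 user=admin pass=oldpass2 result=fail
2023-11-21T10:20:00Z src=192.0.2.5 user=admin pass=Winter2023! result=success
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, user, password, result) tuples.

    Malformed lines are skipped rather than raising, so one bad line does not
    stop the whole batch.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["pw"], m["result"]))
    return events


def detect_credential_cycling(events, window=timedelta(seconds=60), threshold=3):
    """Flag sources that try >= `threshold` distinct credential pairs within `window`.

    For each flagged source the report says how many distinct pairs it tried
    overall, whether any of them is a known factory default, and whether any
    attempt succeeded. A success means the device still answers to a guessed
    credential and should be treated as compromised, not merely scanned.
    """
    events = sorted(events)
    recent = defaultdict(deque)  # src -> deque of (ts, (user, pw)) inside the window
    flagged = set()
    for ts, src, user, pw, _ in events:
        q = recent[src]
        q.append((ts, (user, pw)))
        # Drop attempts older than the window; the just-appended entry always stays.
        while ts - q[0][0] > window:
            q.popleft()
        if len({cred for _, cred in q}) >= threshold:
            flagged.add(src)

    report = {}
    for src in flagged:
        own = [e for e in events if e[1] == src]
        creds = {(u, p) for _, _, u, p, _ in own}
        report[src] = {
            "distinct_credentials": len(creds),
            "used_default_credentials": bool(creds & DEFAULT_CREDENTIALS),
            "login_succeeded": any(r == "success" for *_, r in own),
        }
    return report


if __name__ == "__main__":
    for src, info in detect_credential_cycling(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The window-and-threshold rule is deliberately simple: a legitimate operator who mistypes a password twice over several minutes stays below it, while a bot that walks a credential list fires in seconds. Tune `threshold` and `window` against your own baseline before alerting on it, and treat a flagged source with `login_succeeded` set as an incident, since the device has just confirmed it still accepts a guessed credential.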
Among the web shell's notable reconnaissance capabilities are retrieving AWS instance metadata to support later lateral movement and searching for Redis database connections in order to gain unauthorized access to sensitive application data.
Another common tactic adopted by attackers is the use of compromised-but-legitimate domains for C2 purposes and malware distribution.
In August 2023, Infoblox disclosed a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary C2 and dictionary domain generation algorithm (DDGA) domains. The activity has been attributed to a threat actor named VexTrio.
Source: https://thehackernews.com/