Murdoc_Botnet used Mirai malware to exploit IoT vulnerabilities, targeting devices globally
# Tool/Technique: Murdoc_Botnet (Mirai Variant)
## Overview
Murdoc\_Botnet is a significant botnet campaign utilizing a new variant of the infamous Mirai malware. Its primary purpose is to infect Internet of Things (IoT) devices, specifically AVTECH cameras and Huawei routers, to leverage their resources for large-scale distributed denial-of-service (DDoS) attacks.
## Technical Details
- Type: Malware family variant (Botnet)
- Platform: IoT devices (Specifically AVTECH Cameras and Huawei HG532 routers)
- Capabilities: Exploiting vulnerabilities to gain access, deploying shell scripts and ELF binaries, enrolling devices into a botnet, and launching DDoS attacks.
- First Seen: July 2024 (Campaign tracing provided by Qualys analysis)
## MITRE ATT&CK Mapping
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol
* **TA0008 - Lateral Movement**
  * T1021 - Remote Services (implicitly, based on the exploitation methods)
* **TA0003 - Persistence**
  * T1543 - Create or Modify System Process (via the deployment scripts)
* **TA0002 - Execution**
  * T1059.004 - Command and Scripting Interpreter: Unix Shell
## Functionality
### Core Capabilities
- Exploitation of known vulnerabilities (e.g., CVE-2024-7029, CVE-2017-17215) in target IoT devices to achieve initial compromise.
- Downloading and executing malware payloads via shell scripts.
- Establishing a persistent presence on the compromised device.
- Enrolling the device into the Murdoc\_Botnet structure under the coordination of C2 servers.
### Advanced Features
- Demonstrated enhanced capabilities over previous Mirai versions, focused specifically on exploiting high-value IoT targets (cameras and routers).
- Coordination via over 100 active Command-and-Control servers.
- Capabilities specifically tailored toward executing large-scale DDoS attacks once devices are compromised.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: ELF binaries, shell scripts (used for initial infiltration and setup)
- Registry Keys: [Not applicable/provided for these platforms]
- Network Indicators: Over 100 Command-and-Control servers coordinating activities (specific IPs/domains were not listed in the source text and are therefore omitted here).
- Behavioral Indicators: Unusual process execution involving shell scripts downloading and running foreign binaries; significant outbound network traffic associated with DDoS activity originating from IoT devices.
## Associated Threat Actors
- Unspecified threat actors driving the Murdoc\_Botnet campaign; the campaign was reported by researchers at Qualys, who did not attribute it to a named group. The malware is a variant of Mirai, which is used by multiple financially motivated and hacktivist groups.
## Detection Methods
- Signature-based detection: Confirmed detection by Qualys's Endpoint Detection and Response (EDR) solution.
- Behavioral detection: Monitoring for unusual processes, unauthorized execution of shell scripts, and network activity originating from untrusted sources on IoT devices.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- Monitoring unusual processes and network activities from untrusted sources on IoT devices and network infrastructure.
- Avoiding the execution of unknown shell scripts.
- Keeping devices (especially cameras and routers) updated with the latest firmware and security patches.
- Applying fixes for known vulnerabilities such as CVE-2024-7029 and CVE-2017-17215.
## Related Tools/Techniques
- Mirai (Parent malware family)
- IoT Botnets
- Exploitation of CVE-2024-7029
- Exploitation of CVE-2017-17215