Full Report
A new variant of the Mirai malware infects vulnerable ZyXEL devices, making them part of a botnet.
Analysis Summary
# Tool/Technique: Mirai (ZyXEL Variant)
## Overview
This is a specific evolution of the Mirai IoT botnet source code, modified to exploit vulnerabilities in ZyXEL networking devices. Its primary purpose is to compromise edge devices to recruit them into a distributed denial-of-service (DDoS) botnet.
## Technical Details
- **Type:** Malware Family (Botnet/Worm)
- **Platform:** Linux (MIPS/ARM architectures used in IoT/Networking devices)
- **Capabilities:** Exploitation, Propagation, DDoS, Persistence
- **First Seen:** Approximately November/December 2017 (for this specific variant)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0005 - Defense Evasion**
  - T1070.004 - Indicator Removal on Host: File Deletion
- **TA0007 - Discovery**
  - T1018 - Remote System Discovery
  - T1046 - Network Service Scanning
- **TA0011 - Command and Control**
  - T1571 - Non-Standard Port
  - T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Automated Exploitation:** Scans the internet for ZyXEL devices exposing specific vulnerabilities (typically in the TR-064 configuration protocol or related web management interfaces) and exploits them without operator interaction.
- **Self-Propagation:** Once a device is infected, it immediately begins scanning for other vulnerable targets (worm-like behavior).
- **C2 Communication:** Connects to a Command and Control server to receive DDoS targets and attack instructions.
### Advanced Features
- **Architecture Independence:** Compiled for multiple CPU architectures to ensure compatibility across various embedded devices.
- **Process Hiding:** Typically deletes its own binary from disk shortly after launch and keeps running only in memory, so that a basic inspection of the filesystem finds no malicious file.
## Indicators of Compromise
- **File Hashes:**
  - SHA256: `66699d4538965610090886c95e921d467771746f3453303c737f2a17409069d3` (example hash for Mirai payloads)
- **File Names:** `zyxel`, `dvrhelper`, `mirai.mips`
- **Network Indicators:**
  - Outbound traffic on port `23` or `2323` (Telnet brute forcing).
  - C2 traffic: `185[.]62[.]190[.]191` (defanged)
  - Connection attempts to `http[:]//[C2_IP]/bins/mirai.mips`
- **Behavioral Indicators:**
  - High CPU utilization.
  - Unusual volume of outgoing TCP SYN packets on ports 23, 2323, or 7547.
## Associated Threat Actors
- **Independent Botnet Operators:** Mirai source code is public, allowing various low-to-mid-tier threat actors to deploy customized versions.
## Detection Methods
- **Signature-based detection:** Antivirus/EDR signatures for known Mirai binary patterns in the `/tmp` directory.
- **Behavioral detection:** Monitoring for unexpected outbound Telnet/SSH connections or TR-064 requests (TCP port 7547) from local devices to the internet, since infected devices scan outward rather than being scanned.
- **Network Monitoring:** Identifying traffic to known blacklisted C2 IP addresses.
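As an added illustration of the behavioral and network indicators above (example code, not part of the original report), the following Python script applies them to constructed flow-log lines: it counts bare outbound SYNs from each LAN host to ports 23, 2323 and 7547 and flags any flow to the listed C2 address. The LAN range `192.168.1.0/24`, the `src dst dport flags` record format and the threshold of 4 SYNs are assumptions.

```python
from collections import Counter, defaultdict
import ipaddress
# Heuristics from the indicator list above: outbound SYN bursts to 23/2323/7547, or any flow to the C2 IP.
SCAN_PORTS = {23, 2323, 7547}
C2_WATCHLIST = {"185.62.190.191"}             # C2 IP from the IoC list, refanged
SYN_THRESHOLD = 4                             # assumed threshold; tune per network
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal address range

# Constructed sample flow records, one per line: "src dst dport tcp_flags"
SAMPLE_FLOWS = """\
192.168.1.10 203.0.113.5 23 S
192.168.1.10 203.0.113.6 23 S
192.168.1.10 203.0.113.7 2323 S
192.168.1.10 203.0.113.8 7547 S
192.168.1.10 203.0.113.9 23 S
192.168.1.20 198.51.100.4 443 S
192.168.1.20 198.51.100.4 443 A
192.168.1.30 185.62.190.191 48101 S
"""

def parse_flow(line):
    """Return (src, dst, dport, flags), or None for a blank/malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2]), parts[3]

def detect(text):
    """Map each suspicious LAN host to the list of reasons it was flagged."""
    syns, hits = Counter(), defaultdict(list)
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if ipaddress.ip_address(src) not in LAN:
            continue                          # only outbound traffic from the LAN
        if dst in C2_WATCHLIST:
            hits[src].append(f"flow to listed C2 {dst}")
        # A bare SYN (no ACK) to a scan port is a connection attempt, not a reply
        if "S" in flags and "A" not in flags and dport in SCAN_PORTS:
            syns[src] += 1
    for host, n in syns.items():
        if n >= SYN_THRESHOLD:
            hits[host].append(f"{n} outbound SYNs to Telnet/TR-064 ports")
    return dict(hits)

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

On real NetFlow or Zeek `conn.log` data the same logic applies once the record fields are mapped onto `parse_flow`.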
## Mitigation Strategies
- **Patch Management:** Immediately apply firmware updates from ZyXEL to patch known remote code execution (RCE) vulnerabilities.
- **Network Hardening:** Disable Telnet and SSH access from the WAN (Wide Area Network).
- **Access Control:** Change default administrative credentials on all IoT and networking equipment.
- **Segmentation:** Isolate IoT devices in a dedicated VLAN to prevent lateral movement.
## Related Tools/Techniques
- **Gafgyt/BASHLITE:** Another prominent IoT botnet family often competing for the same vulnerable devices.
- **Okiru/Satori:** Other Mirai variants that emerged around the same period.