A Mirai botnet variant has been discovered exploiting a newly disclosed safety flaw impacting 4-Religion industrial routers since early November 2024 with the purpose of conducting distributed denial-of-service (DDoS) assaults.
The botnet maintains roughly 15,000 each day energetic IP addresses, with the infections primarily scattered throughout China, Iran, Russia, Turkey, and the US.
Exploiting an arsenal of over 20 identified safety vulnerabilities and weak Telnet credentials for preliminary entry, the malware is understood to have been energetic since February 2024. The botnet has been dubbed “gayfemboy” in reference to the offensive time period current within the supply code.
QiAnXin XLab mentioned it noticed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based 4-Religion to ship the artifacts as early as November 9, 2024.
The vulnerability in query is CVE-2024-12856 (CVSS rating: 7.2), which refers to an working system (OS) command injection bug affecting router fashions F3x24 and F3x36 by benefiting from unchanged default credentials.
Late final month, VulnCheck instructed The Hacker Information that the vulnerability has been exploited within the wild to drop reverse shells and a Mirai-like payload on compromised gadgets.
A number of the different safety flaws exploited by the botnet to increase its attain and scale embody CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.
As soon as launched, the malware makes an attempt to cover malicious processes and implements a Mirai-based command format to scan for weak gadgets, replace itself, and launch DDoS assaults in opposition to targets of curiosity.
DDoS assaults leveraging the botnet have focused a whole lot of various entities every day, with the exercise scaling a brand new peak in October and November 2024. The assaults, whereas lasting between 10 and 30 seconds, generate visitors round 100 Gbps.
The disclosure comes weeks after Juniper Networks warned that Session Good Router (SSR) merchandise with default passwords are being focused by malicious actors to drop the Mirai botnet malware. Akamai has additionally revealed Mirai malware infections that weaponize a distant code execution flaw in DigiEver DVRs.
“DDoS has turn out to be some of the frequent and damaging types of cyber assaults,” XLab researchers mentioned. “Its assault modes are numerous, assault paths are extremely hid, and it might make use of constantly evolving methods and strategies to conduct exact strikes in opposition to numerous industries and techniques, posing a big menace to enterprises, authorities organizations, and particular person customers.”
The event additionally comes as menace actors are leveraging vulnerable and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner known as PacketCrypt.
