Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

A Mirai botnet variant has been found exploiting a newly disclosed security flaw in Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.

The botnet maintains roughly 15,000 daily active IP addresses, with the infections mainly spread across China, Iran, Russia, Turkey, and the United States.

Exploiting an arsenal of more than 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is believed to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in its source code.

QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024.

The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), an operating system (OS) command injection bug affecting router models F3x24 and F3x36 that is reachable by taking advantage of unchanged default credentials.

Late last month, VulnCheck told The Hacker News that the vulnerability had been exploited in the wild to drop reverse shells and a Mirai-like payload on compromised devices.

Some of the other security flaws exploited by the botnet to expand its reach and scale include CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.

Once launched, the malware attempts to hide its malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.

DDoS attacks leveraging the botnet have targeted hundreds of different entities every day, with the activity reaching a new peak in October and November 2024. The attacks, while lasting only between 10 and 30 seconds, generate traffic of around 100 Gbps.
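The short, high-volume bursts described above are easy to miss with alerting tuned for sustained floods. The following is an added defender-side example, not code from XLab or the article: it scans per-second inbound traffic samples (Gbps per target, constructed inline here as a stand-in for flow-collector output) and flags only bursts whose duration falls in the 10 to 30 second window the report attributes to this botnet, while ignoring both brief spikes and long-running floods that other rules already cover.

```python
from dataclasses import dataclass

# Constructed per-second inbound traffic samples (Gbps) for a single target.
# The 20-second spike mimics the ~100 Gbps, 10-30 s bursts attributed to the
# botnet; the surrounding values are ordinary background traffic.
SAMPLES_GBPS = (
    [0.8] * 10
    + [95.0, 101.0, 99.5] + [102.0] * 14 + [98.0, 97.5, 100.5]
    + [0.9] * 10
)


@dataclass
class Burst:
    start: int        # index (second) of the first sample above threshold
    end: int          # index (second) of the last sample above threshold
    peak_gbps: float  # highest sample seen inside the burst

    @property
    def seconds(self) -> int:
        return self.end - self.start + 1


def find_bursts(samples, threshold_gbps=50.0, min_seconds=10, max_seconds=30):
    """Return bursts above threshold whose length matches the short-burst profile.

    Runs of consecutive samples at or above `threshold_gbps` are grouped into
    candidate bursts; only those lasting between `min_seconds` and
    `max_seconds` (inclusive) are reported. Sustained floods and one-off
    spikes are deliberately left to other detection rules.
    """
    bursts = []
    start, peak = None, 0.0
    # A trailing 0.0 sentinel guarantees an open burst is closed at the end.
    for i, gbps in enumerate(list(samples) + [0.0]):
        if gbps >= threshold_gbps:
            if start is None:
                start, peak = i, gbps
            peak = max(peak, gbps)
        elif start is not None:
            candidate = Burst(start, i - 1, peak)
            if min_seconds <= candidate.seconds <= max_seconds:
                bursts.append(candidate)
            start, peak = None, 0.0
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLES_GBPS):
        print(f"burst: t={b.start}-{b.end}s ({b.seconds}s), peak {b.peak_gbps} Gbps")
```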

The disclosure comes weeks after Juniper Networks warned that Session Smart Router (SSR) products with default passwords are being targeted by malicious actors to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs.

“DDoS has become one of the most common and damaging forms of cyber attacks,” XLab researchers said. “Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.”

The development also comes as threat actors are leveraging vulnerable and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner called PacketCrypt.
