3 new attacks by Wicked Mirai botnet

In April 2018, a report revealed how university students developed what would become the Mirai botnet.

Before it went on to infect hundreds of thousands of devices, Mirai was a DDoS army used by, among others, university students who wanted an edge in Minecraft.

Now another variant of the Mirai botnet has appeared on the scene, but this one has a twist. Its code integrates at least three exploits that target unpatched IoT devices, including closed-circuit cameras, DVRs and Netgear routers. It also has ties to a web of other DDoS botnets, all of which can be traced back to one threat actor.

This new version of the botnet uses exploits instead of brute-force attacks to gain control of unpatched devices. The original Mirai spread by brute-forcing default telnet credentials on connected things in order to enslave them, but the Wicked botnet, named after the underground handle chosen by its author, prefers to go the exploit route to gain access.

The Wicked variant has added at least three exploits to its arsenal, which let it target additional IoT devices, including routers and DVRs.

Vulnerabilities used by Wicked include a Netgear R7000 and R6400 command injection (CVE-2016-6277), a CCTV-DVR remote code execution flaw, and an Invoker shell on already-compromised web servers.

Fortinet’s FortiGuard Labs team analyzed the botnet and found that each exploit it carries is tied to the specific port it scans.

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”
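The scanning behaviour described above is a useful detection hook: a single source sending bare SYNs to 80, 81, 8080 and 8443 across several hosts in a short window is not normal client traffic. The following Python script is an added example, not FortiGuard's code and not part of the original analysis. It parses constructed iptables-style firewall log lines (made up for this example; the addresses are from RFC 5737 documentation ranges) and flags sources that hit at least three of the four Wicked ports on two or more hosts within a 60-second window. The window and thresholds are assumptions to be tuned for a real network; the script does not claim to know which exploit the bot fires on which port.

```python
"""Flag Wicked-style port scanning in iptables LOG output.

Added example, not FortiGuard's or the bot author's code. Log lines,
window size and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the Wicked bot probes, per the FortiGuard write-up.
WICKED_PORTS = {80, 81, 8080, 8443}

# Fields we need from an iptables LOG line: timestamp, SRC, DST, DPT.
FIELD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) "
)

# Constructed sample log: 203.0.113.7 sweeps three hosts on all four Wicked
# ports; 198.51.100.20 is an ordinary web client; 203.0.113.9 probes SSH only;
# the last line is a SYN-ACK reply from an internal host and must be ignored.
SAMPLE_LOG = """\
May 17 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.11 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.11 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40004 DPT=81 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.13 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40005 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
May 17 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 17 10:00:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 17 10:00:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.11 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=8 PROTO=TCP SPT=33000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 17 10:00:14 fw kernel: IN= OUT=eth0 SRC=10.0.0.11 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=TCP SPT=80 DPT=51001 WINDOW=28960 RES=0x00 ACK SYN URGP=0
""".splitlines()


def parse_line(line, year=2018):
    """Return (ts, src, dst, dpt) for a bare-SYN TCP line, else None.

    syslog timestamps carry no year, so one is assumed for windowing.
    """
    m = FIELD_RE.search(line)
    if not m or " SYN " not in line or " ACK " in line:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def find_wicked_scanners(lines, window=timedelta(seconds=60),
                         min_ports=3, min_hosts=2):
    """Map source IP -> first window in which it looked like a Wicked scan.

    A source is flagged when, within `window`, it SYNs to at least
    `min_ports` distinct Wicked ports on at least `min_hosts` distinct hosts.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in WICKED_PORTS:
            ts, src, dst, dpt = parsed
            events[src].append((ts, dst, dpt))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; small logs make this cheap.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            ports = {e[2] for e in in_window}
            hosts = {e[1] for e in in_window}
            if len(ports) >= min_ports and len(hosts) >= min_hosts:
                hits[src] = {"first_seen": start,
                             "ports": sorted(ports),
                             "hosts": sorted(hosts)}
                break
    return hits


if __name__ == "__main__":
    for src, info in find_wicked_scanners(SAMPLE_LOG).items():
        print(f"{src}: ports {info['ports']} on {info['hosts']} "
              f"from {info['first_seen']:%H:%M:%S}")
```

Only the sweeping source is reported; the repeat web client stays below the port-diversity threshold and the SSH probe never touches the Wicked port set. In production the same logic would run over a SIEM export rather than an inline string, and the window should be widened if the bot is observed pacing its scans.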