New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits

This article explores the recent campaign of Murdoc_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei devices. The Qualys Threat Research team discovered this ongoing campaign in July 2024.

The Qualys Threat Research Unit has discovered a live campaign for the Mirai botnet, which began in July 2024 and deploys a new botnet called Murdoc_Botnet. It is a large-scale operation within the Mirai campaign, exploiting vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers.

The attackers utilized ELF and shell script execution to deploy the Murdoc_Botnet botnet sample. This technique leverages existing vulnerabilities (CVE-2024-7029, CVE-2017-17215) to download the next-stage payloads. The research began with the discovery and analysis of Murdoc_Botnet binaries used for DDOS activities. Using Qualys EDR, threat intelligence data, and open-source intelligence (OSINT), the researchers were able to attribute Murdoc_Botnet as a Mirai variant.

The researchers discovered around 1300+ active IPs and 100+ distinct servers, each tasked with deciphering its activities and establishing communication with compromised IPs/servers. These servers facilitated the distribution of Mirai malware. These servers played a role in distributing the Mirai malware.

Further analysis revealed the presence of over 100 command-and-control servers tasked with establishing communication with infected devices. These servers also facilitated the distribution of Mirai malware.

As per Qualys Threat Research’s technical blog post, shared exclusively with Hackread.com ahead of its publishing, Murdoc_Botnet targets *nix systems, particularly vulnerable AVTECH and Huawei devices. The malware primarily uses bash scripts that leverage GTFOBins to fetch payloads, grant them execution permission using chmod, and then execute and remove them.

Moreover, it fetches the next-stage payloads using existing exploits. The infection process involves exploiting vulnerabilities to download shell scripts. These scripts are then executed on the compromised devices, which in turn download the new variant of Mirai botnet (Murdoc_Botnet).

Malaysia, Thailand, Mexico, and Indonesia have been identified as the most affected countries in this campaign. To protect against Murdoc_Botnet attacks, organizations should monitor suspicious processes, avoid executing shell scripts from untrusted sources, and keep systems and firmware updated with the latest patches. These measures can significantly reduce the risk of infection from Murdoc_Botnet and Mirai variants.

1. Mirai botnet exploiting Azure OMIGOD vulnerabilities
2. Mirai-like Botnet Targets Zyxel NAS Devices in Europe
3. Mirai-Inspired Gorilla Botnet Hits Devices in 100 Countries
4. Androxgh0st Botnet Hits IoT Devices with 27 Vulnerabilities
5. Tiny Mantis Launch More Powerful DDoS Attacks Than Mirai