Hackers target Linux-based servers using a Mirai botnet variant

Posted on February 18, 2023 at 10:21 AM


A Mirai botnet variant has been targeting Linux-based servers. The variant, tracked as "V3G4", targets 13 vulnerabilities in Linux servers and other Internet of Things (IoT) devices. The botnet exploits these vulnerabilities to launch distributed denial-of-service (DDoS) campaigns.

Linux devices targeted by a Mirai malware variant

The threat actor spreads this malware through brute-force attacks against weak or default telnet or SSH credentials. The attackers then exploit a hardcoded set of vulnerabilities to gain remote code execution on the targeted devices. Once the attack succeeds, the malware infects the device, which is then recruited into the botnet swarm.

This malware was detected in three hacking campaigns. The campaigns were reported by researchers at Palo Alto Networks (Unit 42), who said they monitored the malicious activity between July 2022 and December 2022.

According to the researchers, the three hacking campaigns originated from the same attackers: the hardcoded C2 domains contained the same string, the shell script downloaders were similar, and the botnet clients used in all three attacks had similar functionality.

As noted above, the V3G4 attacks exploited 13 vulnerabilities. After the attackers compromised the targeted device, the Mirai-based payload was dropped onto the system. This payload attempted to connect to the hardcoded C2 address. The botnet also tries to terminate processes whose names appear on a hardcoded list, and that list includes other competing botnet malware families.

One of the main features that differentiates V3G4 from most Mirai variants is that it uses four different XOR encryption keys instead of relying on a single one. Analysts reverse engineering the code therefore find it harder to decode the malware's functionality.
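To make the multi-key point concrete for an analyst, the following added example (not code from the Unit 42 report or from the malware) shows the decoding side of Mirai-style repeating-key XOR string obfuscation. The four candidate keys and the obfuscated strings are constructed for this illustration and are not V3G4's real values; the point is that a decoder must try every known key per string rather than assume one key for the whole configuration table.

```python
import string

# Bytes considered "readable" when judging a decode attempt.
PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same function both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Hypothetical keys standing in for a sample's four hardcoded XOR keys
# (constructed for this example, not the keys used by V3G4).
CANDIDATE_KEYS = [b"\x22", b"\x5a\x7e", b"\xde\xad\xbe\xef", b"\x91"]

def recover_strings(blobs, keys=CANDIDATE_KEYS):
    """For each obfuscated blob, try every candidate key and keep the decodes
    that come out fully printable. Returns one list of (key, text) hits per blob."""
    results = []
    for blob in blobs:
        hits = []
        for key in keys:
            plain = xor_bytes(blob, key)
            if plain and all(b in PRINTABLE for b in plain):
                hits.append((key, plain.decode("ascii")))
        results.append(hits)
    return results

def count_recovered(blobs, keys=CANDIDATE_KEYS):
    """Number of blobs for which at least one candidate key yields readable text."""
    return sum(1 for hits in recover_strings(blobs, keys) if hits)

# Constructed sample: strings of the kind found in a Mirai-style config table,
# each obfuscated with a different one of the four keys.
SAMPLE_PLAINTEXT = [b"/bin/busybox", b"admin", b"GET /", b"killall"]
SAMPLE_BLOBS = [xor_bytes(s, k) for s, k in zip(SAMPLE_PLAINTEXT, CANDIDATE_KEYS)]

if __name__ == "__main__":
    # With only the first key, just one string decodes; with all four, every string does.
    print("single key:", count_recovered(SAMPLE_BLOBS, keys=CANDIDATE_KEYS[:1]))
    print("all keys:  ", count_recovered(SAMPLE_BLOBS))
    for blob, hits in zip(SAMPLE_BLOBS, recover_strings(SAMPLE_BLOBS)):
        print(blob.hex(), "->", hits)
```

The printable-bytes heuristic is deliberately loose: a wrong key can occasionally produce readable junk, so in practice an analyst cross-checks each recovered string against where the binary uses it.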

This malware can easily spread from one device to another. It does this through a telnet or SSH brute-forcer that attempts to log in using weak and default credentials. The researchers who discovered this malware noted that its earlier versions used telnet/SSH brute-forcing and exploited vulnerabilities to spread to other systems, whereas the later versions no longer depended on the scanner.
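The spreading behaviour described above leaves a recognisable trace on the victim side: a burst of failed logins from one source, cycling through default usernames, sometimes followed by a successful password login. The following added detection example (not code from the report or the malware) runs that check over constructed OpenSSH `auth.log` lines; the IP addresses, hostnames and the small default-username list are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not captured from any real host).
SAMPLE_AUTH_LOG = """\
Feb 18 09:00:01 edge sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Feb 18 09:00:02 edge sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Feb 18 09:00:02 edge sshd[1205]: Failed password for invalid user pi from 198.51.100.7 port 51024 ssh2
Feb 18 09:00:03 edge sshd[1207]: Failed password for root from 198.51.100.7 port 51025 ssh2
Feb 18 09:00:04 edge sshd[1209]: Failed password for invalid user ubnt from 198.51.100.7 port 51026 ssh2
Feb 18 09:00:05 edge sshd[1211]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Feb 18 09:03:10 edge sshd[1300]: Failed password for alice from 203.0.113.5 port 40010 ssh2
Feb 18 09:03:20 edge sshd[1302]: Accepted publickey for alice from 203.0.113.5 port 40011 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")

# Hypothetical usernames commonly found in default-credential lists (illustrative, not exhaustive).
DEFAULT_USERS = {"root", "admin", "pi", "ubnt", "user", "guest", "support"}

def analyze(log_text, threshold=3):
    """Flag source IPs with >= threshold failed password logins.
    Each finding records how many attempts there were, how many distinct usernames
    were tried, which of them are default-style names, and whether a password login
    from that IP was accepted after the failures (the worst case for a weak credential)."""
    failures = defaultdict(list)        # ip -> usernames that failed
    success_after = set()               # ips with an accepted password login after failures
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password" and m["ip"] in failures:
            success_after.add(m["ip"])
    findings = []
    for ip, users in failures.items():
        if len(users) < threshold:
            continue
        findings.append({
            "ip": ip,
            "failed": len(users),
            "distinct_users": len(set(users)),
            "default_users": sorted(set(users) & DEFAULT_USERS),
            "password_login_after_failures": ip in success_after,
        })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f)
```

On the sample, only `198.51.100.7` crosses the threshold, and the finding also shows that a password login as `root` was accepted after the failures, which is exactly the condition the article's advice (change default passwords, prefer keys) is meant to prevent.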

The compromised devices received DDoS commands directly from the C2 servers and launched their attacks using TCP, UDP, SYN, and HTTP flooding methods. V3G4 also likely operates a DDoS-as-a-service business: the researchers noted a likelihood that the operators sold DDoS services to clients who wanted to disrupt specific websites and online services.

However, the malware variant has not been linked to any particular service. Nevertheless, the Mirai malware family is persistent and is used by quite a number of threat actor groups. Users must therefore protect their devices from Mirai-like infections through proactive measures such as changing default passwords and installing the latest security updates.

Medusa botnet now operates like a Mirai variant

In a related development, researchers recently detected a new version of the Medusa botnet, built on Mirai code, being used in the wild. The new variant features a ransomware module and a Telnet brute-forcer. Medusa is an old malware strain that has been advertised on the darknet since 2015; in 2017 it was upgraded with HTTP-based DDoS capabilities.

According to Cyble, the new variant seen in the wild is derived from the original malware strain. It is the latest version of this botnet, and it is built on the leaked source code of the Mirai botnet. The new version also adds Linux-targeting functions and an option to launch large-scale DDoS attacks.

The Medusa botnet is also being marketed as malware-as-a-service (MaaS) that can launch DDoS attacks or perform mining through a dedicated portal. The service promises stability, client anonymity, and a user-friendly API, with pricing that varies according to the client's needs.

An interesting feature of this malware is that it also comes with a ransomware capability. This function searches all directories for file types it considers valid for encryption; the targeted files are mainly documents and vector design files. The new version of the Medusa botnet also comes with a feature to steal user data. However, the data is stolen after being encrypted. It collects basic information on the target system to identify the victim and assess the resources that can be used for mining and DDoS campaigns.
