A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.
The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.
Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in the source code.
QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024.
The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), which refers to an operating system (OS) command injection bug affecting router models F3x24 and F3x36 by taking advantage of unchanged default credentials.
Late last month, VulnCheck told The Hacker News that the vulnerability has been exploited in the wild to drop reverse shells and a Mirai-like payload on compromised devices.
Some of the other security flaws exploited by the botnet to expand its reach and scale include CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.
Once launched, the malware attempts to hide malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.
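The scanning behaviour described above (Mirai-style probing of many hosts for weak Telnet logins) leaves a recognisable footprint in flow or firewall logs. The following is an added defender-side example, not code from the article or from XLab: it runs a sliding-window check over constructed sample log lines and flags a source that contacts many distinct hosts on TCP/23 in a short time, while an admin logging into one host repeatedly, or slow spread-out probes, stay below the threshold. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed flow-log sample (not from the article): "<ISO ts> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2024-11-09T10:00:00 192.0.2.10 -> 198.51.100.1:23 tcp
2024-11-09T10:00:01 192.0.2.10 -> 198.51.100.2:23 tcp
2024-11-09T10:00:02 192.0.2.10 -> 198.51.100.3:23 tcp
2024-11-09T10:00:03 192.0.2.10 -> 198.51.100.4:23 tcp
2024-11-09T10:00:04 192.0.2.10 -> 198.51.100.5:23 tcp
2024-11-09T10:01:00 192.0.2.20 -> 203.0.113.7:23 tcp
2024-11-09T10:01:05 192.0.2.20 -> 203.0.113.7:23 tcp
2024-11-09T10:02:00 192.0.2.30 -> 203.0.113.8:443 tcp
2024-11-09T10:05:00 192.0.2.40 -> 203.0.113.11:23 tcp
2024-11-09T10:06:01 192.0.2.40 -> 203.0.113.12:23 tcp
2024-11-09T10:07:02 192.0.2.40 -> 203.0.113.13:23 tcp
2024-11-09T10:08:03 192.0.2.40 -> 203.0.113.14:23 tcp
2024-11-09T10:09:04 192.0.2.40 -> 203.0.113.15:23 tcp
"""

TELNET_PORT = 23
WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 5                    # distinct Telnet targets inside one window before flagging

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, _, target, proto = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_telnet_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: most distinct TCP/23 targets seen in any one window} for every
    source that reached at least `threshold` distinct hosts on TCP/23 inside `window`."""
    events = defaultdict(list)          # src -> [(timestamp, dst)] for Telnet connections only
    for line in log_text.strip().splitlines():
        ts, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port == TELNET_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # shrink window from the left
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Widening the window (for example `find_telnet_scanners(SAMPLE_LOG, window=WINDOW * 10)`) also catches the slow prober 192.0.2.40, at the cost of more false positives from legitimate administration.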
DDoS attacks leveraging the botnet have targeted hundreds of different entities every day, with the activity reaching a new peak in October and November 2024. The attacks, while lasting between 10 and 30 seconds, generate traffic of around 100 Gbps.
The disclosure comes weeks after Juniper Networks warned that Session Smart Router (SSR) products with default passwords are being targeted by malicious actors to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs.
"DDoS has become one of the most common and destructive forms of cyber attacks," XLab researchers said. "Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users."
The development also comes as threat actors are leveraging vulnerable and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner called PacketCrypt.