New Mirai Variant Adds Three Exploits

Security experts are warning of a new Mirai variant which features three exploits to target unpatched IoT endpoints.

The “Wicked” variant is named after some of the code strings found in it by researchers at Fortinet, they revealed late last week.

While the original Mirai compromised devices by brute-forcing logins, Wicked relies on known exploits, choosing which one to fire according to the port on which it connects to the target.

If it connects on port 8080, the malware uses a remote code execution (RCE) exploit for Netgear DGN1000 and DGN2200 v1 routers, the same one the Reaper botnet used to compromise its targets.

On port 81 it uses an RCE exploit that targets CCTV and DVR devices.

On port 8443 it exploits an old command injection vulnerability (CVE-2016-6277) in Netgear R7000 and R6400 routers.

On port 80 the attackers have added a technique that hijacks web servers already compromised with a malicious web shell, using the shell left behind by the earlier intrusion.

“After a successful exploit, this bot then downloads its payload from a malicious website, in this case, hxxp://185.246.152.173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot,” explained Fortinet.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”
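The port-to-target mapping Fortinet describes, together with the payload host and `/exploit/` path quoted above, can be turned into a simple triage rule for firewall or honeypot logs: flag any source that probes two or more of the four Wicked ports, and flag any internal host that fetches a file from the payload directory. The script below is an added example written for this page, not Fortinet's tooling or code from the Wicked samples; the log line format, the RFC 5737 test addresses, the `min_ports` threshold and the sample log itself are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Ports Wicked connects to and what each is used against (from Fortinet's
# analysis as summarised in the article). Only the port numbers are used for
# matching; the descriptions are for the analyst reading the output.
WICKED_PORTS = {
    8080: "Netgear DGN1000/DGN2200v1 RCE (shared with Reaper)",
    81:   "CCTV/DVR RCE",
    8443: "Netgear R7000/R6400 command injection (CVE-2016-6277)",
    80:   "web server with a pre-installed web shell",
}

# Payload host and directory quoted by Fortinet. The filename is not pinned so
# that both the owari.* and the later omni.* samples are caught.
PAYLOAD_HOST = "185.246.152.173"
PAYLOAD_PATH_RE = re.compile(r"^/exploit/[A-Za-z0-9_.-]+$")

# Assumed (hypothetical) log format, one event per line:
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> [uri=<path>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" proto=(?P<proto>\w+)(?: uri=(?P<uri>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def analyse(lines, min_ports=2):
    """Return (scanners, payload_fetches).

    scanners: {src_ip: sorted Wicked ports it touched}, restricted to sources
              that hit at least `min_ports` distinct Wicked ports, so a single
              ordinary port-80 request does not trip the rule.
    payload_fetches: (src, dst, uri) for every request to the payload host
              whose path is under /exploit/, i.e. a likely post-exploitation
              download by an already-compromised device.
    """
    ports_by_src = defaultdict(set)
    fetches = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line, skip rather than crash the run
        if ev["dport"] in WICKED_PORTS:
            ports_by_src[ev["src"]].add(ev["dport"])
        if ev["dst"] == PAYLOAD_HOST and ev["uri"] and PAYLOAD_PATH_RE.match(ev["uri"]):
            fetches.append((ev["src"], ev["dst"], ev["uri"]))
    scanners = {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}
    return scanners, fetches


def describe(ports):
    """Human-readable labels for a list of Wicked ports."""
    return [f"{p}: {WICKED_PORTS[p]}" for p in ports]


# Constructed sample log: one external host sweeping all four Wicked ports,
# one benign host touching 443 and 80, and one internal router fetching two
# payloads from the quoted host, plus a junk line to exercise the parser.
SAMPLE_LOG = """\
2018-05-21T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2018-05-21T10:00:01Z src=203.0.113.7 dst=192.0.2.11 dport=81 proto=tcp
2018-05-21T10:00:02Z src=203.0.113.7 dst=192.0.2.12 dport=8443 proto=tcp
2018-05-21T10:00:02Z src=203.0.113.7 dst=192.0.2.13 dport=80 proto=tcp
2018-05-21T10:00:05Z src=198.51.100.4 dst=192.0.2.20 dport=443 proto=tcp
2018-05-21T10:00:06Z src=198.51.100.4 dst=192.0.2.20 dport=80 proto=tcp
2018-05-21T10:00:09Z src=192.0.2.10 dst=185.246.152.173 dport=80 proto=tcp uri=/exploit/owari.mips
2018-05-21T10:00:10Z src=192.0.2.10 dst=185.246.152.173 dport=80 proto=tcp uri=/exploit/omni.arm7
this line is not a log entry
"""

if __name__ == "__main__":
    scanners, fetches = analyse(SAMPLE_LOG.splitlines())
    for src, ports in scanners.items():
        print(src, "probed Wicked ports:", describe(ports))
    for src, dst, uri in fetches:
        print(src, "fetched", uri, "from", dst)
```

Two design points: the scanner rule keys on distinct ports rather than raw hit counts, because a legitimate client hammering port 80 should not look like Wicked, while a host that walks 80, 81, 8080 and 8443 in quick succession almost certainly is; and the payload check matches the directory rather than a fixed filename, since Fortinet notes the files at that path were swapped from Owari to Omni during their analysis.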

In fact, it is believed that the same author, who used the pseudonym “Wicked” in an interview last April, is responsible for Owari, Sora, Omni and Wicked.

“This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” the researchers argued.
