Researchers from Palo Alto Networks’ Unit 42 have spotted a new variant of the infamous Mirai botnet, spreading to Linux-based servers and IoT devices in order to create an enormous swarm of DDoS grunts.
In order to infect endpoints with the new V3G4 botnet, the attackers brute-force weak or default Telnet/SSH credentials, and then abuse one of 13 known vulnerabilities to remotely execute code and install the malware.
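The credential brute-forcing described above leaves a recognisable trace in a device's SSH authentication log. As an added illustration (not code from the Unit 42 report or the article), the following Python script flags a source address that racks up a burst of failed logins inside a short window, and separately flags the more serious case of a successful login arriving right after such a burst. The log lines, host names, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (invented host, times and addresses), not real telemetry.
SAMPLE_LOG = """\
Feb 16 10:00:01 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 40112 ssh2
Feb 16 10:00:02 cam01 sshd[812]: Failed password for admin from 198.51.100.7 port 40113 ssh2
Feb 16 10:00:03 cam01 sshd[812]: Failed password for invalid user support from 198.51.100.7 port 40114 ssh2
Feb 16 10:00:04 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 40115 ssh2
Feb 16 10:00:05 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 40116 ssh2
Feb 16 10:00:06 cam01 sshd[812]: Accepted password for root from 198.51.100.7 port 40117 ssh2
Feb 16 10:03:00 cam01 sshd[813]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Feb 16 10:20:00 cam01 sshd[814]: Failed password for alice from 203.0.113.9 port 51001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password" lines, including "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def detect_bruteforce(log_text, window=timedelta(seconds=60), threshold=5, year=2022):
    """Return {ip: {"failures": n, "burst": bool, "success_after_burst": bool}}.

    "burst" means >= threshold failures from one IP inside `window`;
    "success_after_burst" means an accepted login followed that burst within `window`.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["result"]))
    events.sort()
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    report = {}
    for ts, ip, result in events:
        entry = report.setdefault(ip, {"failures": 0, "burst": False, "success_after_burst": False})
        if result == "Failed":
            entry["failures"] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                entry["burst"] = True
        elif entry["burst"] and ts - recent[ip][-1] <= window:
            entry["success_after_burst"] = True
    return report

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A burst followed by an accepted login is the signal worth alerting on: it is the point at which a default-credential device has just been taken over.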
So far, between July 2022 and December 2022, the researchers spotted three different campaigns, all of which seem to originate from the same threat actor. The reasoning here is that the hardcoded C2 domains contain the same string in all three, the shell script downloads are similar, and the botnet clients are all reportedly similar in features.
Fighting against other botnets
The botnet comes with a number of interesting features, including one in which it tries to terminate, among other processes, those belonging to other botnet families. So, it’s safe to assume that the threat actors are trying to hijack already compromised endpoints from other threat actors.
Furthermore, unlike other Mirai variants which use just one XOR encryption key, V3G4 uses four, making it harder for cybersecurity researchers to reverse-engineer the malware.
The best way to protect against V3G4 is to make sure your Linux-powered endpoints are up-to-date and invulnerable not just to the 13 flaws being abused in these campaigns, but also any other flaws known to the wider cybercriminal community.
Besides patching, having a strong firewall, as well as a cybersecurity solution, will help defend against any malware deployment attempts.
Linux devices, as widespread as they are, are a popular target for threat actors looking to create and expand a botnet. Everything from routers to home cameras to smart home devices can be used as a bot and deployed in distributed denial of service attacks.