New Mirai botnet fires off DDoS attacks via compromised Mitel phones, notifies command & control when detected

A third variant of the Mirai-based Aquabot malware is apparently taking over Mitel phones to create a remote-controlled botnet that can fire off distributed denial of service (DDoS) attacks. 

Dubbed Aquabotv3, the malware is actively exploiting a known vulnerability in the devices to access their session initiation protocol (SIP) function, according to Akamai’s Security Intelligence and Response Team.

Interestingly, this variant has a unique, never-before-seen (at least in Mirai) characteristic: It reports when it’s detected. Akamai’s team says the malware “exhibits a behavior we have never before seen with Mirai”: Its [report_kill] function alerts its command-and-control server (C2) when the infected device attempts to terminate the malware. However, the researchers said they had not yet seen a response from the C2.

“DDoS continues to be a pervasive threat to many organizations, and botnets such as Aquabot are key players in this,” Akamai security researchers Kyle Lefton and Larry Cashdollar wrote in a blog post. “The ROI of Mirai for an aspiring botnet author is high. Mirai is one of the most successful botnet families in the world, and is also one of the more simple ones to modify.”

A unique characteristic — but that’s not necessarily an advantage

The Mirai botnet was designed to hijack Internet of Things (IoT) devices to create remote-controlled botnets that can launch high-volume DDoS attacks. Aquabot was first discovered in November 2023 by antivirus vendor Antiy Labs.

Aquabotv3 exploits a command injection vulnerability, CVE-2024-41710, that affects the Mitel 6800, 6900 and 6900w series phones. First disclosed in mid-July 2024, the vulnerability allows attackers to gain administrative privileges and tamper with input parameters to gain access to sensitive data. This can allow them to execute arbitrary system-specific commands.

“These IoT machines often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers,” Lefton and Cashdollar wrote.

They noted that, at first glance, the malware appears to be just a “standard Mirai malware binary with typical DDoS attack functions.” However, when looking closer, they discovered a function that sends a signal when it detects certain security actions in the infected device that could terminate the malware. When any are identified, Aquabotv3 catches them, flags the malware as “defended” against that signal, then reports back to its C2.

“We haven’t seen this behavior before in a Mirai variant, so perhaps it may become a new feature,” the researchers wrote.

The true reason for this behavior is not yet confirmed, but it could be a way for the author to monitor the botnet’s health. Another reason could be intentional observation of a device’s defensive activity so attackers can develop “more stealthy variants.” Or, it could also be used to detect active competing botnets or ethical takedown campaigns.

“Unique, however, is not always the most useful — this malware was not particularly quiet, which could be to its detriment,” Lefton and Cashdollar emphasized.

The ongoing fight against Mirai-based DDoS attacks

There is an untold number of Mirai variants — researchers have put them at anywhere from just seven to more than 200 — but cybersecurity companies are being diligent in rooting them out.

Just a week ago, for instance, Cloudflare said that it had detected the biggest DDoS ever recorded, a 5.6 terabits per second (Tbps) attack launched by a Mirai variant. It was directed at an Asian internet service provider (ISP) and originated from more than 13,000 IoT devices. It lasted only 80 seconds and was quickly identified and mitigated by Cloudflare’s autonomous systems.

“It required no human intervention, didn’t trigger any alerts, and didn’t cause any performance degradation,” Cloudflare wrote in a blog last week.

In another case, researchers from VulnCheck found that attackers have been using the Gayfemboy botnet, based on Mirai malware, since November 2024 to attack previously unknown vulnerabilities in routers and smart home devices.

Clearly, Mirai isn’t going away anytime soon, if ever, nor are DDoS attacks. In fact, Cloudflare reported a 53% increase in DDoS threats in 2024 over 2023 and a whopping 1,885% surge in attacks exceeding 1 Tbps, dubbed “hyper-volumetric” DDoS attacks, between the third and fourth quarters of 2024.

Aquabot advertised as DDoS-as-a-service

Akamai’s researchers found that Aquabotv3’s creators have been advertising the botnet as DDoS as a service through platforms including Telegram, under different names including Cursinq Firewall, The Eye Services, and The Eye Botnet.

They pointed out that threat actors commonly assert that the botnet is not harmful, and only intended for DDoS mitigation testing purposes (or red teaming). “Threat actors will claim it’s just a proof of concept (PoC) or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet,” Lefton and Cashdollar wrote.

In any case, the researchers underscored the importance of securing IoT devices that are still configured with default credentials. Because many botnets rely on common password libraries for authentication, it’s important to check login credentials and change them if they are still set to default or are easy to guess. Also, security teams should identify where known IoT devices are, and “check for rogue ones, too.”

29 January 2025