Search This Blog

Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits




To add on to the latest list of raging malware, the cyber-cons decided on changing names of some older ones.

Malware Mirai, is now being dispensed by the name of Miori, by way of malicious remote code execution exploits.


The Mirai Malware has a really solid history of wreaking havoc by executing DDOS (Distributed Denial of Service) attacks on various platforms among IoT devices.


The botnet in question has previously executed some truly jeopardizing DDOS attacks and has been the culprit for computer fraud and abuse.


The malware would need to function equally well on different architectures in order to run on cross-platforms.


Now, Miori can easily exploit internet connected devices by abusing their vulnerabilities. The smart devices are always on the radar for this malware.


The above-mentioned malware is being dispensed through Remote Code Execution vulnerability in the PHP structure of the name ThinkPHP. The exploit especially has targeted, versions previous to 5.0.23 and 5.1.31.


 The security researchers who are on to the malware, have alluded that the rate of infection is increasing in the case of ThinkPHP RCE in smart devices.


Numerous other Mirai malware which exploit the ThinkPHP RCE vulnerability are also being dispensed.


Researchers also confirmed that a Linux device was made to perform the DDOS attack because of the infection dispensed via other connected devices as the default credentials got reset through a telnet.


Reportedly, Miori is merely a subdivision which the cyber-cons use to fabricate vulnerable devices via Thinkpad RCE.


The malware variant could be downloaded from the following command and control server. Hxxp://144[.]202[.]49[.]126/php


Once the malware is executed a console gets generated which switches the Telnet on, to brute force other IP addresses.


On the port 42352 (TCP/UDP) the C&C server keeps a check to receive further commands.


The configuration table, of the Miori malware was de-crypted by researchers, which was instated in its binary strings.


The username passwords and other credentials which were used by the malware were also found out by the researchers as they were fairly easy to speculate.


A scrutinized look resulted in the discovery of two URLs that were employed by the two variants of Mirai, namely APEP and IZIH9. Both were employing the same string  anti-obfuscation procedure as Miarai and Miori.


APEP also spreads by exploiting CVE-2017-17215 which encompasses of one other RCE vulnerability which can seriously affect router devices.

Share it:

malware

PHP

Remote Code Execution