Researchers at Palo Alto Networks' Unit 42 have spotted a new variant of the infamous Mirai botnet, which spreads to Linux-based servers and IoT devices to assemble a massive swarm of bots for DDoS attacks.
To infect endpoints with the new variant, dubbed V3G4, the attackers brute force weak or basic telnet/SSH credentials and then exploit one of 13 known vulnerabilities to execute code remotely and install the malware.
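The credential brute forcing described above leaves a recognisable trace on the target: a burst of failed logins from one source, often followed by a successful one. The following detector is an added example (not code from Unit 42 or from the article) that runs over a few constructed sshd-style log lines, flags any source address with five or more failures inside a 60-second window, and notes whether a login was accepted after the burst. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not real campaign data).
# The year is assumed to be 2022 because syslog timestamps omit it.
SAMPLE_LOG = """\
Jul 12 03:14:01 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 12 03:14:03 edge-cam sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jul 12 03:14:04 edge-cam sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51024 ssh2
Jul 12 03:14:06 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul 12 03:14:07 edge-cam sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul 12 03:14:09 edge-cam sshd[812]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jul 12 03:20:00 edge-cam sshd[900]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Jul 12 03:40:00 edge-cam sshd[905]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2022):
    """Turn one sshd log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: info} for every source with >= threshold failed logins
    within window_s seconds. info records the failure count, the user names
    tried in that burst and whether a login was accepted after the burst
    (a guessed credential that worked)."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        lo = 0
        # Sliding window over the failure timestamps of this source.
        for hi in range(len(failures)):
            while (failures[hi]["ts"] - failures[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                burst_end = failures[hi]["ts"]
                succeeded = any(
                    e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs
                )
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in failures[lo:hi + 1]}),
                    "success_after_burst": succeeded,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged (five failures in eight seconds across root, admin and support, then an accepted password), while the single failure from 198.51.100.4 stays below the threshold. A "success after burst" hit is the case worth escalating, since it means the guessed credential worked; the telnet side of the same activity is not visible in sshd logs and needs the device's own login logging or network-level telemetry.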
So far, between July 2022 and December 2022, the researchers have spotted three distinct campaigns, all of which appear to come from the same threat actor. The reasoning is that the hard-coded C2 domains in all three contain the same string, the downloaded shell scripts are similar, and the botnet clients are said to share the same functions.
Fight against other botnets
The botnet comes with a number of interesting features, including one in which it tries to terminate processes belonging to other botnet families. It is therefore safe to assume that the threat actors are trying to hijack endpoints already compromised by other threat actors.
Furthermore, unlike other Mirai variants that use only one XOR encryption key, V3G4 uses four, making it more difficult for cybersecurity researchers to reverse engineer the malware.
The best way to protect against V3G4 is to make sure your Linux-powered endpoints are up to date and patched not only against the 13 flaws exploited in these campaigns, but also against other flaws known to the wider cybercrime community.
In addition to patching, having a strong firewall and cybersecurity solution will help protect against attempts to deploy malware.
Linux devices, as widespread as they are, are a popular target for threat actors looking to build and expand a botnet. Everything from routers to home cameras to smart home devices can be used as bots and deployed in distributed denial of service attacks.
Via: Bleeping Computer