Unit 42, the Palo Alto Networks threat research team, has discovered new malicious activity in which a Mirai variant, malware that turns network-connected devices running Linux (usually small IoT devices) into remotely controlled bots, is used to target IoT devices.
This variant, called IZ1H9, was first discovered in August 2018 and has been one of the most active Mirai variants since then.
On April 10th, Unit 42 researchers observed a wave of malicious campaigns using IZ1H9; these campaigns, dating back to November 2021, were all deployed by the same actor. They published their malware analysis on May 25th.
IZ1H9 initially spreads through HTTP, SSH, and Telnet protocols.
When installed on an IoT device, the IZ1H9 botnet client first checks the network portion of the infected device’s IP address, much like the original Mirai. The client refuses to run on a list of excluded IP blocks, including government networks, internet providers, and big tech companies.
It then announces its presence by printing the word “darknet” to the console.
“This malware also includes functionality to ensure that only one instance of this malware is running on the device. If a botnet process already exists, the botnet client will terminate the current process and will start a new process,” explained Unit 42 in its analysis.
The botnet client also contains a list of process names belonging to other Mirai variants and other botnet malware families. The malware checks the names of the processes running on the infected host and terminates any that match the list.
The IZ1H9 variant attempts to connect to a hardcoded C2 address of 193.47.61[.]75.
When connected, IZ1H9 initializes the encrypted string table and retrieves the encrypted string through the index.
The table key 0xBAADF00D is used during the string decryption process. For each encrypted character, the malware performs a byte-by-byte XOR decryption: cipher_char ^ 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = plain_char.
Because XOR is associative and commutative, the four successive XORs collapse into a single-byte key: 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA.
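The following is an added worked example (not code from the Unit 42 analysis or from the malware) that reproduces the string-table decryption described above, both as the byte-by-byte XOR sequence and as the folded single-byte key, and checks that the two agree. The string table it decrypts is constructed for illustration; the entries are not strings recovered from a real IZ1H9 sample.

```python
"""String-table decryption as described for IZ1H9 (added example).

The malware XORs each encrypted byte with the four bytes of the table key
0xBAADF00D in turn.  XOR is associative and commutative, so that sequence
is equivalent to XORing with the single byte 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D.
An analyst decoding a dumped string table can therefore use either form.
"""

TABLE_KEY = 0xBAADF00D  # table key named in the analysis


def key_bytes(table_key: int) -> list[int]:
    """Split a 32-bit key into its four bytes, most significant first."""
    return [(table_key >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def folded_key(table_key: int) -> int:
    """Collapse the four key bytes into the equivalent single XOR byte."""
    k = 0
    for b in key_bytes(table_key):
        k ^= b
    return k


def decrypt_stepwise(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """Byte-by-byte form: cipher ^ 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D for each byte."""
    out = bytearray()
    for c in data:
        for b in key_bytes(table_key):
            c ^= b
        out.append(c)
    return bytes(out)


def decrypt_folded(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """Equivalent single-byte form using the folded key (0xEA here)."""
    k = folded_key(table_key)
    return bytes(c ^ k for c in data)


# XOR is its own inverse, so "encrypting" a plaintext is the same operation.
encrypt = decrypt_folded

# Constructed sample table for the demonstration only; these are not
# strings taken from a real sample.
SAMPLE_TABLE = [
    encrypt(b"darknet"),
    encrypt(b"/bin/busybox"),
]


def decrypt_table(table: list[bytes]) -> list[bytes]:
    """Decrypt every entry of an encrypted string table."""
    return [decrypt_folded(entry) for entry in table]


if __name__ == "__main__":
    print(f"folded key: 0x{folded_key(TABLE_KEY):02X}")
    for entry, plain in zip(SAMPLE_TABLE, decrypt_table(SAMPLE_TABLE)):
        print(entry.hex(), "->", plain.decode())
```

Running the script prints the folded key and each decoded entry; the same functions can be pointed at a string table extracted from a binary to confirm whether it uses this key.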
“While the vulnerability exploited by this threat is not overly complex, it still has the potential for remote code execution, which does not mitigate the impact. A device compromised by a and updates are highly recommended,” concluded the Unit 42 researchers.