With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit

by Augusto Remillano II and Mark Vicente (Threats Analysts)

The exploitation of vulnerabilities in smart devices has been a persistent problem for many internet of things (IoT) users. Perhaps the most infamous IoT threat is the constantly evolving Mirai malware, which has been used in many past campaigns that compromised devices with default or weak credentials. Different Mirai variants and derivatives have cropped up since its source code was leaked in 2016.

We analyzed another Mirai variant called “Miori,” which is being spread through a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP. The exploit related to the vulnerability is relatively new — details about it have only surfaced on December 11. For its arrival method, the IoT botnet uses the said exploit that affects ThinkPHP versions prior to 5.0.23 and 5.1.31. Interestingly, our Smart Protection Network also showed a recent increase on events related to the ThinkPHP RCE. We expect malicious actors to abuse the ThinkPHP exploit for their respective gains.

Aside from Miori, several known Mirai variants like IZ1H9 and APEP were also spotted using the same RCE exploit for their arrival method. The aforementioned variants all use factory default credentials via Telnet to brute force their way in and spread to other devices. Once any of these Mirai variants infects a Linux machine, it will become part of a botnet that facilitates distributed denial-of-service (DDoS) attacks.

Looking into the Mirai Variant, Miori

Miori is just one of the many Mirai offshoots. Fortinet once described its striking resemblance to another variant called Shinoa. Our own analysis revealed that the cybercriminals behind Miori used the Thinkpad RCE to make vulnerable machines download and execute their malware from hxxp://144[.]202[.]49[.]126/php:

Figure 1. RCE downloads and executes Miori malware

Upon execution, Miori malware will generate this in the console:

Figure 2. Miori infects device

It will start Telnet to brute force other IP addresses. It also listens on port 42352 (TCP/UDP) for commands from its C&C server. It then sends the command “/bin/busybox MIORI” to verify infection of targeted system.

Figure 3. Miori sends command

We were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy-to-guess.

Mirai variant: Miori
XOR key: 0x62

Table 1. Related Miori credentials and strings

A closer look also uncovered two URLs used by two other variants of Mirai: IZ1H9 and APEP. We then looked into the binaries (x86 versions) located in the two URLs. Both variants use the same string deobfuscation technique as Mirai and Miori, and we were likewise able to decrypt their configuration table.

hxxp://94[.]177[.]226[.]227/bins/
Mirai variant: IZ1H9
XOR key: 0xE0

Table 2. Related IZ1H9 credentials and strings

hxxp://cnc[.]arm7plz[.]xyz/bins/
Mirai variant: APEP
XOR key: 0x04

Table 3. Related APEP credentials, C&C servers, and strings

It should be noted that aside from brute-force via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, which involves another RCE vulnerability and affects Huawei HG532 router devices, for its attacks. The vulnerability was also reported to be involved in Satori and Brickerbot variants. Huawei has since released a security notice and outlined measures to circumvent possible exploitation.

Figure 4. Exploit related to CVE-2017-17215

Conclusion and Recommendations

Telnet default password logins and brute force attempts to connected devices aren’t new. Factory default passwords, which many users may ignore or forget to change, are commonly used to access vulnerable devices. Mirai has since spawned other botnets that use default credentials and vulnerabilities in their attacks. Users are advised to change the default settings and credentials of their devices to deter hackers from hijacking them. As a general rule, smart device users should regularly update their devices to the latest versions. This will address vulnerabilities that serve as potential entry points for threats and will also improve the functionality of the devices. Finally, enable the auto-update feature if the device allows it.

Users can also adopt IoT security solutions that are designed to combat these kinds of threats. Trend Micro Smart Home Network protects users from this threat via this intrusion prevention rule:

• 1135215 WEB ThinkPHP Remote Code Execution

Indicators of Compromise (IoCs)

Related malicious URLs:

hxxp://144[.]202[.]49[.]126/miori[.]mips
hxxp://144[.]202[.]49[.]126/miori[.]mpsl
hxxp://144[.]202[.]49[.]126/miori[.]arm
hxxp://144[.]202[.]49[.]126/miori[.]arm5
hxxp://144[.]202[.]49[.]126/miori[.]arm6
hxxp://144[.]202[.]49[.]126/miori[.]arm7
hxxp://144[.]202[.]49[.]126/miori[.]sh4
hxxp://144[.]202[.]49[.]126/miori[.]ppc
hxxp://144[.]202[.]49[.]126/miori[.]x86
hxxp://144[.]202[.]49[.]126/miori[.]arc
hxxp://144[.]202[.]49[.]126/php
hxxp://94[.]177[.]226[.]227/bins/
hxxp://cnc[.]arm7plz[.]xyz/bins/
hxxp://scan[.]arm7plz[.]xyz

The post With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit appeared first on .

Read more: With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit