Mirai's new variant "Mukashi" attacks network-attached devices

    • Updated:
    • 17 Dec 2020
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector 5.0
    • Deep Discovery Inspector 5.7
    • Deep Security 12.0
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Standard 10.0
    • Platform:
Summary

Mirai is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white-hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Mirai was named after the 2011 TV anime series Mirai Nikki. The source code for Mirai was published on Hack Forums as open source. Since the source code was published, its techniques have been adapted in other malware projects.

The new Mirai variant named Mukashi attacks network-attached storage (NAS) devices. Mukashi takes advantage of a vulnerability, CVE-2020-9054, found in Zyxel NAS devices, which allows remote attackers to execute malicious code on the affected system. It also uses brute force attacks with default credentials to log in to Zyxel NAS products. Once logged in, the attackers can take control of the devices and add them to a botnet that can be used to perform distributed denial of service (DDoS) attacks. Mukashi retains the ability to communicate with a command-and-control server.

This backdoor gathers the following information and sends it to its servers:

  • User/device information (IP address, port, username, password)

Behaviour

  • Brute Force
  • Communicates to a command-and-control server

Capabilities

  • Exploits
  • Information Theft
  • Backdoor commands

Impact

  • Exploits - takes advantage of a software vulnerability or security flaw and can be used to remotely access a network and gain elevated privileges or move deeper into the network
  • Compromise system security - with backdoor capabilities that can execute malicious commands
  • Violation of user privacy - gathers user credentials and steals user information

Additional Threat Reference Information

Infection Chain

MITRE ATT&CK Matrix

BEHAVIOR | TACTIC | TECHNIQUE
It takes advantage of vulnerability CVE-2020-9054 | Initial Access | T1190 Exploit Public-Facing Application
Brute force attack through the use of default credentials | Persistence, Privilege Escalation, Initial Access | T1078 Valid Accounts
Report/send vulnerability result of victim's device (IP address, port, login credential) | Exfiltration | T1041 Exfiltration Over Command and Control Channel
Loads malware and components on Zyxel NAS device running firmware version 5.21 | Command And Control, Lateral Movement | T1105 Remote File Copy
Execute script to download and run payload | Defense Evasion, Execution | T1064 Scripting
Scan TCP port of random IP address or host | Discovery | T1046 Network Service Scanning
Identify IoT devices | Discovery | T1049 System Network Connections Discovery
Adversaries may perform DDoS attack | Impact | T1498 Network Denial of Service
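Two of the behaviours in the matrix above, the default-credential brute force (T1078) and the TCP scanning of random hosts (T1046), are noisy enough to be caught from ordinary NAS and gateway logs. The following detection script is an added example, not Trend Micro's code or part of this article: it runs over constructed sample log lines in a hypothetical key=value format, and the default usernames it watches for are assumed rather than taken from the advisory.

```python
"""Added example (not part of the Trend Micro advisory): flag the two noisy
Mukashi behaviours it describes, brute-force logins with default credentials
(T1078) and TCP scanning of many random hosts (T1046), over constructed
sample records. Log format, thresholds and usernames are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of default account names; the advisory names none.
DEFAULT_USERS = {"admin", "root"}

# Constructed sample: NAS web-login audit lines in a hypothetical format.
AUTH_LOG = """\
2020-03-12T10:00:01 login user=admin src=203.0.113.10 result=fail
2020-03-12T10:00:02 login user=admin src=203.0.113.10 result=fail
2020-03-12T10:00:03 login user=root src=203.0.113.10 result=fail
2020-03-12T10:00:04 login user=admin src=203.0.113.10 result=fail
2020-03-12T10:00:05 login user=admin src=203.0.113.10 result=fail
2020-03-12T10:00:06 login user=admin src=203.0.113.10 result=success
2020-03-12T10:05:00 login user=alice src=192.0.2.7 result=fail
2020-03-12T10:05:30 login user=alice src=192.0.2.7 result=success
"""

# Constructed sample: outbound connection records seen at the gateway.
# A NAS that has joined the botnet probes many unrelated hosts on one port.
CONN_LOG = """\
2020-03-12T10:10:00 conn src=10.0.0.5 dst=198.51.100.1 dport=23
2020-03-12T10:10:00 conn src=10.0.0.5 dst=198.51.100.9 dport=23
2020-03-12T10:10:01 conn src=10.0.0.5 dst=203.0.113.44 dport=23
2020-03-12T10:10:01 conn src=10.0.0.5 dst=192.0.2.200 dport=23
2020-03-12T10:10:02 conn src=10.0.0.5 dst=198.51.100.77 dport=23
2020-03-12T10:10:02 conn src=10.0.0.5 dst=203.0.113.3 dport=23
2020-03-12T10:10:03 conn src=10.0.0.5 dst=192.0.2.18 dport=23
2020-03-12T10:10:03 conn src=10.0.0.5 dst=198.51.100.130 dport=23
2020-03-12T10:12:00 conn src=10.0.0.9 dst=192.0.2.50 dport=443
2020-03-12T10:12:05 conn src=10.0.0.9 dst=192.0.2.50 dport=443
"""


def parse_kv(line):
    """Parse '<iso-timestamp> <event> k=v k=v ...' into a dict; 'ts' is a datetime."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    for tok in parts[2:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: max_failures} for sources with at least `threshold` failed
    logins against default accounts inside any `window` (sliding per source)."""
    failures = defaultdict(list)
    for e in events:
        if e.get("result") == "fail" and e.get("user") in DEFAULT_USERS:
            failures[e["src"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(count, hits.get(src, 0))
    return hits


def find_scanners(conns, min_targets=8, window=timedelta(seconds=30)):
    """Return {(src, dport): distinct_targets} for sources contacting at least
    `min_targets` distinct destinations on one port inside any `window`."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c["src"], c["dport"])].append((c["ts"], c["dst"]))
    hits = {}
    for key, recs in by_key.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            targets = {dst for ts, dst in recs[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[key] = max(len(targets), hits.get(key, 0))
    return hits


def report():
    """Run both detectors over the constructed samples."""
    return find_bruteforce(parse_log(AUTH_LOG)), find_scanners(parse_log(CONN_LOG))


if __name__ == "__main__":
    brute, scans = report()
    for src, n in brute.items():
        print(f"T1078 brute force: {src} made {n} failed default-account logins")
    for (src, port), n in scans.items():
        print(f"T1046 scanning: {src} probed {n} hosts on tcp/{port}")
```

On the constructed input the first detector flags 203.0.113.10 (five failed default-account logins in six seconds before a success) and the second flags 10.0.0.5 (eight distinct hosts on tcp/23 in three seconds), while the single user with a typo'd password and the host reconnecting to one HTTPS server stay quiet. Thresholds and windows are starting points to tune against your own baseline.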
Details

Available Solutions

Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules
Email Protection | N/A | - | - | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 15.793.00 | April 9, 2020 | Detection similar to VSAPI
Predictive Machine Learning | N/A | - | - | -
File detection (VSAPI) | Yes | ENT OPR 15.791.00 | April 8, 2020 | Backdoor.Linux.MIRAI.VWISF; Backdoor.Linux.MIRAI.VWISG; Backdoor.Linux.MIRAI.VWISK; Backdoor.Linux.MIRAI.VWISE; Backdoor.Linux.MIRAI.VWISM; Backdoor.Linux.MIRAI.VWISN; Backdoor.Linux.MIRAI.VWISH; Backdoor.Linux.MIRAI.VWISI; Backdoor.Linux.MIRAI.VWISL; IoT.Linux.MIRAI.VWISF; Trojan.SH.MIRAI.BOE
Network Pattern | Yes | Rule 4362: NCIP 1.14087.00, NCCP 1.14013.00; Rule 2839: NCIP 1.13651.00, NCCP 1.13611.00; Rule 2544: NCIP 1.14043.00, NCCP 1.13069.00 | March 10, 2020 | Rule 4362: CVE-2020-9054 - ZYXEL NAS - HTTP (REQUEST); Rule 2839: ZTE F460 F660 - Remote Code Execution - HTTP (Request); Rule 2544: JAWS Remote Code Execution Exploit - HTTP (Request)
Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 2105, TMDT OPR 2107 | April 9, 2020 | -
Category: Remove a Malware / Virus
Solution Id: 000283375