Cybersecurity researchers have spotted a new Mirai-based botnet, tracked as mirai_ptea, that abuses an undisclosed vulnerability in Digital Video Recorders (DVRs) manufactured by KGUARD to recruit the devices into DDoS attacks.
What's new?
Netlab 360, a Chinese cybersecurity firm, first reported the flaw on March 23. Later, on June 22, it observed the mirai_ptea botnet actively exploiting it.
The researchers said the vulnerable code has been present in KGUARD DVR firmware since 2017. They have deliberately withheld most details of the flaw to avoid enabling further exploitation.
The flaw allows remote execution of system commands without authentication. At least 3,000 devices exposed online are believed to be affected.
The botnet uses a Tor proxy to communicate with its C2 server, and analysis of the mirai_ptea sample showed that all sensitive resource information is stored in encrypted form.
At run time the bot decodes this resource information, uses it to establish the connection to the C2 server, and then retrieves commands for execution, such as instructions to launch DDoS attacks.
Additional insights
The source IPs of the bots are concentrated in the U.S., Brazil, and Korea. Additional infections were reported in Europe, Australia, Asia, North and South America, and parts of Africa.
Researchers named the variant Mirai_ptea because it uses a Tor proxy to communicate with the C2 and the TEA (Tiny Encryption Algorithm) cipher to hide its resource information.
Mirai_ptea carries two built-in sets of proxies, stored as entries 0x2a and 0x2b of the encrypted resource table. When the bot runs, it randomly selects one of the two sets.
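The TEA decoding of the resource table and the random choice between the two proxy-set entries, as an added illustration that is not mirai_ptea's own code and not based on its binary. The 128-bit key, the block layout (ECB, little-endian 32-bit words, zero padding), the plaintext contents of entries 0x2a and 0x2b and the proxy addresses are all constructed assumptions; only the algorithm (standard 32-cycle TEA) and the two table indices come from the write-up.

```python
"""Decode a TEA-encrypted resource table and pick one of two proxy sets.

Added example, not code from the sample. Key, block mode, padding and the table
contents are hypothetical; a real analysis would recover them from the binary.
"""
import random
import struct

DELTA = 0x9E3779B9   # TEA round constant, floor(2**32 / golden ratio)
MASK = 0xFFFFFFFF
CYCLES = 32          # standard TEA: 32 cycles of two Feistel rounds each


def tea_encrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key (four words)."""
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Exact inverse of tea_encrypt_block: same rounds, applied backwards."""
    s = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_encrypt(data: bytes, key: tuple) -> bytes:
    """ECB over 8-byte blocks, zero-padded (block mode and padding are assumptions)."""
    data = data + b"\x00" * ((-len(data)) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<II", data[i:i + 8])
        out += struct.pack("<II", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def tea_decrypt(data: bytes, key: tuple) -> bytes:
    """Reverse of tea_encrypt; strips the zero padding from the last block."""
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8 bytes")
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<II", data[i:i + 8])
        out += struct.pack("<II", *tea_decrypt_block(v0, v1, key))
    return bytes(out).rstrip(b"\x00")


# Hypothetical key; in a real sample it would be recovered from the binary.
KEY = (0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00)

# Constructed plaintext table. The indices 0x2a and 0x2b mirror the proxy-set
# entries named in the write-up; the addresses are invented placeholders.
_PLAIN = {
    0x2A: b"127.0.0.1:9050,127.0.0.1:9150",
    0x2B: b"10.0.0.1:9050,10.0.0.2:9050",
}
# What the bot would actually carry: only the encrypted form of each entry.
ENCRYPTED_TABLE = {idx: tea_encrypt(val, KEY) for idx, val in _PLAIN.items()}
PROXY_SET_INDICES = (0x2A, 0x2B)


def decode_entry(table: dict, idx: int, key: tuple = KEY) -> str:
    """Decrypt one resource-table entry back to its string form."""
    return tea_decrypt(table[idx], key).decode()


def choose_proxy_set(table: dict, key: tuple = KEY, chooser=random.choice):
    """Pick one of the two proxy-set entries at random and decode it.

    Returns (table index, list of 'host:port' strings). `chooser` is injectable
    so the selection can be made deterministic for testing.
    """
    idx = chooser(PROXY_SET_INDICES)
    proxies = decode_entry(table, idx, key).split(",")
    return idx, proxies


if __name__ == "__main__":
    idx, proxies = choose_proxy_set(ENCRYPTED_TABLE)
    print(f"selected resource entry 0x{idx:x}: {proxies}")
```

The practical use of a routine like this is in triage: once the key and the table layout have been recovered from one sample, every string the bot hides (proxy lists included) can be dumped statically instead of waiting for the bot to decode them at run time, and the decoded proxy and C2 indicators can be fed straight into blocklists.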
Conclusion
The mirai_ptea variant is a textbook example of the lasting consequences of leaked source code. Mirai's source code was leaked in 2016, and new variants built on it are still being spotted regularly in the threat landscape. For protection, apply firmware security updates promptly and, since the details of this flaw have not been published, avoid exposing DVR management interfaces directly to the internet.