A new variant of Mirai has been abusing a command injection vulnerability tracked as CVE-2021-32305. This flaw exists in an open-source web application, dubbed WebSVN, used for source code browsing.
Making the headlines
Just after the vulnerability was made public, researchers observed it being exploited in the wild.
Researchers have disclosed that the malware shares some of its code with Mirai and was being used for launching DDoS attacks.
Eight types of attacks can be used against different targets (such as OVH or TCP protocol).
While exploiting the WebSVN vulnerability, hackers may not get some details of the target environment, such as operating system and processor architecture. However, the shell script used in the further step of the attack overcomes this issue.
How it works
Although WebSVN is a PHP application that supports cross-platform and runs on several OS, only Linux binaries are being used in the current attacks.
The malware has malicious Linux binaries for 12 different architectures.
Rather than identifying which one is correct for the target environment, it attempts brute force technique to run the binaries.
To limit the size of the executable files, each one is compressed with a modified version of UPX. Moreover, the packer is modified and recurs more effort to examine.
Additionally, the malware archives portability by statically connecting all of its dependencies and making system calls inside the code. It tries to connect to its C2 server on port 666.
Just a month ago, another Mirai variant was exploiting a total of nine vulnerabilities.
Conclusion
The exploitation of the WebSVN flaw shows that attackers are currently focusing on Linux-based systems. Therefore, security professionals and organizations are strongly recommended to have a robust patch management process to secure their infrastructure from such threats.