Palo Alto Networks Unit 42 researchers have discovered a new variant of the infamous Mirai botnet that is spreading to Linux servers and IoT devices to build a massive swarm of DDoS attack grunts.
To infect endpoints with the new V3G4 botnet, attackers use weak or default Telnet/SSH credentials and then exploit one of 13 known vulnerabilities to execute code remotely and install the malware.
Between July 2022 and December 2022, researchers detected three separate campaigns, all of which appear to come from the same cybercriminal: the hard-coded C2 domains share the same string in all three, the shell-script downloaders are similar, and the botnet clients reportedly have similar features.
Fighting other botnets
The botnet has several notable features, including a routine that tries to terminate, among other targets, processes belonging to other botnet families. It is therefore reasonable to assume that the operators are trying to take over endpoints already infected by rival groups.
Moreover, unlike other Mirai variants that use only one XOR encryption key, V3G4 uses four, making the malware harder for security researchers to replicate.
The best way to protect against V3G4 is to keep Linux endpoints up to date and patched against not only the 13 vulnerabilities used in these campaigns, but also any other vulnerabilities known to the wider cybercrime community.
In addition to patching, a properly configured firewall together with an endpoint security solution will help defend against malware deployment attempts.
Because they are so widespread, Linux devices are a popular target for cybercriminals looking to build and extend a botnet. Everything from routers to home cameras to smart home devices can be turned into bots and used in distributed denial-of-service attacks.
Source: BleepingComputer