Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

Summary:
A Mirai botnet variant has been observed exploiting a newly disclosed security flaw in Four-Faith industrial routers since early November 2024, with the goal of conducting DDoS attacks. XLab has tracked this variant since February 2024. Unlike most Mirai variants, it has survived for months and continues to exploit both 0-day and N-day vulnerabilities to expand its infection base. In early November 2024 the variant evolved further, adding a 0-day vulnerability in Four-Faith industrial routers and previously unknown vulnerabilities in Neterbit routers and Vimar smart home devices to spread its payloads. XLab's findings show that the variant operates with more than 40 grouping categories and has more than 15,000 daily active nodes. When the botnet detected that XLab had registered some of its domains, it automatically responded with a DDoS attack. It delivers its samples using more than 20 vulnerabilities plus weak Telnet credentials; the Hacker News article linked below lists the vulnerabilities. Infections are concentrated in China, the United States, Iran, Russia, and Turkey, while attack targets are concentrated in China, the United States, Germany, the United Kingdom, and Singapore. On execution, the malware attempts to hide its malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.

Security Officer Comments:
This review of the Mirai botnet variant highlights its transformation from what could have been a short-lived Mirai fork into a distinctive large-scale botnet armed with 0-day exploitation capabilities. The botnet has launched intermittent attacks from February 2024 to the present, peaking at around 200 attacks per day during October and November 2024. Botnet developers commonly encrypt strings to hinder analysis and protect the program, but the developer behind this botnet appears to have neglected string protection: all strings are in plaintext, which makes the samples easier to analyze and to match with static signatures. DDoS attacks are highly reusable and a very cost-effective method of cyberattack, and the ability to conduct large-scale attacks using botnets and malicious tools has made DDoS one of the most common and destructive forms of cyberattack. Organizations and individuals should implement comprehensive defense strategies to mitigate the risk of DDoS attacks and enhance their overall security posture.

Suggested Corrections:
IOCs are available in the XLab report linked below.

DDoS attacks are hard to defend against because individual malicious packets are often indistinguishable from legitimate ones. They typically work in one of two ways: volumetric attacks exhaust bandwidth or connection state, while application-layer attacks exhaust the resources of a specific service with requests that each look valid.

There are several methods to counter DDoS attacks:

  • Sinkholing: In this strategy, all traffic destined for the attacked address is routed to a "sinkhole" (a null route) where it is discarded. The drawback is that it eliminates both legitimate and malicious traffic, so the business loses its real customers for the duration.
  • Routers and Firewalls: Routers can help by filtering out nonessential protocols and invalid or bogon IP addresses, but they become less effective when a botnet employs spoofed source addresses, and firewalls face the same limitation. Ingress filtering (BCP 38) at the network edge stops spoofed packets from leaving a network but does nothing for the victim receiving them. For the variant described here, blocking Telnet (TCP 23 and 2323) and other management ports from the internet also removes its main propagation path.
  • Intrusion-Detection Systems (IDS): These solutions match signatures or flag anomalous traffic patterns (some products use machine learning) and can automatically push blocks to a firewall. While powerful, they require tuning to avoid false positives, since blocking legitimate users finishes the attacker's job for them.
  • DDoS Mitigation Appliances: Various vendors offer devices that scrub traffic through techniques such as load balancing and firewall blocking. Their effectiveness varies, as they may block some legitimate traffic and allow some malicious traffic to pass through.
  • Over-provisioning: Some organizations buy extra bandwidth to absorb sudden traffic spikes during DDoS attacks. Often this additional capacity is outsourced to a service provider that can scale up during an attack. As attacks grow in scale, however, this approach becomes less cost-effective.

These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
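As an added example (not code from XLab, The Hacker News, or the botnet itself), the following Python script shows the kind of detection logic the router/firewall and IDS items above describe, run over constructed firewall log lines. It flags two behaviours from the summary: a source that opens Telnet (23/2323) connections to many distinct hosts in a short window, which is how Mirai-style bots propagate, and a destination receiving SYNs from many distinct sources at a high rate, which is the volumetric flood case. Flood counting is done per destination rather than per source on purpose, because spoofed source addresses make per-source thresholds meaningless. The log format, field names, thresholds, and sample traffic are assumptions for this example; the iptables lines it emits are illustrations of what an IDS could hand to a firewall, not rules to apply blindly.

```python
"""Toy IDS for Mirai-style propagation and SYN floods (added example, not from the source page)."""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

TELNET_PORTS = {23, 2323}
# Assumed log format: "<epoch> <src>:<sport> -> <dst>:<dport> <tcpflags>"
LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Return an Event, or None for a malformed line (the detector must not crash on garbage)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, flags = m.groups()
    return Event(int(ts), src, dst, int(dport), flags)


def parse_log(text):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)  # detectors assume time order


def telnet_scanners(events, window_s=60, min_targets=8):
    """Sources that send pure SYNs to >= min_targets distinct hosts on 23/2323 within window_s."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the sliding window
    flagged = {}
    for e in events:
        if e.dport not in TELNET_PORTS or e.flags != "S":
            continue
        q = recent[e.src]
        q.append((e.ts, e.dst))
        while q and q[0][0] < e.ts - window_s:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets:
            flagged[e.src] = max(flagged.get(e.src, 0), len(targets))
    return flagged


def syn_flood_targets(events, window_s=10, min_syns=100, min_sources=20):
    """Destinations receiving >= min_syns SYNs from >= min_sources distinct sources within window_s.
    Per-destination counting survives source spoofing; per-source counting would not."""
    recent = defaultdict(deque)  # dst -> deque of (ts, src)
    flagged = {}
    for e in events:
        if e.flags != "S":
            continue
        q = recent[e.dst]
        q.append((e.ts, e.src))
        while q and q[0][0] < e.ts - window_s:
            q.popleft()
        if len(q) >= min_syns and len({s for _, s in q}) >= min_sources:
            flagged[e.dst] = max(flagged.get(e.dst, 0), len(q))
    return flagged


def emit_block_rules(scanners, floods):
    """Render verdicts as iptables lines: drop Telnet from scanners, rate-limit SYNs to flooded hosts."""
    rules = [f"iptables -A INPUT -s {src} -p tcp -m multiport --dports 23,2323 -j DROP"
             for src in sorted(scanners)]
    for dst in sorted(floods):
        rules.append(f"iptables -A INPUT -d {dst} -p tcp --syn -m limit --limit 25/s --limit-burst 100 -j ACCEPT")
        rules.append(f"iptables -A INPUT -d {dst} -p tcp --syn -j DROP")
    return rules


def build_sample_log():
    """Constructed sample traffic (not real captures): benign web, one scanner, one slow admin, one flood."""
    lines = [f"1700000000 192.0.2.5:5100{i} -> 198.51.100.80:443 S" for i in range(3)]
    # Mirai-style propagation: one source SYNs to 12 distinct hosts on 23/2323 within 12 seconds.
    lines += [f"{1700000000 + i} 203.0.113.10:4{i:04d} -> 198.51.100.{10 + i}:{23 if i % 2 else 2323} S"
              for i in range(12)]
    # Legitimate admin: 3 Telnet SYNs spread over 10 minutes, below the scanner threshold.
    lines += [f"{1700000000 + 300 * i} 192.0.2.9:40001 -> 198.51.100.{50 + i}:23 S" for i in range(3)]
    # Volumetric flood: 150 SYNs from 150 distinct (presumably spoofed) sources within 5 seconds.
    lines += [f"{1700000100 + i // 30} 198.18.0.{i}:{1024 + i} -> 198.51.100.200:80 S" for i in range(150)]
    lines.append("garbage line that the parser must tolerate")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    for rule in emit_block_rules(telnet_scanners(events), syn_flood_targets(events)):
        print(rule)
```

On the sample log the scanner detector reports only 203.0.113.10 (12 distinct Telnet targets), the slow administrator stays under the threshold, and the flood detector reports 198.51.100.200 (150 SYNs from 150 sources). Real deployments would feed this from NetFlow or firewall logs and would tune the thresholds per network; the rate-limit rules also only protect the host behind the firewall and do nothing for upstream link saturation, which is why the over-provisioning and scrubbing options above still matter.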

Link(s):
https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html

https://blog.xlab.qianxin.com/gayfemboy-en/