
Miori Botnet Malware Contains Scan Code Targeting Existing Vulnerability in F5 Big-IP Devices

An increase in Miori Botnet samples is observed, targeting F5 Big-IP Devices (CVE-2022-1388) – TTP Instance – Search Packet – YARA Rule – TTP Validated.

On May 12, 2022, threat hunter @0xrb stated that he had observed a Miori botnet malware sample containing scan code targeting CVE-2022-1388, a vulnerability in F5 Big-IP devices. The Miori botnet has been linked to attacks exploiting the ThinkPHP framework bug in 2018. According to open source reports, this botnet shares code with Mirai. A 2019 variant of Miori implemented a protection mechanism that would terminate C2 connections if a specific string was not provided.

Two Miori samples were recently submitted to MalwareBazaar (SHA256: 2684c02ad85a92e0563c09b6ca3645b095e0138270d552509c2bdffbdddf2d2f and SHA256: 209f58253fd2db0dedfa6b6d7b1bcec092fd2713fa87be3de91ac273fa8c3de91ac271e87c3de91ac).

An analysis of these samples returned medium detection rates in VirusTotal, while Intezer Analyze identified the samples as Mirai. Sandbox analysis either detected the samples as Mirai via a triggered YARA rule or reported them as "clean" when run in a Linux environment. Both samples attempted to connect to at least 100 other IP addresses and were observed using the "uname" system call to query kernel data, possibly in an attempt at defense evasion.

While creating a YARA rule to detect Miori, an investigation discovered a hardcoded IP address: 2.56.56[.]162. A lookback performed with the attached rule returned 152 unique samples (including those used to create the YARA rule) and found that all samples included a hardcoded IP address.

Two IP addresses were identified in almost all the returned samples: 2.56.56[.]162 and 195.58.38[.]253. Additionally, all but 6 samples were found to have been submitted to the malware repository after April 2022, with 5 of the remaining 6 submitted in 2019 (about the last time Miori was reportedly observed in the malware repository).

This recent increase in Miori submissions to malware repositories suggests that a new Miori botnet campaign is currently underway. These samples were written to run on almost 10 different architectures, some of which indicate that the sample is intended for IoT devices (i.e., the MIPS and Motorola architectures).
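The two observations above, the hardcoded C2 addresses found while building the YARA rule and the multi-architecture builds aimed at IoT devices, are the kind of thing a defender wants to check automatically during triage. The following script is an added example and is not the write-up's own YARA rule or tooling: it reads the ELF `e_machine` field to name the target architecture, extracts every dotted-quad IPv4 literal from a sample, and flags the two indicators quoted above (the defanging brackets are removed for matching). The `make_fake_elf` helper builds a constructed, minimal ELF header for demonstration only; it is not a real sample.

```python
import re
import struct
from typing import Dict, Optional, Set

# Indicators quoted in the write-up above, with the "[.]" defanging removed.
MIORI_C2_IPS = {"2.56.56.162", "195.58.38.253"}

# Subset of ELF e_machine values (from the ELF specification) relevant to IoT botnet triage.
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "Motorola 68k", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64",
}

# Dotted quad not preceded/followed by another digit or dot (avoids partial matches).
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def elf_architecture(data: bytes) -> Optional[str]:
    """Return the architecture name of an ELF image, or None if the bytes are not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    # EI_DATA (byte 5) selects the byte order used for the rest of the header.
    endian = "<" if data[5] == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine at offset 18
    return EM_NAMES.get(e_machine, f"unknown (e_machine={e_machine})")


def hardcoded_ipv4(data: bytes) -> Set[str]:
    """Extract every IPv4 literal whose four octets are all in the range 0..255."""
    found = set()
    for m in IPV4_RE.finditer(data):
        text = m.group().decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")):
            found.add(text)
    return found


def triage(data: bytes) -> Dict[str, object]:
    """Summarise architecture, embedded IPs and any match against the known Miori C2 IPs."""
    ips = hardcoded_ipv4(data)
    return {
        "arch": elf_architecture(data),
        "hardcoded_ips": sorted(ips),
        "miori_indicators": sorted(ips & MIORI_C2_IPS),
    }


def make_fake_elf(e_machine: int, big_endian: bool, payload: bytes) -> bytes:
    """Build a constructed, minimal ELF header (demo only, not a real sample) plus payload."""
    endian = ">" if big_endian else "<"
    # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA, EI_VERSION=1, EI_OSABI=0, 8 pad bytes.
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine
    return header + payload


if __name__ == "__main__":
    # Constructed big-endian MIPS image carrying one of the quoted C2 addresses.
    sample = make_fake_elf(8, True, b"\x00/bin/busybox\x002.56.56.162\x00uname\x00")
    print(triage(sample))
```

Run over a directory of submissions, the `arch` field gives the per-architecture spread the write-up describes, and a non-empty `miori_indicators` list is the quick signal that a sample belongs to this cluster; a regex over raw bytes will miss addresses stored as packed integers, so treat an empty result as "not found by this method" rather than as a clean verdict.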

© 2021 by DEFENSIONE. Cybersecurity | Defense and Response. Developed by BALUTEK.