Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022.

The IT security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the infamous Mirai malware, which was responsible for several large-scale DDoS attacks (Distributed Denial of Service attacks) on Dyn DNS in October 2016.

Dubbed V3G4 by researchers, it is a type of malware that specifically targets Internet of Things (IoT) devices. Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default login credentials such as factory-set usernames and passwords.

In the campaign tracked by Unit 42, one of the prime targets of the V3G4 malware has been exposed IP cameras. The malware uses the exposed servers and devices to create a powerful botnet, which can be used to launch DDoS attacks or perform other malicious activities, such as stealing data or installing additional malware.

According to Unit 42’s report, researchers observed the V3G4 malware leveraging several vulnerabilities to spread its infection from July to December of 2022. These vulnerabilities include the following:

CVE-2019-15107 – Webmin Command Injection Vulnerability
CVE-2012-4869 – FreePBX Elastix Remote Command Execution Vulnerability
CVE-2020-8515 – DrayTek Vigor Remote Command Execution Vulnerability
CVE-2020-15415 – DrayTek Vigor Remote Command Injection Vulnerability
CVE-2022-36267 – Airspan AirSpot Remote Command Execution Vulnerability
CVE-2022-26134 – Atlassian Confluence Remote Code Execution Vulnerability
CVE-2022-4257 – C-Data Web Management System Command Injection Vulnerability
CVE-2017-5173 – Geutebruck IP Cameras Remote Command Execution Vulnerability
CVE-2014-9727 – FRITZ!Box Webcam Remote Command Execution Vulnerability
(no CVE assigned) – Gitorious Remote Command Execution Vulnerability
(no CVE assigned) – Mitel AWC Remote Command Execution Vulnerability
(no CVE assigned) – Spree Commerce Arbitrary Command Execution Vulnerability
(no CVE assigned) – FLIR Thermal Camera Remote Command Execution Vulnerability
Source: Unit 42

Researchers also noted that the botnet client carries a stop list of process names: it compares the names of processes running on the infected host against this list and tries to kill any that match. The listed process names belong to other botnet malware families and to previously identified Mirai variants, so the infection removes competing bots from the device.

V3G4’s stop list.

This should not come as a surprise, as several Mirai variants have surfaced over the years, including MooBot, Demonbot, OMG, and others.

"The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution."
Palo Alto Networks – Unit 42

To protect against V3G4 and other IoT malware, it is important to follow best practices for securing IoT devices. This includes changing default usernames and passwords, keeping software up to date with the latest security patches, and disabling unnecessary services and protocols. Network segmentation can also help to contain the spread of malware if a device is infected.
