Cyberium Domain Targets Tenda Routers in Botnet CampaignAT&T Alien Labs: Hackers Used Mirai Variant MooBot
Malware hosting domain Cyberium has spread Mirai variants, including one that targeted vulnerable Tenda routers, as part of a botnet campaign, AT&T Alien Labs reports.
Since March, AT&T Alien Labs, which offers an open threat intelligence community, has detected a spike in active exploitation attempts on Tenda routers by MooBot, a Mirai variant that has been active since 2019. The latest campaign is targeting Tenda users by exploiting users who have not patched a remote code vulnerability in the router, tracked as CVE-2020-10987.
"At the end of March, AT&T Alien Labs observed a spike in exploitation attempts for Tenda Remote Code Execution vulnerability," says Fernando Martinez, a security researcher at AT&T Alien Labs team. "This spike was observed throughout a significant number of clients, in the space of a few hours. This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November."
The Tenda router scanning activities only lasted a day, according AT&T Alien Labs. The malicious botnet traffic originated from a single Cyberium malware hosting domain, researchers say.
The first request to victims’ machines from this hosting page was to download a malicious script, which then downloaded a later stage of malware. This script then downloaded a list of filenames associated with different CPU architectures, executed them and finally deleted them, AT&T Alien Labs reports.
The researchers concluded that the malicious payload was MooBot based on the similarities of the downloader file seen in other Mirai variants. But this variant has different features than other versions.
"The samples obtained from MooBot were encrypted, attempting to evade string-based detection, static analysis of the exploits used, or after compromised activities," Martinez says. "However, it did maintain other previously seen characteristics, such as a hardcoded list of IP addresses to avoid, including private ranges, the Department of Defense, IANA IPs, GE, HP and others."
MooBot, which began its operations by targeting vulnerable Dockers APIs for DDoS botnet attacks, has been tied to several campaigns.
In July 2020, security firm Net Labs found the malware was exploiting a zero-day in Unix CCTV as part of a DDoS campaign.
That same month, Net Labs also uncovered a different MooBot variant that spread through weak Telnet passwords and some zero-day vulnerabilities.
Although the scanning activities for Tenda routers lasted only for a day, the same domain was used to scan for other vulnerable ports for several days, the report notes.
Those scans targeted vulnerable Huawei home routers, Axis SSI, and DVR scanners. These campaigns delivered different Mirai variants, including Satori, which used the same tactics as MooBot to infect victims' devices, the researchers note.
"Additional samples were identified under the same domain, which on first investigation appeared to be a mix between the already mentioned MooBot and Satori samples with a random combination of their characteristics," they say. "Most of them looked like MooBot samples without the encoding or Satori without the hardcoded domain."
To help prevent botnet attacks, AT&T recommends keeping IoT devices updated and patching CVEs, monitoring network traffic for known incoming exploits, monitoring traffic for Cyberium or ripper domains and regularly performing process auditing and accounting to look for malicious process names used by botnets to disguise themselves.