{
	"id": "6db19f4c-8d56-4e1d-964b-7a4e058711f8",
	"created_at": "2026-04-06T00:06:26.044766Z",
	"updated_at": "2026-04-10T03:21:10.322776Z",
	"deleted_at": null,
	"sha1_hash": "1e08be4f504c295a087dd471831c161e368603fc",
	"title": "Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1206919,
	"plain_text": "Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability\r\nBy Haozhe Zhang, Vaibhav Singhal, Zhibin Zhang, Jun Du\r\nPublished: 2021-03-17 · Archived: 2026-04-05 15:32:25 UTC\r\nExecutive Summary\r\nOn Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit versions 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data from a large number of vehicles. If a device is compromised, it comes under the control of attackers, who can then leak sensitive data or conduct further attacks, such as Distributed Denial-of-Service (DDoS) attacks. The vulnerability has a critical rating (CVSS 3.1 score of 9.8) because of its low attack complexity and critical security impact. The exploit captured by Unit 42 researchers used the vulnerability to spread Satori, a Mirai botnet variant.\r\nPalo Alto Networks Next-Generation Firewall customers with security subscriptions such as Threat Prevention, WildFire, URL Filtering and IoT Security are able to detect and prevent the exploit traffic and the malware.\r\nVulnerability Analysis\r\nThe vulnerable devices do not validate the htmlNtpServer parameter of /cgi-bin/timeconfig.py, allowing attackers to inject commands via crafted HTTP requests and have them executed on the victim’s device. This vulnerability was disclosed in early 2020, but the National Vulnerability Database (NVD) published it only recently, not long before the exploit attempts.\r\nExploit in the Wild\r\nOn Feb. 20, 2021, Palo Alto Networks Next-Generation Firewall caught the first exploit attempt. As shown in Figure 1, the exploit attempted to download the file arm7 from the server 198[.]23[.]238[.]203 with the system command wget and then change the access permissions of the downloaded file so that it could be executed with the current user’s privileges.\r\nFigure 1. Exploit request in the wild.\r\nThe server 198[.]23[.]238[.]203 was first noticed (serving a malicious shell script) by the security community on Feb. 17, 2021, according to VirusTotal. At the time of this writing, the server is still accessible. It provides an HTTP service on port 80, based on the Apache2 HTTP server, that serves the malware for download. It also has port 5684 open, which is believed to serve as the command and control (C2) channel.\r\nAccording to our investigation, nine samples with similar functions but different platform compatibility were found on the server. They are able to run on and compromise devices across multiple mainstream architectures, so the same malware can easily be reused when the attacker changes the exploit to target other systems.\r\nThe information for all nine samples is listed in the Indicators of Compromise (IoCs) section.\r\nhttps://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/\r\nPage 1 of 4\n\nMirai Botnet Variant (Satori)\r\nBased on our in-depth investigation of its behaviors and patterns, we believe that the malware samples hosted on the server 198[.]23[.]238[.]203 are highly likely to be a variant of the Mirai botnet, Satori.\r\nWhen executed, it prints the message “hello friend :)” to the console. Then four child processes are spawned and detached from the main process.\r\nThe malware was observed to scan port 23 of random hosts (as shown in Figure 2) and to attempt to log in with its embedded password dictionary when port 23 is open.\r\nFigure 2. Satori port scanning.\r\nFigure 3. Passwords encrypted with XOR algorithm and key 0x07.\r\nThe passwords are encrypted using the XOR algorithm with a single-byte key of 0x07, as shown in Figure 3.\r\nEncrypted C2 traffic over SSL was also observed between the victim and 198[.]23[.]238[.]203:5684, as shown in Figure 4.\r\nFigure 4. Traffic to C2 server.\r\nThe malware also contains multiple predefined operating system (OS) commands, as shown in Figure 5. Those commands are used to download and execute malicious payloads from remote C2 servers to deploy bots on new victim devices.\r\nFigure 5. Predefined OS commands.\r\nConclusion\r\nCVE-2020-9020 is easy to exploit and can lead to RCE. After gaining control, attackers can take advantage of it by adding the compromised devices to their botnet. Therefore, we strongly advise applying patches and upgrading when possible.\r\nPalo Alto Networks customers are protected from the vulnerability by the following products and services:\r\nNext-Generation Firewalls with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signature 90769.\r\nWildFire can stop the malware with static signature detections.\r\nURL Filtering can block malicious malware domains.\r\nIoT Security can provide coverage on legacy IoT sensors.\r\nIndicators of Compromise (IoCs)\r\n51[.]81[.]24[.]157\r\n198[.]23[.]238[.]203\r\nSource: https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/"
	],
	"report_names": [
		"satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e08be4f504c295a087dd471831c161e368603fc.pdf",
		"text": "https://archive.orkl.eu/1e08be4f504c295a087dd471831c161e368603fc.txt",
		"img": "https://archive.orkl.eu/1e08be4f504c295a087dd471831c161e368603fc.jpg"
	}
}