{
	"id": "3cfc0bee-9d19-424a-9a5c-0f1a73633e0e",
	"created_at": "2026-04-06T00:14:50.880694Z",
	"updated_at": "2026-04-10T13:12:51.316042Z",
	"deleted_at": null,
	"sha1_hash": "3015284d90faa332674c8775feb1cbcc69ca0467",
	"title": "Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 291817,
	"plain_text": "Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities\r\nBy Ruchna Nigam\r\nPublished: 2019-12-13 · Archived: 2026-04-05 16:56:38 UTC\r\n\r\nExecutive Summary\r\n\r\nSince the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure and, more remarkably, adding to the list of vulnerabilities it scans for as a means to increase its attack surface with each evolution.\r\n\r\nUnlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003 to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet spots of IoT vulnerabilities, targeting either legacy devices that are still in use but probably too old to update due to compatibility issues, or newer vulnerabilities that are too recent for owners to have patched.\r\n\r\nThe newly incorporated exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application.\r\n\r\nThis version first surfaced on October 28th, 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October. While details on this version were recently published, this post shares CVE numbers (where available) for the vulnerabilities targeted, as well as IOCs for this version I have been tracking since October.\r\n\r\nThe following section also explains the discrepancy in the exploit count used here in comparison to other publications.\r\n\r\nExploits\r\n\r\nThis latest variant contains a total of 71 unique exploits, 13 of which had not been seen exploited in the wild prior to this version. Exploits targeting the same vulnerability in different devices (potentially sharing firmware) or targeting different ports have been grouped together.\r\n\r\nThe exploits that are new to this version, and to any previously seen Mirai variant for that matter, are listed in Table 1 below:\r\n\r\nhttps://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/\r\nPage 1 of 6\n\nTable 1. Previously unexploited vulnerabilities in latest ECHOBOT version\r\n\r\nOther exploits included in this version are listed in the Appendix.\r\n\r\nOther Technical Details\r\n\r\nLike its predecessors, this version of ECHOBOT also makes use of the key 0xDFDAACFD for XOR encryption of its strings.\r\n\r\nThe new default credentials brute forced by this variant are listed below:\r\nroot/trendimsa1.0\r\nadmin/fritzfonbox\r\nr00t/boza\r\nroot/welc0me\r\nadmin/welc0me\r\nroot/bagabu\r\nwelc0me/\r\nunknown/\r\nUNKNOWN/\r\n\r\nInfrastructure\r\n\r\nThis version first surfaced on 28th October 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October. Figure 1 shows the dropper script that was live at the IP 145.249.106[.]241 until the 12th of December.\r\n\r\nFigure 1. Dropper script\r\n\r\nPrior to this, samples of this version were briefly hosted at:\r\n45.89.106[.]108 on 2019-10-28\r\n80.82.67[.]184 on 2019-12-03\r\n80.82.67[.]209 on 2019-12-04\r\n145.249.106[.]241 on and after 2019-11-12\r\n\r\nIt makes use of the same domains for Command and Control as its predecessors.\r\n\r\nIOCs for all activity mentioned in this post can be found at the Unit42 github.\r\n\r\nConclusion\r\n\r\nThe Mirai variant ECHOBOT differentiates itself from concurrent variants by the sheer volume of vulnerabilities targeted, as opposed to other variants that stick to certain vulnerabilities that have proven effective over time. The exploits unique to this new version target vulnerabilities ranging from extremely old CVEs from as long back as 2003, to ones made public as recently as early December 2019. This choice of exploits could possibly imply its authors are targeting either legacy devices that are still in use but probably too old to update due to compatibility issues, or newer vulnerabilities that are too recent for owners to have patched. We are unable to speculate at this point in time on the overall effectiveness of their approach - be it the use of a large number of exploits, or the choice of the exploits themselves.\r\n\r\nPalo Alto Networks customers are protected by:\r\nWildFire, which detects all related samples with malicious verdicts\r\nThreat Prevention and PANDB, which block all exploits and IPs/URLs used by this variant.\r\n\r\nAutoFocus customers can track these activities using individual exploit tags:\r\nCVE-2019-17270\r\nCVE-2019-18396\r\nAVCON6RCE\r\nCVE-2019-16072\r\nCVE-2019-14931\r\nSar2HTMLRCE\r\nCVE-2017-16602\r\nCVE-2017-6316\r\nCVE-2013-5912\r\nACTiASOC2200RCE\r\n3ComOfficeConnectRCE\r\nCVE-2006-4000\r\nCCBillRCE\r\n\r\nThe malware family can be tracked in AutoFocus using the tag Mirai.\r\n\r\nAppendix\r\n\r\nOther exploits embedded in this ECHOBOT version are listed below, one per line as: Vulnerability | Function name in unstripped binaries | Port(s) Scanned\r\n\r\nCVE-2019-15107 | webmin_init | 10000\r\nCVE-2014-8361 | realtekscan, dlinkscan | 52869, 49152\r\nFritzBox Command Injection | fritzboxscan | 80\r\nCVE-2019-12989, CVE-2019-12991 | citrix_init | 80\r\nXfinity Gateway Remote Code Execution | xfinityscan | 80\r\nBeward N100 Remote Code Execution | bewardscan | 80\r\nFLIR Thermal Camera Command Injection | thermalscan | 80\r\nEyeLock nano NXT Remote Code Execution | nxtscan | 11000\r\nIrisAccess ICU Cross-Site Scripting | irisscan | 80\r\nEnGenius Remote Code Execution | cloudscan | 9000\r\nSapido RB-1732 Remote Command Execution | sapidoscan | 80\r\nCVE-2016-0752 | railsscan | 3000\r\nCVE-2014-3914 | rocketscan | 8888\r\nCVE-2015-4051 | beckhoffscan | 5120\r\nCVE-2015-2208 | phpmoadmin | 80\r\nCVE-2018-7297 | homematicscan | 2001\r\nSpreeCommerce Remote Code Execution | spreecommercescan | 80\r\nRedmine Remote Code Execution | redminescan | 80\r\nCVE-2003-0050 | quicktimescan | 1220\r\nCVE-2011-3587 | plonescan | 80\r\nCVE-2005-2773 | openviewscan | 2447\r\nOp5Monitor Remote Code Execution | op5v7scan | 443\r\nCVE-2012-0262 | op5scan | 443\r\nCVE-2009-2288 | nagiosscan | 12489\r\nMitelAWC Remote Code Execution | mitelscan | 80\r\nGitorious Remote Code Execution | gitoriousscan | 9418\r\nCVE-2012-4869 | freepbxscan | 5060\r\nCVE-2011-5010 | ctekscan | 52869\r\nDogfoodCRM_Remote Code Execution | crmscan | 8000\r\nCVE-2005-2848 | barracudascan | 80\r\nCVE-2006-2237 | awstatsmigratescan | 80\r\nCVE-2005-0116 | awstatsconfigdirscan | 80\r\nCVE-2008-3922 | awstatstotalsscan | 80\r\nCVE-2007-3010 | telscan | 80\r\nASUSModemRCEs (CVE-2013-5948, CVE-2018-15887) | asuswrtscan, asusscan | 80\r\nCVE-2009-0545 | zeroshellscan | 80\r\nCVE-2013-5758 | yealinkscan | 52869\r\nCVE-2016-10760 | seowonintechscan | 80\r\nCVE-2009-5157 | linksysscan | 80\r\nCVE-2009-2765 | ddwrtscan | 80\r\nCVE-2010-5330 | airosscan | 80\r\nCVE-2009-5156 | asmaxscan | 80\r\nGoAheadRCE | wificamscan | 80\r\nCVE-2017-5174 | geutebruckscan | 80\r\nCVE-2018-6961 | vmwarescan | 80\r\nCVE-2018-11510 | admscan | 8001\r\nOpenDreamBox_RCE | dreamboxscan/dreambox8889scan, dreambox8880scan, dreambox10000scan | 10000, 8889, 8880, 10000\r\nWePresentCmdInjection | wepresentscan | 80\r\nCVE-2018-17173 | supersignscan | 9080\r\nCVE-2019-2725 | oraclescan | 1234\r\nNetgearReadyNAS_RCE | nuuoscan, netgearscan | 50000, 80\r\nCVE-2018-20841 | hootooscan | 6666\r\nDellKACE_SysMgmtApp_RCE | dellscan | 80\r\nCVE-2018-7841 | umotionscan | 80\r\nCVE-2016-6255 | veralite_init | 49451\r\nCVE-2019-3929 | Blackboxscan | 80\r\nCVE-2019-12780 | belkin_init | 49152\r\n\r\nSource: https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/"
	],
	"report_names": [
		"mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3015284d90faa332674c8775feb1cbcc69ca0467.pdf",
		"text": "https://archive.orkl.eu/3015284d90faa332674c8775feb1cbcc69ca0467.txt",
		"img": "https://archive.orkl.eu/3015284d90faa332674c8775feb1cbcc69ca0467.jpg"
	}
}