{
	"id": "68ce1f55-8aef-4111-b853-d018551619cd",
	"created_at": "2026-04-06T00:21:07.572154Z",
	"updated_at": "2026-04-10T03:20:45.827408Z",
	"deleted_at": null,
	"sha1_hash": "64a771927e2cd0a7b5d886cbb3c2ae0cc4252131",
	"title": "New Mirai Variant Expands, Exploits CVE-2020-1017",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62504,
	"plain_text": "New Mirai Variant Expands, Exploits CVE-2020-1017\r\nBy Augusto Remillano II, Jemimah Molina\r\nPublished: 2020-07-08 · Archived: 2026-04-05 22:07:57 UTC\r\nWe discovered a new Mirai variant (detected as IoT.Linux.MIRAI.VWISI) that exploits nine vulnerabilities, the most notable of which is CVE-2020-10173 in Comtrend VR-3033 routers, which we have not observed exploited by past Mirai variants.\r\nThis discovery is a new addition to the Mirai variants that appeared in the past few months, which include SORA, UNSTABLE, and Mukashi. The case, however, showcases the ever-expanding arsenal of vulnerabilities that new Mirai variants are equipped with by their developers.\r\nThe vulnerabilities\r\nThe vulnerabilities used by this Mirai variant consist of a combination of old and new ones that help cast a wide net encompassing different types of connected devices. The nine vulnerabilities used in this campaign affect specific versions of IP cameras, smart TVs, and routers, among others.\r\nAs mentioned earlier, the most notable of these vulnerabilities is CVE-2020-10173, a Multiple Authenticated Command Injection vulnerability found in Comtrend VR-3033 routers. Remote malicious attackers can use this vulnerability to compromise the network managed by the router.\r\nOnly a proof of concept (POC) has been released for this vulnerability, with no reported exploit at large before this Mirai variant. Figure 1 serves as evidence of how this vulnerability is used by the sample.\r\nFigure 1. Code snippet that shows the use of CVE-2020-10173\r\nAnother relatively recent vulnerability also used in this campaign is Netlink GPON Router 1.0.11 RCE. Discovered this year, it was reportedly exploited by the Bashlite/Gafgyt variant Hoaxcalls.\r\nFigure 2. Code snippet that shows the use of Netlink GPON Router 1.0.11 RCE\r\nAside from these two, the variant makes use of mostly old vulnerabilities which have been used in past campaigns. The two code snippets shown in figures 3 and 4 serve as examples of old vulnerabilities written in the variant’s code.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/\r\nPage 1 of 4\n\nFigure 3. Code snippet that shows the use of LG SuperSign EZ CMS 2.5 - Remote Code Execution\r\nFigure 4. Code snippet that shows the use of Linksys E-series - Remote Code Execution\r\nIn addition to these examples, the remaining five old vulnerabilities that were exploited by the variant are the following:\r\nAVTECH IP Camera / NVR / DVR Devices - Multiple Vulnerabilities\r\nD-Link Devices - UPnP SOAP Command Execution\r\nMVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution\r\nSymantec Web Gateway 5.0.2.8 Remote Code Execution\r\nThinkPHP 5.0.23/5.1.31 - Remote Code Execution\r\nBrute-force capabilities\r\nA hallmark of Mirai variants is the use of Telnet and Secure Shell (SSH) brute-forcing, as evidenced by our sample. This variant also used the typical XOR encryption (with the XOR key 0x04) to hide the credentials that it uses to attack vulnerable devices. The credentials we extracted are listed here.\r\nExtracted credentials: 0, 1001chin, 1111, 1234, 12345, 123456, 20080826, 54321, 5up, 666666, 88888888, abc123, admin, ahetzip8, anko, antslq, ascend, blender, cat1029, changeme, default, dreambox, GM8182, grouter, guest, h3c, hg2x0, hi3518, huigu309, hunt5759, iDirect, ipcam_rt5350, iwkb, juantech, jvbzd, klv123, nflection, nmgx_wapia, oelinux123, pass, password, private, realtek, root, ROOT500, solokey, svgodie, swsbzkgn, system, t0talc0ntr0l4!, taZz@23495859, telecomadmin, telnet, telnetadmin, tl789, tsgoingon, twe8ehome, user, vizxv, win1dows, xc3511, xmhdipc, zhongxing, zlxx., zsun1188, Zte521\r\nConclusion and security recommendations\r\nThe use of CVE-2020-10173 in this variant’s code shows how botnet developers continue to expand their arsenal to infect as many targets as possible and take advantage of the opening afforded by unpatched devices. Newly discovered vulnerabilities, in particular, offer better chances for cybercriminals. Users, not knowing that a vulnerability even exists, might be unable to patch the device before it is too late.\r\nIn the future, it would be wise to expect that this vulnerability might be used in new DDoS botnets like Mirai. As monitoring of such botnets shows, handlers tend to copy each other’s techniques, including lists of vulnerabilities and credentials that increase their chance of success.\r\nFor devices to remain safe from the usual tactics of botnet malware, users need to follow best practices in securing their connected devices. These include the following:\r\nPatch vulnerabilities and apply updates as soon as they become available.\r\nUse network segmentation to limit the spread of potential infections.\r\nUse strong passwords and quickly change default ones.\r\nApply secure configurations for devices to limit unforeseen openings for infection.\r\nConnected devices can also be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro™ Home Network Security SDK solutions, which can check internet traffic between the router and all connected devices as well as help users assess for vulnerabilities.\r\nTrend Micro™ Deep Discovery™ Inspector also protects customers from this attack via these DDI rules:\r\n2452 - Wget Commandline Injection\r\n2544 - JAWS Remote Code Execution Exploit - HTTP (Request)\r\n2575 - Command Injection via UPnP SOAP Interface - HTTP (Request)\r\n2692 - LINKSYS Unauthenticated Remote Code Execution Exploit - HTTP (Request)\r\n2713 - AVTECH Command Injection Exploit - HTTP (Request)\r\n2786 - ThinkPHP 5x Remote Code Execution - HTTP (Request)\r\n2865 - CVE-2018-17173 LG Supersign Remote Code Execution - HTTP (Request)\r\n4689 - Comtrend - Remote Command Execution Exploit - HTTP (REQUEST)\r\nIndicators of compromise (IoCs)\r\nCommand and control (C\u0026C) servers\r\nmethcnc[.]duckdns[.]org\r\nmethscan[.]duckdns[.]org\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/"
	],
	"report_names": [
		"new-mirai-variant-expands-arsenal-exploits-cve-2020-10173"
	],
	"threat_actors": [],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64a771927e2cd0a7b5d886cbb3c2ae0cc4252131.pdf",
		"text": "https://archive.orkl.eu/64a771927e2cd0a7b5d886cbb3c2ae0cc4252131.txt",
		"img": "https://archive.orkl.eu/64a771927e2cd0a7b5d886cbb3c2ae0cc4252131.jpg"
	}
}