{
	"id": "9383549e-a1ba-4986-96c8-8ce144bb1530",
	"created_at": "2026-04-06T00:12:28.859647Z",
	"updated_at": "2026-04-10T03:24:18.149066Z",
	"deleted_at": null,
	"sha1_hash": "b10f261116d5ac653ff9aa65cc1a54e59bdf5044",
	"title": "Mirai Botnet Attack IoT Devices via CVE-2020-5902",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73961,
	"plain_text": "Mirai Botnet Attack IoT Devices via CVE-2020-5902\r\nBy: Augusto Remillano II, Jemimah Molina Jul 28, 2020 Read time: 5 min (1322 words)\r\nPublished: 2020-07-28 · Archived: 2026-04-05 13:40:08 UTC\r\nBased on the workaround published for CVE-2020-5902, we found a Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.\r\nUpdate as of 10:00 A.M. PST, July 30, 2020: Our continued analysis of the malware sample showed adjustments to the details involving the URI and Shodan scan parameters. We made the necessary changes in this post. We would like to thank F5 Networks for reaching out to us to clarify these details.\r\nFollowing the initial disclosure of two F5 BIG-IP vulnerabilities in the first week of July, we continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severity. Based on the workaround published for CVE-2020-5902, we found an internet of things (IoT) Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload. The samples we found also try to exploit recently disclosed and potentially unpatched vulnerabilities in commonly used devices and software. System administrators and individuals using the related devices are advised to patch their respective tools immediately.\r\nRoutine\r\nAs previously reported, the security bug involves a remote code execution (RCE) vulnerability in the management interface of BIG-IP known as the Traffic Management User Interface (TMUI). After analyzing the published information, we noticed from the mitigation rule in Apache httpd that a possible way to exploit this vulnerability involves an HTTP GET request containing a semicolon character in the URI. In a Linux command line, a semicolon signals to the interpreter that a command has finished, and it is a character the vulnerability needs in order to be triggered. To further our analysis, we tested whether an IoT botnet author can add a scanning capability to existing and/or new malware variants via this Yara rule:\r\nFigure 1. Yara rule to check for malware\r\nWhile the rule used for testing seems simple, it gave us a broad range of malware, Python, or Ruby proofs of concept (PoC) to check against. From the disclosure date of July 1, we found the first sample of an ELF file compiled for the MIPS architecture on July 11 that identified two addresses: hxxp[:]//79[.]124[.]8[.]24/bins/ (identified as the disease vector) and hxxp[:]//78[.]142[.]18[.]20 (identified as the command and control (C\u0026C) server). A common pattern with IoT malware like Mirai is finding different files hosted in one domain with different extensions meant to attack different architectures. Upon checking the host, we found the following files:\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/\r\nPage 1 of 5\r\nTable 1. Files hosted in the C\u0026C\r\nHash File\r\nacb930a41abdc4b055e2e3806aad85068be8d85e0e0610be35e784bfd7cf5b0e fetch.sh\r\n037859323285e0bbbc054f43b642c48f2826924149cb1c494cbbf1fc8707f942 sora.arm5\r\n55c4675a84c1ee40e67209dfde25a5d1c1979454ec2120047026d94f64d57744 sora.arm6\r\n03254e6240c35f7d787ca5175ffc36818185e62bdfc4d88d5b342451a747156d sora.arm7\r\n204cbad52dde24ab3df41c58021d8039910bf7ea07645e70780c2dbd66f7e90b sora.m68k\r\n3f8e65988b8e2909f0ea5605f655348efb87565566808c29d136001239b7dfa9 sora.mips\r\n15b2ee07246684f93b996b41578ff32332f4f2a60ef3626df9dc740405e45751 sora.mpsl\r\n0ca27c002e3f905dddf9083c9b2f8b3c0ba8fb0976c6a06180f623c6acc6d8ca sora.ppc\r\necc1e3f8332de94d830ed97cd07867b90a405bc9cc1b8deccec51badb4a2707c sora.sh4\r\ne71aca778ea1753973b23e6aa29d1445f93dc15e531c706b6165502d6cf0bfa4 sora.x86\r\nLooking into the IP addresses further, we learned that since June, they had already been used to deploy IoT malware, including other Mirai variants.\r\nThe SORA file names have been previously identified as a Mirai variant that can be used for brute-force attacks and the abuse of other vulnerabilities for RCE and unauthorized control and management of devices. Meanwhile, fetch.sh is a shell script with the following content:\r\nFigure 2. fetch.sh shellscript\r\nfetch.sh connects to http[:]//79[.]124[.]8[.]24/bins/sora.{architecture} to download and execute the applicable malicious binary named “sysctl”. Simultaneously, fetch.sh also creates cron jobs to enable automatic execution of the downloaded binary.\r\nFigure 3. Creating cron jobs\r\nThe script uses the iptables tool to drop any packets to popularly used transmission control protocol (TCP) ports such as the default ports for Telnet, Secure Shell (SSH), and the device web panel (HTTP). This may have two different implications:\r\nNo other malware will have direct access to exposed services on the infected device\r\nThe device owner will not be able to access the management interface\r\nThis is also reminiscent of implications cited in our recent research paper on the control of currently connected IoT devices.\r\nBy analyzing the x86 sample of this botnet, we observed its attempts at exploiting vulnerable BIG-IP boxes as it sends a GET request to the victim's port 443/TCP (HTTPS):\r\nFigure 4. GET request for exploit of CVE-2020-5902\r\nGiven the severity of the flaw, a simple GET request with a “command” parameter to tmshCmd.jsp would be enough to remotely execute a command on an infected device if the ID path is correctly prepended to it.\r\nOther exploits abused\r\nWe also found, upon checking the variant further, that it tries to exploit recently disclosed and discovered vulnerabilities on randomly generated targets. Here is the full list of exploits used by this variant:\r\nTable 2. Other exploits used by other samples\r\nDevice | Vulnerability | CVE Identification\r\nApache Kylin 3.0.1 | Command Injection Vulnerability | CVE-2020-1956\r\nAruba ClearPass Policy Manager 6.7.0 | Unauthenticated Remote Command Execution | CVE-2020-7115\r\nBig-IP 15.0.0 \u003c 15.1.0.3 / 14.1.0 \u003c 14.1.2.5 / 13.1.0 \u003c 13.1.3.3 / 12.1.0 \u003c 12.1.5.1 / 11.6.1 \u003c 11.6.5.1 | TMUI Remote Code Execution | CVE-2020-5902\r\nComtrend VR-3033 | Command Injection | CVE-2020-10173\r\nHP LinuxKI 6.01 | Remote Command Injection | CVE-2020-7209\r\nTenda AC15 AC1900 | Remote Code Execution | CVE-2020-10987\r\nNexus Repository Manager 3 | Remote Code Execution | CVE-2020-10204\r\nNetlink GPON Router 1.0.11 | Remote Code Execution | N/A\r\nNetgear R7000 Router | Remote Code Execution | N/A\r\nSickbeard 0.1 | Remote Command Injection | N/A\r\nConclusion and security recommendations\r\nF5 Networks caters to a number of enterprises for networking devices, with BIG-IP as one of the most popular products in use by governments and companies, especially given the abrupt work-from-home arrangements today. The vulnerability affects a wide range of products and versions, including the most recently released ones close to the vulnerability’s disclosure date. With CVE-2020-5902 receiving a rating of 10 on the Common Vulnerability Scoring System (CVSS) v3.0 scale, the security gap itself is easy to abuse online and automate. Moreover, it does not require credentials or advanced coding skills to exploit.\r\nThat said, F5 has already published an informative and detailed mitigation procedure to deny requests containing a semicolon. In addition, while the default settings do not expose the management interface to the public, our Shodan scan showed approximately 7,000 exposed hosts online (considering only the ones listening on ports 443 and 8443). By “exposed” we mean “accessible from the Internet”, but not with certainty that the said hosts are vulnerable.\r\nRecognizing the severity of the security flaw, the Department of Defense’s Cyber Command issued a tweet three days after the disclosure, advising immediate remediation of the vulnerability. Given the vulnerability’s disclosure date and the number of days it took for an exploit to be at large (10 days), it appears that the malicious actors are paying close attention to the most recent disclosures and reports to come up with their own exploits. While some of these vulnerabilities were only discussed in blog posts and not announced with publicly available exploit code, these cybercriminals are aware of two things: first, manufacturers have yet to come up with the corresponding patches, and second, system administrators have yet to download and implement the released fixes in the equivalent duration.\r\nSystem administrators and security teams can protect IoT devices from these types of threats with some of these best practices:\r\nEnsure that IoT devices’ firmware runs on the latest versions by constantly monitoring manufacturers’ releases.\r\nUse a virtual private network (VPN) to prevent exposing any management interfaces directly to the internet.\r\nEmploy network segmentation to limit the spread of infections and customize the security settings of devices.\r\nEnsure that there is a network traffic monitoring and detection system with a good Web Application Firewall (WAF) in place. This is to track baseline and abnormal ranges of usage to protect management interfaces that are accessible online.\r\nInstall a multilayered protection system that can detect, block, and prevent threats such as brute-force attacks that abuse security flaws like these for entry.\r\nConnected devices can also be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro™ Home Network Security SDK solutions, which can check internet traffic between the router and all connected devices as well as help users assess for vulnerabilities.\r\nIndicators of Compromise (IOCs)\r\nPlease see the complete list of IoCs here.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/"
	],
	"report_names": [
		"mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b10f261116d5ac653ff9aa65cc1a54e59bdf5044.pdf",
		"text": "https://archive.orkl.eu/b10f261116d5ac653ff9aa65cc1a54e59bdf5044.txt",
		"img": "https://archive.orkl.eu/b10f261116d5ac653ff9aa65cc1a54e59bdf5044.jpg"
	}
}