Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
Summary:
A Mirai botnet variant has been observed exploiting a newly disclosed security flaw in Four-Faith industrial routers since early November 2024 with the intention of conducting DDoS attacks. This botnet variant has been tracked by XLab since February 2024 and, unlike most Mirai variants, has survived for months and continues to exploit 0-day and N-day vulnerabilities to expand its infection scale. In early November 2024, the variant evolved further by leveraging a 0-day vulnerability in Four-Faith industrial routers and unknown vulnerabilities in Neterbit routers and Vimar smart home devices to spread its payloads. XLab's findings revealed that this Mirai variant operates with over 40 grouping categories and has more than 15,000 daily active nodes. When the botnet detected XLab's registration of its domains, it automatically responded with a DDoS attack. It delivers its samples using more than 20 vulnerabilities and Telnet weak credentials; these vulnerabilities are listed in The Hacker News article. The primary infections are distributed across regions including China, the United States, Iran, Russia, and Turkey. The main attack targets are concentrated in regions such as China, the United States, Germany, the United Kingdom, and Singapore. When the malware is executed, it attempts to hide its malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.
Security Officer Comments:
This review of the Mirai botnet variant highlights its transformation from a potentially short-lived Mirai variant into a large-scale botnet armed with an arsenal of 0-day exploitation capabilities. The botnet has launched intermittent attacks from February 2024 to the present, with the highest frequency reaching 200 attacks a day during October and November of the previous year. To increase analysis difficulty and protect the program, botnet developers often encrypt strings. However, the developer behind this botnet appears to have neglected string protection: all strings are in plaintext. DDoS attacks are highly reusable and a very cost-effective method of cyberattack. The ability to conduct large-scale attacks using botnets and malicious tools has made DDoS one of the most utilized and destructive forms of cyberattack. Organizations and individuals should implement comprehensive defense strategies to mitigate the risks of DDoS attacks and enhance their overall security posture.
Suggested Corrections:
IOCs are available in the linked reports.
DDoS attacks pose a significant challenge for defenders because it is difficult to distinguish legitimate packets from malicious ones. Typically, DDoS attacks exploit either bandwidth or application vulnerabilities.
There are several methods to counter DDoS attacks. These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
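The Security Officer Comments above note that this variant leaves all of its strings in plaintext, which makes static triage of a captured sample unusually easy. The following Python helper is an added example written for this digest (not XLab's tooling or code from the reports): it extracts printable strings from a constructed stand-in for a sample and buckets them into the categories an analyst pivots on first. The embedded domain, address and paths are placeholders, not indicators from the reports.

```python
import re
import string

# Constructed stand-in for a stripped ELF sample whose strings were left
# unencrypted. Every embedded value is a placeholder, not a real IOC.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/bin/busybox\x00"
    + b"\x90\x12\xab"
    + b"c2.example.invalid\x00"
    + b"\x00\x00\x00\x00" * 3
    + b"198.51.100.7:23\x00"
    + b"GET /cgi-bin/%s HTTP/1.1\x00"
    + b"\xff\xfe\xfd"
    + b"ab\x00"   # shorter than the minimum run length, must be ignored
)

# Printable ASCII minus control-type whitespace (keep the space character).
PRINTABLE = set(string.printable.encode()) - {0x09, 0x0a, 0x0b, 0x0c, 0x0d}

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long (like `strings`)."""
    out, run = [], bytearray()
    for b in blob + b"\x00":          # trailing sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

IPV4_PORT = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def triage(blob: bytes) -> dict[str, list[str]]:
    """Bucket plaintext strings into network indicators, file paths, HTTP requests and the rest."""
    found = {"network": [], "paths": [], "http": [], "other": []}
    for s in extract_strings(blob):
        if IPV4_PORT.match(s) or DOMAIN.match(s):
            found["network"].append(s)     # candidate C2 / scan targets to block and hunt
        elif s.startswith("/"):
            found["paths"].append(s)       # binaries or files the sample touches
        elif s.startswith(("GET ", "POST ")):
            found["http"].append(s)        # request templates usable for IDS signatures
        else:
            found["other"].append(s)
    return found
```

With real samples, feed the output of `extract_strings` into a blocklist or YARA rule rather than reading it by hand; the point is that no decryption step stands between the sample and its indicators.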
Link(s):
https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html
https://blog.xlab.qianxin.com/gayfemboy-en/