A variant of the Mirai botnet has been found to be exploiting a recently discovered security flaw affecting Four-Faith industrial routers since early November 2024 to launch distributed DDoS attacks.
The botnet maintains around 15,000 daily active IP addresses, with the infection mostly spread across China, Iran, Russia, Turkey and the US.
Using an arsenal of more than 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet was named “gameboy” due to the offensive term present in the source code.
QiAnXinXLab said he observed that the malware exploits a zero-day vulnerability in industrial routers manufactured by the Chinese company Four-Faith to deliver artifacts as early as November 9, 2024.
The vulnerability in question is CVE-2024-12856 (CVSS Score: 7.2), which refers to an operating system (OS) command implementation bug that affects router models F3x24 and F3x36 using immutable default credentials.
At the end of last month VulnCheck told Hacking news that the vulnerability has been used in the wild to drop reverse shells and a Mirai-like payload onto compromised devices.
Some of the other vulnerabilities used by the botnet to expand its reach and scale include CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017 – 5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.
Once launched, the malware attempts to hide its malicious processes and implements a Mirai-based command format to find vulnerable devices, self-update, and launch DDoS attacks against targets of interest.
DDoS attacks using the botnet target hundreds of different entities daily, with activity reaching a new peak in October and November 2024. Attacks lasting from 10 to 30 seconds generate traffic of about 100 Gbps.
The disclosure comes weeks after Juniper Networks warned that Session Smart Router (SSR) products with default passwords are being targeted by attackers for Mirai botnet malware removal. Akamai also discovered the Mirai malware infection, which is a weapon of the remote code execution flaw in DigiEver DVRs.
“DDoS has become one of the most widespread and destructive forms of cyberattacks,” XLab researchers said. “Its attack modes are diverse, attack paths are highly stealthy, and it can use ever-evolving strategies and techniques to deliver precision strikes across multiple industries and systems, posing a significant threat to businesses, government organizations, and individual users.”
Development is also taking place as the subjects of the threat the use of leverage susceptible and misconfigured PHP servers (eg CVE-2024-4577) to deploy a cryptocurrency miner called PacketCrypt.
