Mirai_ptea_Rimasuta, an old and unpopular Mirai version, has reappeared, exploiting a zero-day vulnerability in RUIJIE router devices.
What Transpired?
The Mirai_ptea botnet was first discovered in June, exploiting an undisclosed vulnerability in KGUARD DVR devices. At the time, researchers did not regard it as a significant concern.
- The newly exposed Ruijie router vulnerability is a command injection flaw in the Ruijie NBR700 series routers.
- According to the research, a substantial number of online gadgets are vulnerable to this flaw.
- NBR1600GDX9, RGNBR700GDX5, and other device variants have been identified.
How does it work?
- During exploitation, a payload with a URL and various empty variables is employed, most likely to mislead security teams. When these variables are removed, it becomes a malicious function capable of downloading and running the malware sample.
- Mirai_ptea_Rimasuta’s operators have modified its encryption method and C2 communication protocol; it uses the TEA algorithm and also encrypts other sensitive resource information, such as the Tor proxy configuration.
- It communicates in three steps: first, it connects to the proxy node, then Tor C2, and finally, it communicates with C2 through ptea’s unique protocol to accept orders.
Analyzing further –
In their detailed report, researchers divided the analysis into several stages/components to make it easier to follow.
- TEA key: The Mirai_ptea_rimasuta sample includes two Tiny Encryption Algorithm (TEA) keys, one for encrypting and decrypting sensitive resources and the other for encrypting and decrypting network data.
- Sandbox detection: The version checks for the presence of a large number of sandboxes or simulators and only infects when its path and filename requirements are met.
- C2 variant: Mirai_ptea_rimasuta contains some particular code to connect to the Tor C2, revealing that this malware employs approximately six C2s.
- Network protocol modification: It encrypts network traffic using a hard-coded key set known as Net_teakey; the key actually used is then generated dynamically through negotiation with the C2.
- It monitors the infected device’s TCP network connections to gather information. The connection information that matches specific requirements is then uploaded to the Reporter (through data mining).
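To illustrate the two-key TEA scheme described above (one key for embedded resource strings, a separate one for network data), here is standard TEA in Python; this is an added example, not code from the report or from the malware sample. The keys, the sample resource string, the little-endian word order and the zero padding are constructed assumptions, and the real sample may use a modified TEA variant.

```python
import struct

DELTA = 0x9E3779B9          # standard TEA round constant
MASK = 0xFFFFFFFF
ROUNDS = 32                 # standard TEA: 32 cycles (64 Feistel rounds)

# Constructed 128-bit keys, standing in for the two keys the report
# describes: one for resource strings, one for network traffic.
RES_KEY = b"resource-key-16b"
NET_KEY = b"network-key-16by"

def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block given key words k[0..3]."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: run the rounds backwards."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB-style TEA over 8-byte blocks; zero-pads to a block multiple (assumed)."""
    k = struct.unpack("<4I", key)                 # assumed little-endian key words
    data += b"\x00" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)

def tea_decrypt(blob: bytes, key: bytes) -> bytes:
    """Decrypt and strip the zero padding (genuine trailing NULs would be lost)."""
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(blob), 8):
        v0, v1 = struct.unpack("<2I", blob[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out).rstrip(b"\x00")

# Constructed resource string an analyst might recover from a config blob.
SAMPLE_RESOURCE = b"socks5://proxy.example.invalid:9050"
```

An analyst who recovers the resource key from a sample can apply `tea_decrypt` to each embedded blob; decrypting with the wrong key (here, the network key) yields only garbage, which is the point of keeping the two keys separate.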
Mirai_ptea_rimasuta’s new zero-day attack capability suggests that the malware’s operators may have grander intentions for the future. Users of Ruijie routers should verify and update the system firmware regularly and use a strong password for the administration interface.
To read more, please check eScan Blog