Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet.
The ongoing activity “demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks,” Qualys security researcher Shilpesh Trivedi said in an analysis.
The campaign is known to be active since at least July 2024, with over 1,370 systems infected to date. A majority of the infections have been located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.
Evidence shows that the botnet leverages known security flaws such as CVE-2017-17215 and CVE-2024-7029 to gain initial access to the Internet of Things (IoT) devices and download the next stage payload by means of a shell script.
The script, for its part, fetches the botnet malware and executes it depending on the CPU architecture. The end goal of these attacks is to weaponize the botnet for carrying out distributed denial-of-service (DDoS) attacks.
The development comes weeks after a Mirai botnet variant named gayfemboy was found exploiting a recently disclosed security flaw impacting Four-Faith industrial routers since early November 2024. Back in mid-2024, Akamai also revealed that CVE-2024-7029 was abused by malicious actors to enlist AVTECH devices into a botnet.
Last week, details emerged about another large-scale DDoS attack campaign targeting major Japanese corporations and banks since the end of 2024 by making use of an IoT botnet formed by exploiting vulnerabilities and weak credentials. Some of the other targets are concentrated around the U.S., Bahrain, Poland, Spain, Israel, and Russia.
The DDoS activity has been found to single out telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services sectors. Over 55% of the compromised devices are located in India, followed by South Africa, Brazil, Bangladesh, and Kenya.
“The botnet comprises malware variants derived from Mirai and BASHLITE,” Trend Micro said. “The botnet’s commands include those that can incorporate various DDoS attack methods, update malware, and enable proxy services.”
The attacks involve infiltrating IoT devices to deploy a loader malware that fetches the actual payload, which then connects to a command-and-control (C2) server and awaits further instructions for DDoS attacks and other purposes.
To safeguard against such attacks, it’s advised to monitor suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts. It’s also recommended to apply firmware updates and change the default username and password.
