📃Title: Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai
📅Date: 2025-01-22
🔗References:
- https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai
- https://en.fofa.info/result?qbase64=Ym9keT0ibXVyZG9jX2JvdG5ldCIgJiYgY291bnRyeT0iTVki
Description
The Qualys Threat Research Unit has uncovered a large-scale operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities in AVTECH cameras and Huawei HG532 routers, demonstrating enhanced capabilities to compromise devices and build large botnet networks. The campaign, which began in July 2024, uses ELF files and shell script execution to deploy the botnet sample. Over 1300 IPs were found active, with 100+ distinct sets of servers distributing the malware. The botnet targets vulnerable devices using existing exploits such as CVE-2024-7029 and CVE-2017-17215. Affected countries include Malaysia, Thailand, Mexico, and Indonesia. The malware uses shell scripts to fetch, execute, and remove payloads on compromised devices.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Qualys
- target-information="Malaysia"
- target-information="Thailand"
- target-information="Mexico"
- target-information="Indonesia"
- botnet="Mirai"
- mitre-attack-pattern=['T1003', 'T1133', 'T1082', 'T1071', 'T1190', 'T1059', 'T1210', 'T1566', 'T1078', 'T1571', 'T1027', 'T1573', 'T1498', 'T1046', 'T1105']
MISP event uuid: 751a8f48-fcb7-4f39-9ca1-6e78b550b15c
Indicator of Compromise (IoCs)
Full IOCs available in Rectifyq's MISP