A sophisticated Mirai-based botnet is leveraging zero-day exploits and custom vulnerabilities to compromise industrial routers and smart home devices. First observed in February 2024, this botnet has rapidly evolved, exploiting both n-day and zero-day flaws, including a critical vulnerability, CVE-2024-12856, in Four-Faith industrial routers.
Emerging Exploitation Activity
Researchers from Chainxin X Lab reported that exploitation of CVE-2024-12856 began in late December 2024, shortly after its discovery by VulnCheck. This vulnerability, combined with custom exploits for flaws in Neterbit routers and Vimar smart home devices, has expanded the botnet’s infection capabilities.
Botnet Profile
The botnet, whose name contains offensive language, is built on a Mirai-based framework and maintains an average of 15,000 active daily bot nodes across the following countries:
- China
- United States
- Russia
- Turkey
- Iran
Key Features:
- Attack Objectives: Primarily used for DDoS attacks targeting hundreds of entities daily. Activity peaked in October and November 2024.
- Propagation Mechanism: Combines public and private exploits for over 20 vulnerabilities to infect diverse devices.
- Brute Force Module: Targets devices with weak Telnet passwords.
- Custom Malware Attributes: Implements Mirai-like commands, uses custom UPX packing, and scans for additional vulnerabilities across networks.
Targeted countries
Source: X Lab