Backdoor.Linux.MIRAI.VWIQG

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It connects to certain websites to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Performs various DDOS attacks

Other Details

This Backdoor connects to the following website to send and receive information:

• {BLOCKED}otsolutions.pw
• {BLOCKED}a.pw
• {BLOCKED}.{BLOCKED}.195.251:777

It does the following:

• It uses the following credentials to try to login to other devices:
  • root
  • Admin
  • 1234
  • xc3511
  • vizxv
  • 5up
  • default
  • 12345
  • Zte521
  • hi3518
  • guest
  • support
  • telnetadmin
  • huigu309
  • blueangel
  • abnareum10
  • Admin@tbroad
  • superuser
  • 9999
  • camera
  • ikwd
  • 123456
  • wbox123
  • pfsense
  • aerohive
  • hadoop
  • hadoop@123
  • hadoopuser
  • awind5885
  • connect
  • firetide
  • mysweex
  • hame
  • hsparouter
  • aaaaaa
  • netscreen
  • comcast
  • 211cmw91765
  • cable
  • arrowpoint
  • airlive
  • public
  • sky
  • urchin
  • advcomm500349
  • AdvWebadmin
  • readwrite
  • readonly
  • status
  • skyboxview
  • rainbow
  • bagabu
  • allot
  • gonzo
  • extendnet
  • publish
  • tooridu
  • trendimsa1.0
• It may spread to other devices by taking advantage of the following vulnerabilities:
  • Realtek SDK - Miniigd UPnP SOAP Command Execution (Metasploit)
  • Asus RT56U 3.0.0.4.360 - Remote Command Injection
  • Zeroshell 3.6.0/3.7.0 Net Services - Remote Code Execution
  • Seowonintech Devices - Remote Command Execution
  • Yealink VoIP Phone SIP-T38G - Remote Command Execution
  • D-Link - OS-Command Injection via UPnP Interface
  • Linksys WAG54G2 - Web Management Console Arbitrary Command Execution
  • Ubiquity Nanostation5 (Air OS) - Remote Command Execution
  • Linksys WAG54G2 - Web Management Console Arbitrary Command Execution
  • Wireless IP Camera (P2P) WIFICAM - Remote Code Execution
  • Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)
  • VMware NSX SD-WAN Edge < 3.1.2 - Command Injection
  • ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
  • OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution
  • WePresent WiPG-1000 - Command Injection (Metasploit)
  • LG SuperSign EZ CMS 2.5 - Remote Code Execution
  • Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
  • NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution
  • Hootoo HT-05 - Remote Code Execution (Metasploit)
  • ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution
  • Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution
  • Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
  • MiCasaVerde VeraLite - Remote Code Execution
  • Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection
  • Belkin Wemo UPnP - Remote Code Execution (Metasploit)