Backdoor.Linux.MIRAI.VWIQT

IoT malware uses two different encryption routines for its strings and modified the magic number of UPX.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Performs various DDOS attacks
• Kill its process
• Kill all performed various attacks.
• Kill specific process

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.143.98:259

Other Details

This Backdoor does the following:

• It uses the following credentials to try to login to busybox telnet and used security/ misconfiguration/ default password:
  • telecomadmin
  • nE7jA%5m
  • 1234
  • support
  • user
  • ho4uku6at
  • admin01
  • admin1234
  • 7ujMko0admin
  • telecom
  • password
  • nCwMnJVGag
  • changeme
  • 20080826
  • klv123
  • tsgoingon
  • 12345
  • vizxv
  • xc3511
  • 123456
  • default
  • zlxx.
  • guest
  • OxhlwSG8
  • S2fGqNFs
  • tlJwpbo6
  • solokey
  • admintelecom
  • 1111
  • bin
  • 0000
  • pass
  • meinsm
  • 54321
  • smcadmin
  • 4321
  • ZmqVfoSIP
  • klv1234Tikwb
  • dreambox
  • 7ujMko0vizxv
  • hi3518
  • welc0me
  • root123
  • jvbzd
  • realtek
  • xmhdipc
  • 1001chin
  • GM8182
  • hunt5759
  • telnet
  • admin
  • huigu309
  • root
  • ALC#FGU
  • videoflow
  • Admin
  • CRAFTSPERSON
• It may spread to other devices by taking advantage of the following vulnerabilities:
  • CVE-2017-17215