IoT.Linux.MIRAI.DLEU

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Performs various DDOS attacks

It connects to the following websites to send and receive information:

• {BLOCKED}.{BLOCKED}.125.169:45

Other Details

This Backdoor does the following:

• It uses the following credentials to try to login to other devices:
  • xc3511
  • root
  • xc3518
  • xc3515
  • 20150602
  • vstarcam2015
  • zte9x15
  • vertex25ektks123
  • te521
  • default
  • OxhlwS
  • antslq
  • guest
  • aquario
  • support
  • password
  • user
  • admin1234
  • 1111
  • 12345
  • ipcam_rt5350
  • ho4uku6at
  • kont2004
  • in1do
  • hunt5759
  • Oadmin123
  • 3ep5w2u
  • xmhdipc
  • klv123
  • 123456
  • jvbzd
  • ivdev
  • hi3518
  • cat1029
  • annie2012
  • annie2013
  • annie2014
  • annie2015
  • annie2016
  • 8182
  • vizxv
  • admin
  • linux
  • zlxx
  • calvin
  • fidel123
  • wpbo6
  • epicrouter
  • motorola
  • merlin
  • mg3500
• It displays the following string once executed in the command line:
  • Connected To CNC
• It may spread to other devices by taking advantage of the following vulnerabilities:
  • Huawei Router HG532 - Arbitrary Command Execution (CVE-2017-17215)
  • GPON Routers - Authentication Bypass / Command Injection (CVE-2018-10561)