Backdoor.Linux.MIRAI.AS

This backdoor may spread to other devices by abusing a Remote Code Execution exploit in Huawei routers.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Download a file
• Performs various DDOS attacks
• Execute shell commands
• Uses default or easy-to-guess usernames and passwords to login to other devices

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• cnc.ar{BLOCKED}yz:4532
• scan.ar{BLOCKED}z:4532

Other Details

This Backdoor does the following:

• It may spread to other devices by taking advantage of CVE-2017-17215 which is another remote code execution for specific Huawei routers
• It uses the following credentials to try to login to other devices:
  
  • 123456
  • 888888
  • 20150602
  • 1q2w3e4r5
  • 2011vsta
  • 3ep5w2u
  • admintelecom
  • bcpb+serial#
  • default
  • e8ehome
  • e8telnet
  • fliruser
  • guest
  • huigu309
  • juniper123
  • klv1234
  • linux
  • maintainer
  • Maxitaxi01
  • super
  • support
  • taZz@01
  • taZz@23495859
  • telecomadmin
  • telnetadmin
  • tsgoingon
  • vstarcam2015
  • Zte521
  • ZXDSL
• It displays the strings below once executed in the command line:
  
  • CIA NIGGER
• It is capable of terminating processes which satisfies any of the following conditions:
  
  • uses any of the following ports:
  • 23
  • 8080
  • 81
  • 53413
  • memory of the process contains strings related to botnets