Backdoor.Linux.MIRAI.AR

This backdoor may arrive in the affected system via ThinkPHP Remote Code Execution exploit.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Download a file
• Performs various DDOS attacks
• Execute shell commands
• Uses default or easy-to-guess usernames and passwords to login to other devices

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• lolis{BLOCKED}er.com:42352

Other Details

This Backdoor does the following:

• It uses the following credentials to try to login to other devices:
  
  • 1001chin
  • adm
  • admin123
  • admintelecom
  • aquario
  • default
  • e8ehome
  • e8telnet
  • GM8182
  • gpon
  • oh
  • root
  • support
  • taZz@23495859
  • telecomadmin
  • telnetadmin
  • tsgoingon
  • ttnet
  • vizxv
  • zte
• It displays the strings below once executed in the command line:
  
  • your device just got infected to a bootnoot
• It is capable of terminating processes which satisfies any of the following conditions:
  
  • uses any of the following ports:
  • 23
  • 8080
  • 81
  • 53413
  • memory of the process contains strings related to botnets