Security Experts:

Connect with us

Hi, what are you looking for?



Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability

A new Internet of Things-targeting piece of malware based on Mirai’s publicly released source code has been observed at large, ensnaring devices into a botnet.

A new Internet of Things-targeting piece of malware based on Mirai’s publicly released source code has been observed at large, ensnaring devices into a botnet.

Dubbed Masuta, the botnet has at least two variants at large, and is believed to be the work of a well-known IoT threat actor, NewSky Security says. What’s also unique to the botnet is that it exploits an old router vulnerability, being the first threat known to weaponize it in a botnet campaign.

Masuta (Japanese for “master”) botnet’s source code was found on an invite only dark forum. The malware’s configuration file, the researchers discovered, uses a different seed of the cipher key compared to Mirai, having the strings in the configuration files XORed by 0x45.

Thus, the researchers discovered that it uses the domain nexusiotsolutions(dot)net, the command and control (C&C) server that Nexus Zeta, the individual involved in the recent Satori attacks, uses. The domain was registered using the [email protected](.)com email address.

Thus, NewSky Security suggests that Nexus Zeta has been involved in the creation of the Masuta botnet, in addition to building Satori, the Mirai variant that has been wreaking havoc over the past couple of months.

In fact, Masuta isn’t new either, and attacks involving it have been steadily increasing since September, and the botnet’s standard variant has been observed using several known/weak/default credentials to compromise IoT devices.

An evolved variant of Masuta, called PureMasuta, contains the most typical of Mirai style code, and a list of weak credentials to use. What makes this malware variant stand out, however, is its usage of EDB 38722 D-Link exploit.

The exploit PureMasuta uses resides in the HNAP (Home Network Administration Protocol), which is based on the SOAP protocol. It is possible to craft a SOAP query to bypass authentication by using hxxp://, and improper string handling can lead to arbitrary code execution, and an attacker can abuse this combination of issues to run code on targeted devices.

What the botnet does is to download a shell script from the C&C server and run it. Thus, the malware author first bypasses authentication and then executes code on the targeted devices.

The PureMasuta variant uses the same C&C server ( as the original Masuta variant, which led the researchers to believe it is the evolved creation of the same threat actor.

“Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project,” NewSky Security notes.

Thus, the TR-069 bug and EDB 38722 are the third and fourth SOAP related exploits abused by IoT botnets.

“Protocol exploits are more desirable for threat actors as they usually have a wider scope. A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices,” the researchers conclude.

Related: Mirai Variant Targets ARC CPU-Based Devices

Related: Botnet’s Huawei Router Exploit Code Now Public

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.