
Mirai Offspring “Echobot” Uses 26 Different Exploits

A recently discovered variant of the Mirai Internet of Things (IoT) malware uses a total of 26 different exploits for the infection phase, Akamai reports. 


Targeting improperly secured IoT devices, Mirai was first spotted in 2016 and had its source code published online in October that year. Numerous variants of the threat have emerged since, with the most recent of them targeting more processor architectures and aiming to infect devices in enterprise environments.

Dubbed Echobot, the latest variant of the botnet was observed earlier this month, when it included 18 exploits, 8 of which were new to the Mirai code. The threat was also targeting a recently patched Oracle WebLogic remote code execution vulnerability (CVE-2019-2725).

Now, Akamai’s Larry Cashdollar says that a newer version of Echobot uses 26 different exploits for infection, most of which target well-known command execution vulnerabilities in various networked devices. No CVE numbers were assigned for some of the flaws, although public advisories for them had been published. 

The exploits targeted devices from ADM, Ubiquiti (AirOS), ASMAX, ASUS, Belkin, Blackbot, DD-WRT, Dell, D-Link, Dreambox, Geutebruck, Hootoo, Linksys, Netgear, Nuuo, Oracle, Realtek, Seowonintech, SuperSign, Umotion, VeraLite, VMware, wePresent, WIFICAM, Yealink, and ZeroShell.

Analysis of the malicious code revealed the inclusion of cross-application vulnerabilities, as botnet creators are no longer relying solely on devices with embedded OSes, such as routers, cameras, and DVRs. 

Vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) are also exploited to infect systems and propagate the malware. At the same time, the botnet developers are targeting unpatched legacy vulnerabilities, given the inclusion of an exploit for a 10-year-old flaw in ZeroShell.


The malware’s loader system is a virtual server hosted in Bulgaria on Neterra’s cloud network. The binaries, which are hosted via FTP and HTTP, were recently updated and feature file timestamps of June 7. 

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten,” Cashdollar points out. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
