A new variant of the Mirai malware has been observed over the past week targeting new sets of default credentials specific to ZyXEL devices, Qihoo 360 Netlab researchers warn.
Mirai became widely known about a year ago, when it started ensnaring insecure Internet of Things (IoT) devices into a botnet capable of launching massive distributed denial-of-service (DDoS) attacks. With its source code made public in early October 2016, Mirai had already infected devices in 164 countries by the end of that month.
To spread, Mirai scans the Internet for open ports associated with Telnet access on Internet-facing IoT products and attempts to connect to the discovered devices using a set of default username/password combinations.
In August this year, Akamai explained that Mirai is formed of smaller hives of related bots and command and control (C&C) servers, and parts of it can be used for different purposes. Thus, the botnet can be involved in multiple, simultaneous attacks, each orchestrated from a different C&C, likely by a different operator, and can also be rented to wannabe criminals.
“At least one botnet operator was offering access to the systems under its control for rent,” Akamai revealed.
Starting with last week, Netlab observed an increase in port 2323 and 23 scan traffic and “confidently” associated it with a new Mirai variant. The researchers also discovered that this new malware version is specifically searching for insecure ZyXEL devices.
According to the security researchers, the scanner was attempting to exploit two new default login credentials, namely admin/CentryL1nk and admin/QwestM0dem. The former, they explain, was first spotted less than a month ago in exploit-db, as part of an exploit targeting the ZyXEL PK5001Z modem.
What Netlab noticed was that the abuse of the two login credentials started on November 22 and reached its peak the next day, the same as the uptick on port 2323 and 23 scan traffic. Thus, they concluded that the two were related.
The security researchers also reveal that most of the scanner IPs appear to be located in Argentina, with nearly 100,000 unique scanners from that country observed over a period of nearly three days. This led them to conclude that the attack might have been focused on specific types of IoT devices widely deployed in Argentina.
Last year, the Mirai worm was involved in a similar attack where nearly 1 million of Deutsche Telekom’s fixed-line network customers experienced Internet disruptions.
Related: DDoS Threat Increases While Mirai Becomes ‘Pay-for-Play’
