Mirai malware that turns networked devices into remotely controlled bots has relaunched itself as Mukashi malware and has been actively exploiting Zyxel network-attached storage (NAS) devices’ vulnerability reported under CVE-2020-9054. This remote code execution vulnerability, with a CVE rating of 9.8, was marked “Critical” and made public last month. As per the findings, Zyxel NAS devices with firmware versions 5.21 or less are vulnerable to Mukashi Malware.
How Mukashi Malware Works
This vulnerability was discovered as a zero-day exploit and was soon put up for sale by its handlers. Zyxel NAS devices authenticate username parameter using the weblogin.cgi CGI executable. However, if this parameter contains specific characters, then it may allow command injection due to the privileges Zyxel device web servers possess. A setuid utility that exists in Zyxel devices can be leveraged to compromise by sending a specially crafted HTTP POST or GET request. This vulnerability exploit can eventually lead to remote code execution with root privileges of the Zyxel NAS device.
Mukashi first monitors the TCP port 23 of random hosts and attempts brute force device login using default credentials. On successful login, the Mukashi malware displays a message, “Protecting your device from further infections” and attaches itself to the TCP port 23448 so that only a single instance of the intended program is running on the compromised system.
Researchers at Palo Alto networks found that Mukashi malware is also capable of launching DDoS attacks on the compromised system when it receives the respective command from its C2 server. They said, “Mirai’s and its variants’ DDoS attack mechanics (e.g UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities.”
Threat Summary |
|
| Name | Mukashi |
| Threat type | Malware, botnet, further capable of launching DDoS attacks |
| Default Passwords used for credential brute-force attack | t0talc0ntr0l4! and taZz@23495859 |
| C2 server | 45[.]84[.]196[.]75:4864 |
| C2 commands supported by Mukashi | PING, scanner, .udpplain, .tcp, .killallbots, killer, .udp, .udpbypass, .tcpbypass, .udprand, .udphex, .http |
| Affected Products | NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 |
| Firmware updates available for | NAS326, NAS520, NAS540, and NAS542 |
| Affected models with end-of-support | NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 |
| Recommended measures |
|
Indicators of Compromise (IOCs)
File (Sha256)
8c0c4d8d727bff5e03f6b2aae125d3e3607948d9dff578b18be0add2fff3411c (arm.bot)
5f918c2b5316c52cbb564269b116ce63935691ee6debe06ce1693ad29dbb5740 (arm5.bot)
8fa54788885679e4677296fca4fe4e949ca85783a057750c658543645fb8682f (arm6.bot)
90392af3fdc7af968cc6d054fc1a99c5156de5b1834d6432076c40d548283c22 (arm7.bot)
675f4af00520905e31ff96ecef2d4dc77166481f584da89a39a798ea18ae2144 (mips.bot)
46228151b547c905de9772211ce559592498e0c8894379f14adb1ef6c44f8933 (mpsl.bot)
753914aa3549e52af2627992731ca18e702f652391c161483f532173daeb0bbd (sh4.bot)
ce793ddec5410c5104d0ea23809a40dd222473e3d984a1e531e735aebf46c9dc (x86.bot)
a059e47b4c76b6bbd70ca4db6b454fd9aa19e5a0487c8032fe54fa707b0f926d (zi)
 devices.){kind=link}