FortiGuard Labs, the research arm of security firm Fortinet, has uncovered a significant evolution in the IZ1H9 Mirai-based DDoS campaign.
Observed in September and described in an advisory published on Monday, the campaign has rapidly updated its arsenal of exploits, incorporating 13 distinct payloads that target vulnerabilities across a range of Internet of Things (IoT) devices.
Exploitation peaked on September 6, when trigger counts reached the tens of thousands. This shows how quickly the campaign can infect vulnerable devices and grow its botnet by folding newly released exploit code for multiple CVEs into its toolkit.
The exploit payloads target vulnerabilities in D-Link, Netis, Sunhillo SureLine, Geutebruck, Yealink Device Management, Zyxel, TP-Link Archer, Korenix JetWave and TOTOLINK devices. Each payload is tailored to a specific vulnerability, ranging from command injection to remote code execution (RCE).
The injected payload fetches a shell-script downloader, “l.sh,” from a specific URL. The script deletes logs, downloads and executes bot clients built for a range of Linux architectures, and blocks network connections on multiple ports.
IZ1H9, a Mirai variant, infects Linux-based IoT devices and turns them into remote-controlled bots for large-scale network attacks. Its configuration is XOR-obfuscated; decoding it with the key reveals additional payload-downloader URLs together with a list of pre-set login credentials used for brute-force attacks.
The advisory also details the command-and-control (C2) traffic between compromised devices and the C2 server, including the attack commands that instruct bots to launch DDoS attacks with specific parameters.
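To make the configuration decoding concrete, here is an added example in Python; it is not code from Fortinet's advisory or from the IZ1H9 sample. It assumes the 32-bit table key 0xDEADBEEF from the original Mirai source (bot/table.c), since the key IZ1H9 actually uses is not stated here, and the obfuscated entries, their names and the download URL (a TEST-NET-2 documentation address) are constructed for the example. It goes beyond the text in one respect: because Mirai's four-byte key collapses to a single XOR byte, the last function shows how an analyst can recover that byte by brute force when a new variant's key is unknown.

```python
"""Decode Mirai-style XOR-obfuscated configuration strings.

Added example, not code from Fortinet's advisory or the IZ1H9 sample.
Assumptions: the 32-bit table key 0xDEADBEEF is the one in the original
Mirai source (bot/table.c); the key IZ1H9 actually uses is not given on
the page. The entries in SAMPLE_TABLE were constructed for this example
(the URL uses the TEST-NET-2 documentation range 198.51.100.0/24).
"""

MIRAI_TABLE_KEY = 0xDEADBEEF  # assumption: original Mirai key, not IZ1H9's


def effective_key_byte(table_key: int) -> int:
    """Mirai's toggle_obf() XORs every byte with k1, k2, k3, k4 (the four
    bytes of the 32-bit key) one after another. XOR is associative, so the
    four passes collapse into a single-byte XOR with k1^k2^k3^k4. For
    0xDEADBEEF that byte is 0x22, which is why Mirai-family strings are so
    easy to recover once a sample is in hand."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, table_key: int = MIRAI_TABLE_KEY) -> bytes:
    """XOR is its own inverse: the same call obfuscates and de-obfuscates."""
    k = effective_key_byte(table_key)
    return bytes(b ^ k for b in data)


# Constructed sample table, holding entries as they would sit in the bot's
# .rodata: each plaintext, including its trailing NUL, XORed with 0x22.
SAMPLE_TABLE = {
    "download_url": bytes.fromhex(
        "4a565652180d0d131b1a0c17130c1312120c150d4e0c514a22"),
    "busybox_path": bytes.fromhex("0d404b4c0d4057515b404d5a22"),
    "login_user": bytes.fromhex("504d4d5622"),
    "login_pass": bytes.fromhex("5a411117131322"),
    "login_user_alt": bytes.fromhex("43464f4b4c22"),
}


def decode_entry(obf: bytes, table_key: int = MIRAI_TABLE_KEY) -> str:
    """De-obfuscate one entry and drop the embedded NUL terminator."""
    plain = toggle_obf(obf, table_key)
    return plain.split(b"\x00", 1)[0].decode("ascii")


def decode_table(table: dict, table_key: int = MIRAI_TABLE_KEY) -> dict:
    """Decode every entry, giving the downloader URLs and credentials."""
    return {name: decode_entry(obf, table_key) for name, obf in table.items()}


# Bytes accepted as "looks like config text": printable ASCII, tab, LF, CR,
# and NUL (the terminator stored inside each entry).
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}
_MARKERS = (b"http://", b"/bin/busybox", b"root", b"admin")


def recover_single_byte_key(entries) -> int:
    """When the key is not known (a new variant, a repacked sample), try all
    256 single-byte keys against the concatenated entries and keep the one
    producing the most text-like output. Markers common to Mirai-family
    configs (download URLs, busybox paths, default logins) break ties."""
    blob = b"".join(entries)
    best_key, best_score = 0, -1.0
    for k in range(256):
        cand = bytes(b ^ k for b in blob)
        score = sum(1 for b in cand if b in _TEXT_BYTES) / len(blob)
        score += sum(1.0 for m in _MARKERS if m in cand)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


if __name__ == "__main__":
    print(f"effective key byte: 0x{effective_key_byte(MIRAI_TABLE_KEY):02x}")
    for name, value in decode_table(SAMPLE_TABLE).items():
        print(f"{name:15s} {value}")
    guessed = recover_single_byte_key(SAMPLE_TABLE.values())
    print(f"brute-forced key byte: 0x{guessed:02x}")
    # A recovered single byte can be passed straight back in as table_key,
    # since only its low byte matters after the collapse.
    print(decode_entry(SAMPLE_TABLE["download_url"], guessed))
```

The decoded strings are exactly the indicators a defender wants from a sample: the downloader URLs to block and the credential pairs to check against the organisation's own devices. The brute-force helper is the fallback when a variant changes the key; it only works because the four XOR passes reduce to one byte, so a family that moved to a real cipher would need different handling.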
Fortinet researcher Cara Lin said the research underscored the persistent threat posed by RCE attacks on IoT devices.
“Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands,” she wrote.
“What amplifies the impact of the IZ1H9 Campaign are the rapid updates to the vulnerabilities it exploits. Once an attacker gains control of a vulnerable device, they can incorporate these newly compromised devices into their botnet, enabling them to launch further attacks like DDoS attacks and brute-force,” Lin added.
To mitigate this threat, organizations are urged to apply patches promptly and to change the default login credentials on their devices.