November 22, 2023 at 12:40PM
The ‘InfectedSlurs’ botnet is a new malware that exploits two zero-day vulnerabilities to infect routers and video recorder devices. It uses the hijacked devices to carry out distributed denial of service (DDoS) attacks for profit. The botnet was discovered by Akamai in late October 2023 and targets specific NVR and router manufacturers. The impacted vendors have not yet patched the vulnerabilities. Rebooting affected devices can temporarily disrupt the botnet.
Takeaways from the meeting notes:
1. A new Mirai-based malware botnet named ‘InfectedSlurs’ has been infecting routers and video recorder (NVR) devices using two zero-day remote code execution (RCE) vulnerabilities.
2. The botnet hijacks the infected devices to carry out distributed denial of service (DDoS) attacks, presumably for profit.
3. Akamai discovered ‘InfectedSlurs’ in late October 2023 on their honeypots, but the botnet’s activity dates back to late 2022.
4. The impacted vendors have yet to patch the exploited flaws, so specific details about the vulnerabilities have not been disclosed.
5. Akamai’s Security Intelligence Response Team (SIRT) identified the botnet by analyzing unusual activity on a rarely used TCP port targeting honeypots.
6. The botnet targets a specific NVR manufacturer and a popular wireless LAN router, exploiting separate zero-day RCE flaws in each.
7. The NVR manufacturer plans to release a security update in December 2023 to address the exploited flaw.
8. ‘InfectedSlurs’ is a variant of the JenX Mirai botnet and has offensive language in its command and control (C2) domains and hardcoded strings.
9. The botnet’s C2 infrastructure is relatively concentrated and appears to support hailBot operations.
10. Analysis of bot samples captured in October 2023 shows minimal code modifications compared to the original Mirai botnet, making ‘InfectedSlurs’ a self-propagating DDoS tool.
11. Like Mirai, ‘InfectedSlurs’ lacks a persistence mechanism. Rebooting the infected NVR and router devices can temporarily disrupt the botnet.