Mirai Variant V3G4 Detection: New Botnet Version Exploiting 13 Vulnerabilities to Target Linux Servers, IoT Devices

Mirai V3G4 Variant Detection

Threat actors are constantly enriching their offensive toolkits while experimenting with new sophisticated malware variants to expand the scope of attacks. Cyber defenders have observed a new Mirai botnet variant called V3G4 come into the spotlight in the cyber threat landscape. The novel malware variant has been leveraged in multiple adversary campaigns threatening targeted users for over half a year since July 2022. By exploiting certain vulnerabilities in a set of IoT devices, Mirai V3G4 Variant can lead to remote code execution (RCE) and denial-of-service (DDoS) attacks. 

Detecting V3G4 Mirai Variant

Given the increasing volumes and sophistication of the attacks leveraging novel V3G4 Mirai variant, security performers require a reliable source of the detection content to identify the associated malicious activity and proactively defend the organizational infrastructure. 

SOC Prime´s Detection as Code platform offers a dedicated Sigma rule by our keen Threat Bounty developer Wirapong Petshagun detecting Mitel AWC remote command execution exploitation patterns in webserver logs related to the latest V3G4 activity:

Mitel AWS Remote Command Execution Exploitation Used by Mirai Variant Called V3G4 (via webserver)

The detection is aligned with the MITRE ATT&CK framework v12, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) applied as its primary technique. The Sigma rule can be automatically translated into 16 SIEM, EDR, and XDR solutions shaving seconds off cross-platform threat detection.

Eager to join the ranks of cyber defenders? Join our Threat Bounty Program to monetize your exclusive detection content while coding your future CV and honing detection engineering skills. Published to the world’s largest threat detection marketplace and explored by over 8,000 organizations globally, your Sigma rules can help detect emerging threats and make the world a safer place while granting recurring financial profits.

To explore the whole batch of Sigma rules detecting malicious activity associated with Mirai malware, press the Explore Detections button. The rules are accompanied by extensive metadata, including corresponding CTI links, ATT&CK references, and threat hunting ideas. 

Explore Detections

Mirai Variant V3G4 Description

The infamous Mirai malware has been a pain in the neck for cyber defenders, continuously upgraded and enriched with new offensive capabilities. In September, threat actors behind Mirai botnet released its tricky iteration known as MooBot, affecting D-Link devices and leveraging a wide range of exploitation techniques.

The novel Mirai botnet variant dubbed V3G4 has been noticed in the cyber threat arena since mid-summer 2022, targeting Linux-based servers and networking devices. According to the According to the research by Palo Alto Networks Unit 42,, the novel malware version samples observed in three adversary campaigns are highly likely to be attributed to one hacking collective based on the hardcoded C2 domains containing the identical string, the use of the same XOR decryption key and shell script downloaders, as well as other offensive capabilities with similar patterns. 

In the ongoing attacks, Mirai botnet is targeting 13 unpatched vulnerabilities in IoT devices, attempting to cause RCE and giving adversaries the green light to potential DDoS attacks. Exploits target RCE, command injection, and Object-Graph Navigation Language (OGNL) injection vulnerabilities in a wide range of IoT devices, including FreePBX Elastix, Gitorious, FRITZ!Box webcams, Webmin, Spree Commerce, Atlassian Confluence, and other popular products. 

Notably, unlike other Mirai versions, the novel V3G4 variant applies a unique XOR key for string encryption for each use case. Before connecting to the C2 server, V3G4 initializes DDoS attack functions, all set for attempting DDoS attacks once the connection is ready.

Mirai Variant V3G4 can have a harsh security impact on affected systems after successful vulnerability exploitation, leading to RCE and further attacks, which requires ultra-responsiveness from cyber defenders. 

Reach 800+ Sigma rules to proactively detect exploitation attempts of current and emerging CVEs and always stay one step ahead of adversaries. Get 140+ Sigma rules for free or gain from relevant Premium detections of your choice with On Demand at https://my.socprime.com/pricing/.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts