Mirai_ptea_Rimasuta, an older and little-known Mirai variant, has resurfaced, this time exploiting a zero-day vulnerability in Ruijie routers.
The Mirai_ptea botnet was first spotted in June, abusing a previously undisclosed vulnerability in KGUARD DVRs. At the time, security researchers did not consider it a significant threat.
The newly exploited flaw is a command injection vulnerability in Ruijie's NBR700 series routers.
According to the researchers, the vulnerability affects a large number of internet-exposed devices.
Identified affected models include the NBR1600GDX9 and RGNBR700GDX5, among others.
During exploitation, the injected payload consists of a download URL padded with a number of empty variables, most likely to obscure the command from security teams. Once the empty variables are stripped out, what remains is a command that downloads and executes the malware sample.
The threat actors behind Mirai_ptea_Rimasuta have updated its encryption and its C2 communication protocol: it now uses the TEA algorithm and also encrypts other sensitive resource strings, such as the Tor proxy address.
Communication proceeds in three steps: the bot first connects to a proxy node, then reaches the Tor-hosted C2 through it, and finally exchanges commands with the C2 using ptea's custom protocol.
To make the analysis easier to follow, the researchers broke the sample down into several stages and components in their detailed write-up.
TEA key: The Mirai_ptea_Rimasuta sample carries two sets of Tiny Encryption Algorithm (TEA) keys, one for encrypting and decrypting sensitive resources and the other for encrypting and decrypting network traffic.
Sandbox detection: The variant checks for a large number of sandboxes and emulators, and only proceeds with infection when its requirements on the executable's path and filename are met.
C2 variant: Mirai_ptea_Rimasuta uses dedicated code to connect to the Tor C2; the researchers' analysis of it shows roughly six C2s in use.
Change in network protocol: Network traffic is now encrypted with TEA. The sample carries a hard-coded key set, which the researchers call the Net teakey, and the key used for a given session is then established dynamically through negotiation with the C2.
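The two paragraphs above ("TEA key" and "Change in network protocol") both turn on TEA being used with separate key sets for embedded resources and for traffic. The following is an added example written for this page, not code from the sample or from the researchers' write-up: a plain TEA implementation with two constructed keys, showing how a dumped resource blob yields readable text only under the matching key. The key values, the "socks5://..." string standing in for a Tor proxy address, and the ECB-with-zero-padding framing are all assumptions made for the example; the write-up does not describe the sample's mode or padding.

```python
"""TEA round-trip with two independent key sets, illustrating the split the
researchers describe: one key set for embedded resources (e.g. the Tor proxy
string), another for network traffic. All key and string values below are
constructed for this example; they are not taken from the sample."""
import struct

DELTA = 0x9E3779B9          # TEA's key-schedule constant (derived from the golden ratio)
MASK32 = 0xFFFFFFFF
ROUNDS = 32                 # standard TEA: 32 cycles (64 Feistel rounds)

# Constructed keys, NOT the sample's real keys.
RESOURCE_KEY = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
NET_KEY = (0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC, 0xDDDDDDDD)


def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block, given as two 32-bit words, with a 4-word key."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: the same rounds, run backwards."""
    k0, k1, k2, k3 = key
    total = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def tea_encrypt(data, key):
    """ECB over 8-byte little-endian blocks with zero padding. Mode and padding
    are an assumption for this example, not the sample's documented framing."""
    data = data + b"\x00" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def tea_decrypt(data, key):
    """Inverse of tea_encrypt; strips the zero padding."""
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, key))
    return bytes(out).rstrip(b"\x00")


def recover_resource(blob, key):
    """What an analyst does with a dumped resource blob: try a key and see
    whether ASCII text comes out. Returns None when the result is not ASCII."""
    plain = tea_decrypt(blob, key)
    try:
        return plain.decode("ascii")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    proxy = b"socks5://127.0.0.1:9050"    # constructed stand-in for the Tor proxy string
    blob = tea_encrypt(proxy, RESOURCE_KEY)
    print("encrypted resource:", blob.hex())
    print("with resource key :", recover_resource(blob, RESOURCE_KEY))
    print("with net key      :", recover_resource(blob, NET_KEY))
```

The practical point for an analyst pulling strings out of a sample like this is that TEA's 128-bit key is four 32-bit words that usually sit next to each other in the binary, so finding the DELTA constant in the round loop leads to the key loads, and the two key sets must be matched to the right data: the resource key will not make sense of traffic captures, and vice versa.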
Information gathering function: The bot monitors the infected device's TCP connections. Connection details that match certain criteria are then uploaded to a collection component the researchers call the Reporter.
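The write-up says the bot enumerates TCP connections and reports those matching certain criteria, but not how it enumerates them or what the criteria are. The following is an added example, not the sample's code: it shows how an on-device agent on a Linux router would typically get at that information, by parsing /proc/net/tcp, and applies one plausible filter (established sessions to non-loopback peers on a small set of remote ports). The use of /proc/net/tcp, the port list and the sample table are all assumptions constructed for this illustration.

```python
"""Enumerate a Linux host's TCP connections the way an on-device agent would:
by parsing /proc/net/tcp. The write-up says the bot watches TCP connections
and reports those matching certain criteria; it does not say how, so the use
of /proc/net/tcp and the selection criteria below are assumptions for this
example. The sample table is constructed, not captured from an infected device."""
import socket
import struct

TCP_ESTABLISHED = 0x01   # state codes as in the kernel's include/net/tcp_states.h

# Assumed selection criteria: established sessions to non-loopback peers on
# these remote ports. Purely illustrative.
PORTS_OF_INTEREST = {23, 80, 443, 8080}

# Constructed /proc/net/tcp content (header + five rows). Addresses are in
# RFC 5737 / RFC 1918 ranges; row 0 is a listener, row 1 is loopback,
# row 4 is TIME_WAIT.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8CA6 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 6401A8C0:B2F0 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
   3: 6401A8C0:C350 0A0A0A0A:0017 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
   4: 6401A8C0:A1B2 0A7100CB:1F90 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000
"""


def decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4
    address as a host-order 32-bit integer, so this decoding assumes a
    little-endian host; a big-endian MIPS router prints it in network order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per connection row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return rows


def select_reportable(rows, ports=PORTS_OF_INTEREST):
    """Apply the (assumed) criteria and return (remote_ip, remote_port) pairs."""
    picked = []
    for row in rows:
        rip, rport = row["remote"]
        if row["state"] != TCP_ESTABLISHED:
            continue
        if rip.startswith("127."):
            continue
        if rport not in ports:
            continue
        picked.append((rip, rport))
    return picked


if __name__ == "__main__":
    for ip, port in select_reportable(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"would report {ip}:{port}")
```

The same parser is useful on the defensive side: running it against a router's real /proc/net/tcp (or `ss -tn` where available) gives a baseline of expected peers, against which an unexpected long-lived connection to a proxy node stands out.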
Mirai_ptea_Rimasuta's new zero-day attack capability indicates that the malware's creators may have grander aspirations. Users of Ruijie routers should check for and apply firmware updates regularly, set a strong password on the management interface, and avoid exposing that interface directly to the internet.