Security analysts have discovered a new, dangerous botnet based on Mirai that is being used in a worldwide attack campaign. It is called Masuta and has already impacted a large number of devices; at the moment an experienced hacker is believed to be behind its operations.
The Masuta Botnet Is a Worthy Heir to Mirai
A new worldwide Internet threat has been detected in a large-scale attack campaign. The newest computer virus to make security administrators review their devices is called the Masuta botnet, and it is built upon the foundations of Mirai. Its name means “master” in Japanese, and its source code was found on one of the underground hacker forums. The experts were able to access its configuration file and some of the important components of the malware engine. Thorough analysis reveals that it uses a modified version of the Mirai code in which the cipher used to initiate the attacks has been altered.
The experts identified a domain called Nexus IoT Solutions that is used as the primary command and control (C&C) server in some of the attacks. It is registered using an email address hosted on Gmail. The experts propose that Masuta may be operated by Nexus Zeta, the actor also responsible for the Satori botnet. The reports indicate that while Masuta isn’t an entirely new threat, having been based on older code, its attacks are steadily increasing and can have terrible consequences for the victims. Like its predecessor, it attempts to compromise the IoT devices it discovers by trying default or weak credentials.
Masuta BotNet Tactics: The IoT Menace
The Masuta botnet is effective against IoT devices of all types. At the moment the experts have identified two variants:
- Masuta Botnet — It uses the same techniques as Mirai, attempting to overcome the security of the target IoT devices with a built-in list of common passwords and default credentials.
- PureMasuta — An enhanced version that features a built-in exploit (EDB 38722) against D-Link devices.
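The credential-guessing behaviour of the first variant leaves a characteristic trace on the targeted device: a burst of failed logins from one source, each trying a different factory username, within a few seconds. The following detector is an added example and not code from the article or from any of the researchers it cites; it runs over constructed syslog-style telnet/SSH lines (real telnetd and sshd formats differ, so the regular expression is an assumption to adapt) and raises an alert when a source reaches a failure threshold inside a time window, plus a second alert if a login from that source then succeeds, which is the sign that a default credential worked.

```python
"""Flag default-credential scanning against IoT devices from authentication logs.

Added example (not from the original article): Mirai-style bots try a short
built-in list of factory credentials against every host they reach, which
appears on the target as a burst of failed logins from one source address.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real device output). One line per login attempt:
# "<iso-time> <host> <service>: login <failed|ok> for '<user>' from <ip>"
SAMPLE_LOG = """\
2018-01-22T10:00:01 cam01 telnetd: login failed for 'root' from 198.51.100.7
2018-01-22T10:00:02 cam01 telnetd: login failed for 'admin' from 198.51.100.7
2018-01-22T10:00:02 cam01 telnetd: login failed for 'support' from 198.51.100.7
2018-01-22T10:00:03 cam01 telnetd: login failed for 'user' from 198.51.100.7
2018-01-22T10:00:04 cam01 telnetd: login failed for 'guest' from 198.51.100.7
2018-01-22T10:00:05 cam01 telnetd: login ok for 'root' from 198.51.100.7
2018-01-22T10:00:30 cam01 sshd: login failed for 'alice' from 192.0.2.10
2018-01-22T10:05:30 cam01 sshd: login failed for 'alice' from 192.0.2.10
2018-01-22T10:05:31 cam01 sshd: login ok for 'alice' from 192.0.2.10
"""

# Assumed line format for this example; adjust to the device's real syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): login (?P<result>failed|ok) "
    r"for '(?P<user>[^']*)' from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)


def parse(log_text):
    """Yield one dict per parsable line, with the timestamp as a datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def detect_credential_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alerts.

    A 'burst' alert is raised once per source IP that accumulates `threshold`
    failed logins (any username) within `window`. A 'success_after_burst' alert
    follows if a login from that source then succeeds, i.e. a guessed
    credential was accepted.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for ev in parse(log_text):
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        if ev["result"] == "failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop stale failures
                recent.popleft()
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "kind": "burst",
                               "failures": len(recent), "at": ts})
        elif ip in alerted:
            alerts.append({"ip": ip, "kind": "success_after_burst",
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_bursts(SAMPLE_LOG):
        print(alert)
```

In the sample, 198.51.100.7 fails five times in four seconds and then logs in as `root`, producing both alerts; 192.0.2.10 fails twice five minutes apart, which falls outside the window and is ignored. The threshold and window are tuning knobs: a camera that normally sees no remote logins can use much stricter values than a jump host.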
The exploit contained in PureMasuta relies on a vulnerability in the HNAP (Home Network Administration Protocol). Using the contained code it can craft a special query message that bypasses the authentication mechanism. As a result the criminals can run arbitrary code on the target devices.
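The defensive counterpart to a crafted-request bypass is strict validation of what the management endpoint will accept at all. The policy check below is an added example, not code from the article, from D-Link or from the researchers: it models an HTTP front end in front of a router's HNAP handler that only admits requests from LAN-side addresses, requires the exactly quoted HNAP action URI in the SOAPAction header, and allows a small fixed set of operation names. The allowlist of operations and the LAN ranges are assumptions for the example; each device model has its own.

```python
"""Allowlist check for HNAP management requests at a router's HTTP front end.

Added example (not from the article or the device vendor). HNAP operations are
SOAP POSTs to /HNAP1/ whose SOAPAction header names the operation as a quoted
URI. Refusing anything that is not exactly well-formed, and refusing the
endpoint to WAN clients entirely, keeps crafted messages away from the
device's own authentication code.
"""
import ipaddress
import re

HNAP_PATH = "/HNAP1/"
# The only shape a SOAPAction header may have: quoted HNAP URI, alphabetic
# operation name, nothing before or after.
SOAP_ACTION_RE = re.compile(r'^"http://purenetworks\.com/HNAP1/([A-Za-z]+)"$')
# Assumed minimal allowlist of operations exposed before authentication.
ALLOWED_ACTIONS = {"GetDeviceSettings", "Login"}
# Assumed LAN-side ranges (RFC 1918); the management plane is never reachable from WAN.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("172.16.0.0/12")]


def check_hnap_request(src_ip, method, path, headers):
    """Return (allowed, reason). `headers` is a dict with lowercase header names."""
    if path != HNAP_PATH:
        return True, "not an HNAP request"  # outside this check's scope
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparsable source address"
    if not any(addr in net for net in LAN_NETS):
        return False, "management interface not exposed to WAN"
    if method != "POST":
        return False, "HNAP operations are POST only"
    action = headers.get("soapaction")
    if action is None:
        return False, "missing SOAPAction"
    m = SOAP_ACTION_RE.match(action)
    if not m:
        return False, "malformed SOAPAction"
    if m.group(1) not in ALLOWED_ACTIONS:
        return False, "operation not in allowlist"
    return True, "ok"


# Constructed sample requests (source, method, path, headers) for a demo run.
SAMPLE_REQUESTS = [
    ("192.168.0.20", "POST", HNAP_PATH,
     {"soapaction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'}),
    ("203.0.113.5", "POST", HNAP_PATH,
     {"soapaction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'}),
    ("192.168.0.20", "POST", HNAP_PATH,
     {"soapaction": "http://purenetworks.com/HNAP1/GetDeviceSettings"}),  # unquoted
    ("192.168.0.20", "POST", HNAP_PATH,
     {"soapaction": '"http://purenetworks.com/HNAP1/SetFirmware"'}),
]


def run_samples():
    """Evaluate the constructed requests; returns the list of (allowed, reason)."""
    return [check_hnap_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(req[0], req[1], "->", verdict)
```

Only the first sample passes. The ordering matters for the defender: the source-address check runs before any header is parsed, so a WAN client never reaches the parsing step, and the regular expression is anchored at both ends so that an action name with any trailing or leading content is rejected rather than tolerated.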
The Masuta botnet is configured to download and run a script from the C&C server. During the security analysis it was discovered that the malware is capable of implementing other similar exploits, such as CVE-2014-8361 and CVE-2017-17215, which are effective against a wide range of network devices.
The security experts note that the protocol exploits in use effectively allow the hacker operators to access the compromised machines and manipulate them according to their plans. Compared with simple attacks, these attacks let the hackers take direct control of the machines. As a consequence, other malware actions become possible, including the following scenarios:
- Trojan Instance — In practice the embedded code can be used to launch a Trojan onto the target IoT devices. Such malware allows the hacker operators to spy on the device’s activity in real time and to take control of the machines at any time.
- Traffic Redirect — If the compromised hosts are network gateway equipment (such as routers and switches), the hackers can relay traffic through a hacker-operated server. Such actions are used to mount complex man-in-the-middle attacks.
- Malware Delivery — Once the network has been breached, the compromised device can be used to deliver various types of viruses to the other connected hosts.
To protect themselves from Masuta botnet infections, all computer users should update their IoT devices to the latest available version and monitor their vendor’s security bulletins for upcoming patches.
Computer users should always be on alert for malware infections. A free scan can reveal such instances and allow for a simple removal.