Introduction

Learning from the past can be an important part of future success in any endeavor, including cyberattacks. Attack groups observe this concept and apply it when they create new attack campaigns before they are released into the wild. 

Mukashi is an example of a malware that uses what has worked well for attackers in the past, wrapped up as a more narrowly focused variant. This article will detail the Mirai variant known as Mukashi and explore what it is, how it works and how to prevent it. Although Mukashi is fueled by the successes of Mirai, take heart — it can be shut down in its tracks just like its predecessor. 

What is Mukashi?

Mukashi is a variant of the Mirai malware family, which is known for targeting IoT devices. The original Mirai was described as a classic case of racketeering: the creators infected potential clients with Mirai and then would offer their services to remove the threat. The malware would scan IoT devices on a network for vulnerabilities and enslave the vulnerable devices (especially those that were still using their default factory credentials).

What makes Mukashi different from Mirai is that Mukashi exploits a specific vulnerability in one certain vendor’s network storage device. 

In February 2020, a remote code execution vulnerability was discovered in Zyxel network-attached storage devices (NAS), CVE-2020-9054, as a zero-day vulnerability. It has been given a CVE rating of 9.8 and is regarded as being critical. According to Krebs on Security, there are around 100 million Zyxel devices deployed around the world, and Zyxel devices with a firmware version of 5.21 or less are vulnerable.

Mukashi takes advantage of CVE-2020-9054 to turn certain Zyxel NAS devices into an unwitting botnet of zombies. This vulnerability was first discovered by Palo Alto Networks on March 12, 2020, when a threat actor attempted to drop a shell script into a vulnerable device’s TMP directory and execute the script undetected.

How does Mukashi work?

Although there has not been a racketeering element reported in cases of Mukashi infection, it does act very much like Mirai and other Mirai variants. Mukashi scans the internet for IoT devices with vulnerabilities such as (first and foremost) Zyxel NAS devices, digital video recorders (DVRs), security cameras and other connected devices. These devices often use factory-default and commonly-guessed passwords. Devices with this level of weak security are sitting ducks for attackers. 

Technically defined as a bot, Mukashi first decodes credentials based upon previous experience with similar hosts and other common credentials. Next, Mukashi scans TCP port 23 of IoT hosts and launches brute-force login attempts against these hosts to find successful login credential combinations. If it finds any successful credential combinations, it reports them to the Mukashi C2 server. This message is sent to C2 in the following format:

<host ip addr>:23 <username>:<password>

Before Mukashi carries out any further actions, it first binds to the host’s TCP port 23448 to make sure that only one instance is running on the infected system. This makes it easier to avoid detection, as it would leave less of a digital trail of breadcrumbs to follow. Next, it displays a message stating “Protecting your device from further infections” on the infected host. 

Much like other Mirai variants, Mukashi can also receive C2 commands in order to further the attack beyond brute-force attacks. One of the most devastating actions it can perform via C2 command is launching DDoS attacks. Palo Alto Networks researchers have found that Mukashi’s DDoS attack mechanics (TCP, UDP, TCP bypass and UDP bypass) are identical to those used by other Mirai variants. It also has anti-DDoS defense capabilities that add an air of persistence to its respective DDoS attacks. 

Mukashi supports more than just DDoS commands. Below is a list of the C2 commands it supports:

  • PING
  • Killallbots
  • Killer
  • Scanner
  • .udp
  • .duprand
  • .udpplain
  • .udpbypass
  • .udphex
  • .tcp
  • .tcpbypass
  • .http

How to prevent Mukashi

Prevention begins with keeping your device updated with the latest security updates. As mentioned earlier, Zyxel NAS devices with firmware versions below 5.21 are most at risk because they are no longer supported. On February 24, Zyxel issued a patch for versions 5.21 and later, and this patch should prevent Mukashi. 

Those with a firmware version below 5.21 should get rid of their device and get one that can apply the update. As Krebs on Security said: “If you can’t patch it, pitch it.” 

For those that do not have the option to simply “pitch it”, there is another option available. You may be able to download the latest firmware for your Zyxel NAS device and this would get around the compatibility issue mentioned above. Again, if your device is no longer supported, you’ll be out of luck with this option.

The final preventive measure is to change the default login credentials on your device if you haven’t already. This is a standard security measure for any IoT device, as many come preloaded with easily-guessed and commonly-used default credentials.

Conclusion

Mukashi is a variant of the IoT targeting malware Mirai. Much like other Mirai variants, Mukashi scans IoT devices for vulnerabilities and reports successful login credential combinations to its C2 server. 

What makes Mukashi different is that while it is capable of performing this basic IoT malware action, it specifically targets a remote code execution vulnerability of Zyxel NAS devices below firmware version 5.21. By following the preventive measures enumerated in this article, you can stop this malware bot from taking advantage of this Zyxel vulnerability.

 

Sources

  1. Zyxel Flaw Powers New Mirai IoT Botnet Strain, Krebs on Security 
  2. Mirai Variant Mukashi Conducts Brute-Force Attacks Against Vulnerable NAS Devices, Security Intelligence
  3. New Mirai Variant Targets Zyxel Network-Attached Storage Devices, Palo Alto Networks
  4. New Mirai Malware “Mukashi” Exploit Vulnerable Zyxel Network Storage Devices in Wide, GBHackers on Security