Mukashi malware: What it is, how it works and how to prevent it | Malware spotlight
Introduction
Learning from the past can be an important part of future success in any endeavor, including cyberattacks. Attack groups observe this concept and apply it when they create new attack campaigns before they are released into the wild.
Mukashi is an example of a malware that uses what has worked well for attackers in the past, wrapped up as a more narrowly focused variant. This article will detail the Mirai variant known as Mukashi and explore what it is, how it works and how to prevent it. Although Mukashi is fueled by the successes of Mirai, take heart — it can be shut down in its tracks just like its predecessor.
Become a certified reverse engineer!
What is Mukashi?
Mukashi is a variant of the Mirai malware family, which is known for targeting IoT devices. The original Mirai was described as a classic case of racketeering: the creators infected potential clients with Mirai and then would offer their services to remove the threat. The malware would scan IoT devices on a network for vulnerabilities and enslave the vulnerable devices (especially those that were still using their default factory credentials).
What makes Mukashi different from Mirai is that Mukashi exploits a specific vulnerability in one certain vendor’s network storage device.
In February 2020, a remote code execution vulnerability was discovered in Zyxel network-attached storage devices (NAS), CVE-2020-9054, as a zero-day vulnerability. It has been given a CVE rating of 9.8 and is regarded as being critical. According to Krebs on Security, there are around 100 million Zyxel devices deployed around the world, and Zyxel devices with a firmware version of 5.21 or less are vulnerable.
Mukashi takes advantage of CVE-2020-9054 to turn certain Zyxel NAS devices into an unwitting botnet of zombies. This vulnerability was first discovered by Palo Alto Networks on March 12, 2020, when a threat actor attempted to drop a shell script into a vulnerable device’s TMP directory and execute the script undetected.
How does Mukashi work?
Although there has not been a racketeering element reported in cases of Mukashi infection, it does act very much like Mirai and other Mirai variants. Mukashi scans the internet for IoT devices with vulnerabilities such as (first and foremost) Zyxel NAS devices, digital video recorders (DVRs), security cameras and other connected devices. These devices often use factory-default and commonly-guessed passwords. Devices with this level of weak security are sitting ducks for attackers.
Technically defined as a bot, Mukashi first decodes credentials based upon previous experience with similar hosts and other common credentials. Next, Mukashi scans TCP port 23 of IoT hosts and launches brute-force login attempts against these hosts to find successful login credential combinations. If it finds any successful credential combinations, it reports them to the Mukashi C2 server. This message is sent to C2 in the following format:
<host ip addr>:23 <username>:<password>
Before Mukashi carries out any further actions, it first binds to the host’s TCP port 23448 to make sure that only one instance is running on the infected system. This makes it easier to avoid detection, as it would leave less of a digital trail of breadcrumbs to follow. Next, it displays a message stating “Protecting your device from further infections” on the infected host.
Much like other Mirai variants, Mukashi can also receive C2 commands in order to further the attack beyond brute-force attacks. One of the most devastating actions it can perform via C2 command is launching DDoS attacks. Palo Alto Networks researchers have found that Mukashi’s DDoS attack mechanics (TCP, UDP, TCP bypass and UDP bypass) are identical to those used by other Mirai variants. It also has anti-DDoS defense capabilities that add an air of persistence to its respective DDoS attacks.
Mukashi supports more than just DDoS commands. Below is a list of the C2 commands it supports:
- PING
- Killallbots
- Killer
- Scanner
- .udp
- .duprand
- .udpplain
- .udpbypass
- .udphex
- .tcp
- .tcpbypass
- .http
How to prevent Mukashi
Prevention begins with keeping your device updated with the latest security updates. As mentioned earlier, Zyxel NAS devices with firmware versions below 5.21 are most at risk because they are no longer supported. On February 24, Zyxel issued a patch for versions 5.21 and later, and this patch should prevent Mukashi.
Those with a firmware version below 5.21 should get rid of their device and get one that can apply the update. As Krebs on Security said: “If you can’t patch it, pitch it.”
For those that do not have the option to simply “pitch it”, there is another option available. You may be able to download the latest firmware for your Zyxel NAS device and this would get around the compatibility issue mentioned above. Again, if your device is no longer supported, you’ll be out of luck with this option.
The final preventive measure is to change the default login credentials on your device if you haven’t already. This is a standard security measure for any IoT device, as many come preloaded with easily-guessed and commonly-used default credentials.
Conclusion
Mukashi is a variant of the IoT targeting malware Mirai. Much like other Mirai variants, Mukashi scans IoT devices for vulnerabilities and reports successful login credential combinations to its C2 server.
What makes Mukashi different is that while it is capable of performing this basic IoT malware action, it specifically targets a remote code execution vulnerability of Zyxel NAS devices below firmware version 5.21. By following the preventive measures enumerated in this article, you can stop this malware bot from taking advantage of this Zyxel vulnerability.
Become a certified reverse engineer!
Sources
- Zyxel Flaw Powers New Mirai IoT Botnet Strain, Krebs on Security
- Mirai Variant Mukashi Conducts Brute-Force Attacks Against Vulnerable NAS Devices, Security Intelligence
- New Mirai Variant Targets Zyxel Network-Attached Storage Devices, Palo Alto Networks
- New Mirai Malware “Mukashi” Exploit Vulnerable Zyxel Network Storage Devices in Wide, GBHackers on Security
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Mukashi malware: What it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis