BleepingComputer reports that intrusions involving a new Mirai-based botnet have been targeting Teltonika RUT9XX routers impacted by the CVE-2018-17532 flaw, TP-Link devices affected by CVE-2023-1389, and DigiEver DS-2105 Pro network video recorders with a yet-to-be-patched remote code execution vulnerability, as part of an attack campaign believed to have commenced in September.
After achieving command injection through the DigiEver NVR's "/cgi-bin/cgi_main.cgi" URI, the threat actors proceeded to retrieve the new Mirai variant, which features multi-platform support as well as ChaCha20 and XOR encryption, and which allows the compromised device to be leveraged in distributed denial-of-service attacks, according to a report from Akamai.
Additional analysis showed similarities between the new attacks and intrusions initially disclosed by TXOne researcher Ta-Lun Yen at last year's DefCamp security conference.
"Although employing complex decryption methods isn't new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators. This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release," said Akamai researchers.