IZ1H9 Mirai-Based Botnet Enhances its Arsenal with 13 New Exploits

New exploits added

• Four of these flaws concern D-Link devices. 
• Eight other exploits target arbitrary command execution flaws belonging to products from Geutebruck.
• One flaw tracked as CVE-2019-19356 targets Netis WF2419. 
• The arsenal of IZ1H9 also includes an exploit for a command injection vulnerability (CVE-2023-23295) in Korenix JetWave routers, one for remote code execution vulnerability (for CVE-2019-19356) in Netis WF2419 wireless routers, and another for a command injection issue (CVE-2021-36380) Sunhillo SureLine application.
• Additionally, the botnet incorporates exploits 12 command execution vulnerabilities affecting TOTOLINK routers.

Infection process

• After exploiting one of the aforementioned CVEs, a IZ1H9 botnet payload is injected into the device. 
• This payload contains a command that instructs the device to download a shell script downloader named "l.sh" from a specific URL.
• When the downloaded script is executed, it first deletes logs to hide any malicious activity. 
• It then retrieves bot clients that are designed to work on different system architectures.
• After completing these actions, the bot establishes communication with a C2 server to launch different types of DDoS attacks such as UDP, UDP Plain, HTTP Flood, and TCP SYN.

Conclusion