Key Takeaways
A new Mirai variant malware, dubbed ShadowV2, is actively exploiting a range of vulnerabilities in Internet of Things (IoT) devices. The malware was observed spreading during a global AWS outage at the end of October, leading researchers to believe the activity was a test run for future large-scale attacks.
ShadowV2 is a Mirai-based botnet designed specifically for IoT architectures. Analysis reveals that its structure is similar to that of another Mirai variant, LZRD.
A new FortiGuard Labs report revealed the campaign leverages a downloader script, binary.sh, to deliver the main payload by exploiting known security flaws in devices from several vendors, including:
Upon execution, the malware decodes its configuration and connects to a command-and-control (C2) server, silverpath[.]shadowstresser[.]info, to receive commands.
The malware is equipped to launch various Distributed Denial-of-Service (DDoS) attacks, supporting UDP and TCP floods as well as HTTP-level attacks.
The identification of the string "ShadowV2 Build v1.0.0 IoT version" in the code suggests this is a first-generation build developed specifically to compromise and weaponize IoT devices.
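The two indicators the report quotes (the C2 domain and the build string) are the kind of thing a defender turns into a quick triage check. The following is an added example, not code from the FortiGuard Labs report: it refangs the published domain, scans a constructed, simplified DNS log format ('<timestamp> <client_ip> query <qname>') for lookups of the C2 domain or its subdomains, and tests a captured file for the build string. Timestamps and client IPs in the sample lines are made up.

```python
import re

# Indicators as quoted in the report above; the C2 domain is kept defanged.
C2_DOMAIN_DEFANGED = "silverpath[.]shadowstresser[.]info"
BUILD_STRING = b"ShadowV2 Build v1.0.0 IoT version"


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('a[.]b') to the form seen in logs ('a.b')."""
    return indicator.replace("[.]", ".")


def find_c2_lookups(log_lines, c2_domain=refang(C2_DOMAIN_DEFANGED)):
    """Return (client_ip, qname) for every DNS log line that resolves the C2
    domain or a subdomain of it. The log format is a constructed, simplified
    one for this example: '<timestamp> <client_ip> query <qname>'."""
    pattern = re.compile(r"^\S+\s+(\S+)\s+query\s+(\S+)")
    hits = []
    for line in log_lines:
        m = pattern.match(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).rstrip(".").lower()
        # Exact match or a subdomain; avoids matching e.g. 'notshadowstresser.info'.
        if qname == c2_domain or qname.endswith("." + c2_domain):
            hits.append((client, qname))
    return hits


def looks_like_shadowv2(blob: bytes) -> bool:
    """Cheap triage check on a captured file: does it carry the build string?"""
    return BUILD_STRING in blob


# Constructed sample DNS log lines (timestamps and client IPs are made up).
SAMPLE_DNS = [
    "2025-10-30T12:00:01Z 10.0.0.5 query silverpath.shadowstresser.info.",
    "2025-10-30T12:00:02Z 10.0.0.6 query www.example.com.",
    "2025-10-30T12:00:03Z 10.0.0.7 query cdn.SILVERPATH.shadowstresser.info.",
    "2025-10-30T12:00:04Z 10.0.0.8 query notshadowstresser.info.",
]

if __name__ == "__main__":
    for client, qname in find_c2_lookups(SAMPLE_DNS):
        print(f"C2 lookup from {client}: {qname}")
    print(looks_like_shadowv2(b"\x7fELF..." + BUILD_STRING + b"..."))
```

A string match on the build tag is only a triage signal; a sample without that string is not cleared by it.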
The ShadowV2 campaign demonstrates a significant global IoT security threat: active exploitation attempts have been detected against devices in dozens of countries across North and South America, Europe, Africa, Asia, and Oceania, spanning industries such as technology, retail, manufacturing, government, and telecommunications.
The strategic exploitation of IoT device vulnerabilities underscores the critical need for organizations to maintain timely firmware updates and enforce robust security practices to mitigate the risk of being co-opted into a botnet.
In other recent news, a critical TP-Link zero-day vulnerability exposes millions of routers to full system takeover.
Among other news regarding IoT security threats, popular Android TV streaming boxes were linked to botnet activity. In August, the Gayfemboy botnet resurfaced with enhanced evasion tactics, targeting global routers.