2021-03-19 (FRIDAY): IOC UPDATE TO UNIT 42 REPORT ON MIRAI VARIANT
TWEET:
- https://twitter.com/Unit42_Intel/status/1373017186818781190
NOTES:
- From our recent report (see below reference) we are now observing the Mirai variant attempting to exploit CVE-2021-22986, an
unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.
- Samples listed below are still live at the time of writing.
REFERENCE:
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
SAMPLES:
(read: Date/Time discovered - URL - SHA256 hash)