A newly discovered large-scale exploitation campaign using a new Mirai variant, dubbed the Murdoc botnet, targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers.
According to reports, the ongoing campaign shows expanded capabilities, exploiting vulnerabilities to compromise devices and assemble large botnets. Researchers noted that the campaign has been active since July last year and has infected at least 1,300 systems.
Most of the confirmed recorded infections happened in countries such as Malaysia, Mexico, Thailand, Indonesia, and Vietnam.
The Murdoc botnet prioritises exploiting specific vulnerabilities.
The new Murdoc botnet exploits known vulnerabilities, such as CVE-2017-17215 and CVE-2024-7029, to gain initial access to IoT devices and download the next-stage payload via a shell script.
The script then downloads and executes the botnet binary matching the device's CPU architecture. The primary objective of these operations is to use the botnet to perform DDoS attacks.
A recent tally revealed that nearly 38,000 AVTECH cameras are exposed online, most of which are in Taiwan, Vietnam, Indonesia, Sri Lanka, and the US.
The development comes weeks after a Mirai botnet variant known as gayfemboy was seen exploiting a reported vulnerability that has affected Four-Faith industrial routers since early November 2024. Separately, Akamai disclosed that malicious actors used CVE-2024-7029 to enlist AVTECH devices in a botnet last year.
Recently, details emerged of another large-scale DDoS attack campaign targeting large Japanese companies and banks since the end of 2024. This campaign used an IoT botnet built by exploiting flaws and weak credentials. Other targets include the United States, Bahrain, Poland, Spain, Israel, and Russia.
These attacks commonly involve accessing IoT devices and deploying loader malware that retrieves the actual payload before connecting to a C2 server and awaiting commands for DDoS attacks and other objectives.
To counter such attacks, organisations should monitor for suspicious processes, events, and network traffic generated by the execution of any untrusted binary or script. Firms and individuals that use such devices should also update their firmware to prevent this new campaign from exploiting the vulnerabilities.
