Murdoc Botnet Ensnaring Avtech, Huawei Devices


A new variant of the Mirai malware has been observed exploiting vulnerabilities in Avtech cameras and Huawei routers to ensnare the devices into a botnet, security firm Qualys reports.

Dubbed Murdoc Botnet, the malware has been actively targeting Avtech and Huawei devices for roughly six months. According to Qualys, at least 1,300 IPs have been active as part of the campaign.

The botnet’s operators use more than 100 servers for command-and-control (C&C), which are tasked with establishing communication with the compromised hosts and with distributing the Mirai malware.

Murdoc has been targeting Avtech AVM1203 IP cameras affected by CVE-2024-7029, a high-severity bug leading to remote code execution (RCE).

The issue came to light on August 1, 2024, when the US cybersecurity agency CISA warned that it had been exploited in the wild as a zero-day and that Avtech had not responded to attempts to get the bug patched.

In late August, Akamai reported that the flaw was already exploited by a Mirai-based botnet, and Censys warned a week later that roughly 38,000 internet-accessible Avtech cameras were potentially vulnerable.

The Murdoc botnet, Qualys says, was also seen exploiting CVE-2017-17215, a Huawei HG532 router vulnerability that has been targeted by Mirai-based botnets for more than half a decade.

The botnet exploits vulnerable devices to fetch next-stage payloads, which include ELF binaries and shell scripts that, once executed, allow the C&C servers to load the Murdoc malware onto the device.


Like most Mirai-based botnets, Murdoc allows threat actors to launch distributed denial-of-service (DDoS) attacks.

According to Qualys, most of the observed Murdoc infections are in Malaysia, followed by Thailand, Mexico, and Indonesia. The company has identified over 300 Murdoc samples to date.

To stay protected, organizations and individuals are advised to monitor devices for suspicious events and network traffic, to exercise caution when running scripts from unknown or untrusted sources, and to keep their devices and software up to date.

Related: Botnet of 190,000 BadBox-Infected Android Devices Discovered

Related: Juniper Warns of Mirai Botnet Targeting Session Smart Routers

Related: Discontinued GeoVision Products Targeted in Botnet Attacks via Zero-Day

Related: Recent Zyxel NAS Vulnerability Exploited by Botnet
