The IZ1H9 botnet, rooted in the Mirai DDoS (distributed denial of service) malware strain, has updated its arsenal, now aiming at thirteen new vulnerabilities found in Linux-based routers and models produced by D-Link, Zyxel, TP-Link, TOTOLINK, among other manufacturers.

During the early days of September, Fortinet’s team of experts noted a surge in exploitation attempts, with numbers reaching into the tens of thousands, all directed against susceptible devices.

The process initiated by IZ1H9 is straightforward: it takes control of devices, incorporating them into its DDoS network. Subsequently, it orchestrates DDoS offensives, presumably at the behest of customers who contract its services.

Broadening IoT Focus

The scope of devices and vulnerabilities a DDoS malware can exploit directly influences its potential to cultivate a vast and formidable botnet, one that possesses the capability to significantly disrupt online platforms.

In the context of IZ1H9, Fortinet has catalogued its exploitation of vulnerabilities ranging from the years 2015 to 2023 in various devices from different manufacturers.

The ongoing campaign also seeks out a specific vulnerability linked to the “/cgi-bin/login.cgi” pathway, which might impact the Prolink PRC2402M router model.

Details of the Offensive

Once a targeted vulnerability is exploited, the IZ1H9 payload integrates into the device, dispatching a directive to retrieve a shell script downloader, termed “l.sh”, from a designated online source.

The sequence that follows is methodical. The executing script erases traces of its activity, and subsequently retrieves bot clients optimized for diverse system structures. Concluding this sequence, the script reconfigures the device’s iptables regulations, complicating connection through particular ports and making the malware’s extraction a challenging task.

After the completion of these steps, the infected device connects to the C2 (command and control) server, awaiting further instructions. The range of commands primarily pertain to the modality of the DDoS offensive to be unleashed, spanning UDP, UDP Plain, HTTP Flood, to TCP SYN.

Additionally, Fortinet has highlighted that the IZ1H9 variant comes with an embedded section storing fixed credentials. These can potentially be employed in brute-force attacks, either for spreading to neighboring devices or for establishing connections to IoTs lacking a known exploit.

IoT device owners are advised to fortify their admin credentials, keep their devices updated with the most recent firmware versions, and minimize their device’s exposure to the open internet when feasible.