Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

January 8, 2025

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.

The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.

Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in the source code.

QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024.

The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), which refers to an operating system (OS) command injection bug affecting router models F3x24 and F3x36 by taking advantage of unchanged default credentials.

Late last month, VulnCheck told The Hacker News that the vulnerability has been exploited in the wild to drop reverse shells and a Mirai-like payload on compromised devices.

Some of the other security flaws exploited by the botnet to extend its reach and scale include CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.

Once launched, the malware attempts to hide malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.

DDoS attacks leveraging the botnet have targeted hundreds of different entities on a daily basis, with the activity scaling a new peak in October and November 2024. The attacks, while lasting between 10 and 30 seconds, generate traffic around 100 Gbps.

The disclosure comes weeks after Juniper Networks warned that Session Smart Router (SSR) products with default passwords are being targeted by malicious actors to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs.

"DDoS has become one of the most common and destructive forms of cyber attacks," XLab researchers said. "Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users."

The development also comes as threat actors are leveraging susceptible and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner called PacketCrypt.