InfectedSlurs Botnet

A recently discovered malware botnet, 'InfectedSlurs,' is leveraging two zero-day vulnerabilities for Remote Code Execution (RCE) to compromise routers and video recorder (NVR) devices. This threatening software takes control of the infected devices, incorporating them into a DDoS (Distributed Denial of Service) swarm, likely rented out for financial gain. Analysts suggest that the botnet's earliest signs of activity trace back to late 2022, but it was first uncovered in October 2023.

The InfectedSlurs Botnet Had Managed to Remain Under the Radar

Analysts detected suspicious behavior involving low-frequency probes attempting authentication through POST requests, followed by a command injection endeavor. Utilizing the available data, researchers conducted a comprehensive scan across the Internet and identified that the affected devices were associated with a specific NVR manufacturer. Their findings indicated that the botnet exploits an unreported remote code execution (RCE) vulnerability to gain unauthorized entry to the device.

Upon closer inspection, it was revealed that the malware takes advantage of default credentials found in the vendor's manuals for various NVR products. It utilizes these credentials to install a bot client and carry out other malicious actions. Delving further into the investigation, it was uncovered that the botnet also targets a widely used wireless LAN router, popular among home users and hotels. This router is susceptible to another zero-day RCE flaw exploited by the malware for its activities.

InfectedSlurs Shows Little Improvements Over Mirai

The identified malware, dubbed 'InfectedSlurs' by researchers, earned its name from the utilization of offensive language present in the Command-and-Control (C2, C&C) domains and hardcoded strings. The C2 infrastructure, which also seems to facilitate hailBot operations, displays a notable concentration. This threat is identified as a JenX Mirai variant. Additionally, an investigation has uncovered a Telegram account associated with the cluster, although the account has since been deleted.

The user behind the account shared screenshots revealing close to ten thousand bots using the Telnet protocol and an additional 12,000 bots targeting specific device types/brands such as 'Vacron,' 'ntel,' and 'UTT-Bots.'

Upon analysis, minimal code modifications were identified compared to the original Mirai Botnet, indicating that InfectedSlurs operates as a self-propagating DDoS tool. It supports attacks employing SYN, UDP and HTTP GET request floods.

Similar to Mirai, InfectedSlurs lacks a persistence mechanism. As there is no available patch for the affected devices, temporarily disrupting the botnet can be achieved by rebooting NVR and router devices.