A new variant based on the infamous Mirai Botnet has been detected as part of active attack operations. Named Mirai_ptea by malware researchers, the new threat exploits a vulnerability in KGUARD DVR devices. Certain details about the specific vulnerability are being kept under wraps but, in short, it allows the threat actors to reach the rsSystemServer program in the KGUARD DVR firmware, which listens on port 56*** at 0.0.0.0, and execute arbitrary system commands remotely without needing to authenticate. It should be noted that this particular vulnerability was fixed in firmware versions released after 2017. Still, the infosec researchers discovered approximately 3,000 vulnerable devices that can be compromised by Mirai_ptea. Most of the already breached devices appear to be located in the United States, followed by Korea and Brazil.
The Mirai Botnet gained notoriety back in 2016, and soon afterward its source code was leaked on hacker forums, effectively turning the threat into open-source malware. Ever since, unscrupulous cybercriminals have been creating numerous threats with varying reliance on the original Mirai code. As for Mirai_ptea, analysis of its code and activities shows that at the host behavior level it is almost identical to Mirai. The major differences are found in the way Mirai_ptea handles its network traffic. In fact, its name was derived from two of them: the use of a Tor proxy for communication with the Command-and-Control (C2, C&C) server and the reliance on TEA (Tiny Encryption Algorithm) to mask sensitive resource data. The main malicious functionality of Mirai_ptea is carrying out DDoS (Distributed Denial-of-Service) attacks, and the threat has been used in active attacks against select targets.
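For analysts who need to unmask TEA-protected resource strings from a sample, the standard Wheeler/Needham TEA cipher (64-bit block, 128-bit key, 32 cycles) is shown below as an added example; it is not code from the article or from the Mirai_ptea binary. The key, the sample string and the plain 8-byte ECB framing are constructed for the demo; a real sample's key and data layout must be recovered from the binary itself.

```c
/* Added example: standard TEA (Tiny Encryption Algorithm) block cipher.
 * Key, sample data and ECB framing are constructed; nothing here is taken
 * from the Mirai_ptea sample, whose key and layout are not public. */
#include <stdint.h>
#include <string.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_CYCLES 32

/* Encrypt one 64-bit block in place; k is the 128-bit key as four words. */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decrypt one 64-bit block in place (inverse round order, sum counts down). */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_CYCLES; /* 0xC6EF3720 */
    for (int i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Apply TEA block by block (ECB) over a buffer; len must be a multiple of 8.
 * Words are copied in host byte order, which is what a same-arch sample uses. */
static void tea_buffer(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
}

/* Round-trip check on a constructed 16-byte resource string; returns 1 on success. */
int tea_selftest(void) {
    const uint32_t key[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u};
    uint8_t buf[16], orig[16];
    memcpy(buf, "c2.example.onion", 16);       /* constructed sample, no NUL needed */
    memcpy(orig, buf, 16);
    tea_buffer(buf, 16, key, 0);               /* mask */
    if (memcmp(buf, orig, 16) == 0) return 0;  /* masking must change the bytes */
    tea_buffer(buf, 16, key, 1);               /* unmask */
    return memcmp(buf, orig, 16) == 0;
}
```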