The SORA Botnet is a variant based on the code of the infamous Mirai Botnet. Since Mirai's source code was made public on a hacker forum in 2016, several campaigns involving customized variants of the botnet have been detected. In SORA's case, it was designed to abuse two vulnerabilities. For remote code execution, it exploits CVE-2017-17215, while CVE-2018-10561 gives the malware the ability to manage the infected device.
Once an appropriate device is compromised, a downloader is dropped from the Command-and-Control (C2, C&C) infrastructure set up for the campaign. This first-stage malware is responsible for delivering and executing the actual SORA payload in the second stage of the attack chain.
SORA was deployed alongside another Mirai Botnet variant called UNSTABLE in a campaign targeting Rasilient PixelStor5000 video surveillance storage systems. The specific entry vector was the CVE-2020-6756 vulnerability, which allows the hackers to execute commands remotely through the 'lang' parameter.
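For defenders, a language selector has a very narrow legitimate grammar, so an allowlist check on 'lang' in web access logs is a practical way to spot this kind of probing. The following is an added example, not code from the original page or from any vendor; the log format, the `/placeholder/path` URL, the sample lines and all function names are assumptions, and it only sees 'lang' when it appears in the logged query string.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# A language selector should look like a locale tag: "en", "en-US", "zh_Hant_TW".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8}){0,3}")
# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are from the documentation range
# and the URL path is a placeholder, not the product's real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /placeholder/path?lang=en-US HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /placeholder/path?lang=en%3B%20uname%20-a HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /placeholder/path?lang=en%253Bid HTTP/1.1" 200 512',
]

def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding (double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lang_values(log_line):
    """Return decoded 'lang' values in one log line that are not plain locale tags."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    # parse_qs removes one encoding layer; decode_fully removes any further ones.
    values = parse_qs(query).get("lang", [])
    decoded = [decode_fully(v) for v in values]
    return [v for v in decoded if not LOCALE_RE.fullmatch(v)]

def scan(lines):
    """Return (client address, offending value) pairs for every flagged request."""
    return [(line.split()[0], bad)
            for line in lines
            for bad in suspicious_lang_values(line)]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} sent non-locale lang value: {value!r}")
```
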
Because botnets need a sizeable number of compromised devices, which they turn into bots, to perform their functions, it is not surprising when the hackers decide to expand their initial range of targets. When critical mass is reached, botnets can cause massive disruptions through Distributed Denial of Service (DDoS) attacks. Indeed, most criminals' goal is to offer their botnet for hire to any potential threat actor who wants to perform such attacks.