Trojan.SH.MIRAI.BOI is the designation assigned to a custom Mirai botnet downloader. Ever since the Mirai botnet's code was released to the public in 2016, cybercriminals have been able to take it and add their own modifications to better suit their agenda. Trojan.SH.MIRAI.BOI is designed to attack Internet of Things (IoT) devices by scanning for exposed Big-IP boxes, abusing several vulnerabilities, and deploying a threatening payload. The vulnerability that Trojan.SH.MIRAI.BOI mainly focuses on is CVE-2020-5902. At its core, this bug is a remote code execution (RCE) vulnerability that can impact the Traffic Management User Interface (TMUI) of Big-IP devices. The exploit is extremely threatening, as it allows the hackers to execute arbitrary commands on the infected device by simply sending a GET request with a 'command' parameter to 'tmshCmd.jsp'.
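For defenders, the request pattern described above can be searched for in web access logs. The following is an added example, not code from the original write-up: it assumes Common/Combined Log Format, and the sample log lines, IP addresses, URL path prefix and parameter values are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Common/Combined Log Format: src, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (e.g. %2574 -> %74 -> t)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_tmshcmd_requests(lines):
    """Return one dict per request to tmshCmd.jsp that carries a 'command' parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        path, _, query = decode_fully(m.group("target")).partition("?")
        # Compare only the last path segment, ignoring case and ;path-params.
        leaf = path.rsplit("/", 1)[-1].split(";", 1)[0].lower()
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        if leaf == "tmshcmd.jsp" and "command" in params:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status"),
                         "command": params["command"]})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up path and values).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2020:10:00:01 +0000] "GET /example/tmshCmd.jsp?command=EXAMPLE HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2020:10:00:02 +0000] "GET /example/%2574mshCmd.jsp?Command=EXAMPLE+TWO HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jul/2020:10:00:03 +0000] "GET /index.html?command=EXAMPLE HTTP/1.1" 200 100',
    '192.0.2.10 - - [10/Jul/2020:10:00:04 +0000] "GET /example/tmshCmd.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_tmshcmd_requests(SAMPLE_LOG):
        print(hit)
```

The recorded status code and HTTP method help triage: a hit answered with a success status on an internet-facing management interface deserves immediate investigation.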
Infosec researchers detected two IP addresses as part of the threat's operations. The first one, at hxxp://18.104.22.168/bins/, acts as an infiltration vector, while hxxp://22.214.171.124 is the Command-and-Control (C2, C&C) server. The host server contained multiple files named SORA, another variant based on the Mirai botnet that specializes in brute-force attacks and the exploitation of RCE vulnerabilities, as well as a shell script file named 'fetch.sh'. The shell script is responsible for contacting the C&C server and delivering the appropriate payload. It also sets up the automated execution of the corrupted binary files. Furthermore, through the iptables tool, the script causes any packets sent to commonly used TCP ports, such as the ones for Telnet, the device web panel (HTTP) and Secure Shell (SSH), to be dropped. The possible goal is either to prevent any other malware from infecting the already compromised device or to lock users out of the device's management interface.
Apart from the CVE-2020-5902 vulnerability, Trojan.SH.MIRAI.BOI exploits another nine vulnerabilities, three of which did not have a CVE identification when the threat was detected.