UNSTABLE Botnet Description
The UNSTABLE Botnet is yet another botnet variant spawned from the leaked source code of the infamous Mirai Botnet. The dumping of Mirai's source code on a hacker forum back in 2016 has allowed a whole range of cybercriminals, from novices to experienced developers, to take it and adjust it according to their needs.
UNSTABLE was deployed alongside another Mirai Botnet variant named SORA in a campaign targeting Rasilient PixelStor5000 video surveillance storage systems. The threat abused the CVE-2020-6756 vulnerability, through which the hackers could execute commands remotely via the 'lang' parameter.
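For defenders, one way to look for this kind of abuse is to review web access logs for requests whose 'lang' value is not a plain language tag. The following is an added example, not code from the original page or from any vendor; the log lines, the `/placeholder/endpoint` path and the allowlist pattern are constructed, and it assumes the parameter arrives in the query string and is logged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); the path
# /placeholder/endpoint is a stand-in, not the real vulnerable URL.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2020:09:12:01 +0000] "GET /placeholder/endpoint?lang=en HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2020:09:12:05 +0000] "GET /placeholder/endpoint?lang=pt-BR HTTP/1.1" 200 498
203.0.113.44 - - [10/Mar/2020:09:13:40 +0000] "GET /placeholder/endpoint?lang=en%3Becho%20constructed HTTP/1.1" 200 0
203.0.113.44 - - [10/Mar/2020:09:13:41 +0000] "GET /placeholder/endpoint?page=2&lang=%60echo%20constructed%60 HTTP/1.1" 200 0
192.0.2.10 - - [10/Mar/2020:09:14:02 +0000] "GET /placeholder/endpoint?page=3 HTTP/1.1" 200 730
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Assumed allowlist: a language tag such as "en", "pt-BR" or "zh_CN", nothing else.
LANG_OK = re.compile(r'[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})?')


def suspicious_lang_requests(log_text):
    """Return (ip, timestamp, decoded lang value) for each request whose
    'lang' query parameter is not a plain language tag."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        query = urlsplit(m.group("target")).query
        # parse_qs URL-decodes values; keep_blank_values so "lang=" is still seen
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            if not LANG_OK.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_lang_requests(SAMPLE_LOG):
        print(f"{ts} {ip} lang={value!r}")
```

An allowlist on the decoded value catches separators, backticks and whitespace without having to enumerate every shell metacharacter.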
With both SORA and UNSTABLE being based on the same source code, the two threats share quite a lot of similarities. UNSTABLE, however, appears to be a bit more sophisticated, as it is equipped with the functionality to exploit the ThinkPHP vulnerability in addition to the two exploits abused by SORA - CVE-2017-17215 and CVE-2018-10561. The ThinkPHP and CVE-2017-17215 vulnerabilities allow remote code execution, while CVE-2018-10561 gives the hackers access to the compromised device's management.
When it comes to the deployment of botnets, they all have the same goal - to infect and incorporate as many devices as possible. The greater the number of 'bots', the more powerful the Botnet becomes. For a service fee, the hackers can then initiate a Distributed Denial of Service (DDoS) strike according to their client's specifications.