skip to Main Content

Cybercrime, there is a new ECHOBOT malware version in the wild

Palo Alto Networks: There’s a new ECHOBOT malware in the wild. The latest Mirai variant contains a total of 71 unique exploits, 13 of these vulnerabilities haven’t been previously seen exploited

There’s a new ECHOBOT malware in the wild. It has been discovered by Palo Alto Networks cyber security experts. Since the discovery of the cybercrime Mirai variant in May 2019, it has resurfaced many times, using new infrastructure, and adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution. Unlike other botnet variants, this one stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique ones, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs to recent vulnerabilities made public as early December 2019. The newly exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application.

The cyber security experts: The malware, like its predecessors, makes use of the key 0xDFDAACFD for XOR encryption of its strings and of the same domains for Command and Control

According to the cyber security experts, the new ECHOBOT version first surfaced on October 28th, 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October. This latest malware contains a total of 71 unique exploits, 13 of these vulnerabilities haven’t been previously seen exploited in the wild prior to this version. Like its predecessors, this Mirai variant makes use of the key 0xDFDAACFD for XOR encryption of its strings. Furthermore, of the same domains for Command and Control. This choice could possibly imply cybercrime is targeting either legacy devices that are still in use, but probably too old to update due to compatibility issues, and newer vulnerabilities that are too recent for owners to have patched.

Back To Top