Mukashi Malware Exploits Zyxel NAS Device Vulnerabilities

Mirai, the malware that turns networked devices into remotely controlled bots, has resurfaced as a variant called Mukashi, which is actively exploiting a vulnerability in Zyxel network-attached storage (NAS) devices tracked as CVE-2020-9054. This remote code execution vulnerability, with a CVSS score of 9.8, was rated “Critical” and made public last month. According to the findings, Zyxel NAS devices with firmware versions 5.21 or less are vulnerable to Mukashi malware.

How Mukashi Malware Works

This vulnerability was discovered as a zero-day exploit and was soon put up for sale by its handlers. Zyxel NAS devices authenticate the username parameter using the weblogin.cgi CGI executable. If this parameter contains specific characters, it can allow command injection with the privileges of the web server running on the Zyxel device. A setuid utility present on Zyxel devices can then be leveraged by sending a specially crafted HTTP POST or GET request, so exploitation can ultimately lead to remote code execution with root privileges on the Zyxel NAS device.

Mukashi first scans TCP port 23 of random hosts and attempts to brute-force the device login using default credentials. On a successful login, the Mukashi malware displays the message “Protecting your device from further infections” and binds to TCP port 23448 to ensure that only a single instance of the malware runs on the compromised system.

Researchers at Palo Alto Networks found that Mukashi is also capable of launching DDoS attacks from the compromised system when it receives the corresponding command from its C2 server. They said, “Mirai’s and its variants’ DDoS attack mechanics (e.g., UDP, TCP, UDP bypass, and TCP bypass) have already been analyzed in-depth, and Mukashi’s DDoS capabilities are no different from these variants. The presence of DDoS defense bypass confirms our speculation from earlier that Mukashi includes certain capabilities from the dvrhelper variant — Mukashi also possesses the anti-DDoS-defense capabilities.”


Threat Summary

Name: Mukashi
Threat type: Malware, botnet, further capable of launching DDoS attacks
Default passwords used for credential brute-force attack: t0talc0ntr0l4! and taZz@23495859
C2 server: 45[.]84[.]196[.]75:4864
C2 commands supported by Mukashi: PING, scanner, .udpplain, .tcp, .killallbots, killer, .udp, .udpbypass, .tcpbypass, .udprand, .udphex, .http
Affected products:
  • NAS326 before firmware V5.21(AAZF.7)C0
  • NAS520 before firmware V5.21(AASZ.3)C0
  • NAS540 before firmware V5.21(AATB.4)C0
  • NAS542 before firmware V5.21(ABAG.4)C0
Firmware updates available for: NAS326, NAS520, NAS540, and NAS542
Affected models with end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
Recommended measures:
  • Update the firmware immediately, as per the information above.
  • The latest version of the firmware is available for download.
  • Change default login credentials and use complex or difficult login passwords for any device to avoid brute-force attacks.
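
An added example (not from the original article or from Palo Alto Networks): a triage pass over flow records that flags the two network behaviours described above, telnet fan-out on TCP port 23 and contact with the C2 address from the Threat Summary. The record format, the sample addresses and the fan-out threshold of 20 are assumptions made for this example.

```python
from collections import defaultdict

C2_DEFANGED = "45[.]84[.]196[.]75:4864"  # C2 server as printed in the Threat Summary
TELNET_PORT = 23
FANOUT_THRESHOLD = 20  # assumption: distinct telnet targets before a source counts as scanning


def refang(indicator):
    """Convert a defanged 'a[.]b[.]c[.]d:port' indicator into an (ip, port) tuple."""
    ip, port = indicator.replace("[.]", ".").rsplit(":", 1)
    return ip, int(port)


def triage(flow_lines):
    """Map each source host to its sorted findings: 'c2-contact' and/or 'telnet-scan'."""
    c2 = refang(C2_DEFANGED)
    findings = defaultdict(set)
    telnet_targets = defaultdict(set)
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 5 or fields[4].lower() != "tcp":
            continue  # skip blank, malformed or non-TCP records
        src, _sport, dst, dport, _proto = fields
        if not dport.isdigit():
            continue
        if (dst, int(dport)) == c2:
            findings[src].add("c2-contact")
        if int(dport) == TELNET_PORT:
            telnet_targets[src].add(dst)
    for src, targets in telnet_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings[src].add("telnet-scan")
    return {src: sorted(found) for src, found in findings.items()}


# Constructed sample records: "src_ip src_port dst_ip dst_port proto" (hypothetical format).
C2_IP, C2_PORT = refang(C2_DEFANGED)
SAMPLE_FLOWS = (
    # a NAS probing 25 distinct hosts on telnet, then contacting the C2
    [f"192.168.1.50 {40000 + i} 198.51.100.{i} 23 tcp" for i in range(1, 26)]
    + [f"192.168.1.50 51000 {C2_IP} {C2_PORT} tcp",
       f"192.168.1.60 51001 {C2_IP} {C2_PORT} tcp",   # C2 contact only
       "192.168.1.20 51002 192.168.1.1 23 tcp",        # one admin telnet session
       "192.168.1.20 51003 192.0.2.10 53 udp"]         # non-TCP, ignored
)

if __name__ == "__main__":
    for host, found in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, ", ".join(found))
```

A host flagged with both findings matches the scan-then-report pattern the article describes and is the first candidate for isolation and a firmware check.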

Indicators of Compromise (IOCs)

File (Sha256)
