Variation of Mirai DDoS Malware Broadens Target Scope with 13 Router Vulnerabilities

A botnet-driven DDoS malware, known as IZ1H9 and based on Mirai, has incorporated thirteen new exploits to target Linux-based routers and routers from manufacturers like D-Link, Zyxel, TP-Link, TOTOLINK, and others.

Researchers have noted a surge in exploitation attempts, particularly during the first week of September, with tens of thousands of devices being targeted by IZ1H9.

IZ1H9 infects devices, adding them to its DDoS network, and then carries out DDoS attacks on specified targets, likely at the behest of clients who rent its attack capabilities.

The inclusion of more devices and vulnerabilities amplifies the potential for creating a substantial and potent botnet capable of launching devastating attacks on websites. After exploiting known vulnerabilities (CVEs), IZ1H9 injects a payload into the targeted device, which includes a command to download a shell script called “” from a specific URL.

Upon execution, the script erases logs to conceal malicious activity and retrieves bot clients tailored for different system architectures. Additionally, the script alters the device’s iptables rules to block connections on specific ports, making it more challenging to remove the malware.

Following these steps, the bot establishes communication with the command and control (C2) server, awaiting further instructions. Supported commands relate to the type of DDoS attack to launch, encompassing UDP, UDP Plain, HTTP Flood, and TCP SYN.

IZ1H9 includes a data section with preset credentials for use in brute-force attacks. These attacks can aid in spreading to adjacent devices or gaining access to IoT devices lacking a known exploit.

IoT device owners are advised to employ strong administrative credentials, keep their devices updated with the latest firmware, and limit public internet exposure where possible.