Spawn of Demonbot Attacks IoT Devices


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Threat researchers have spotted a new kind of cyber-attack that uses a variant of Mirai malware to target a port used by IoT devices.

The attack, orchestrated by someone using the alias "Priority," was detected by a team at Juniper Threat Labs. Priority appears to have been up to no good since September 10.

Researchers noted that this new malicious kid on the block is hitting port 60001 using the Demonbot variant of Mirai together with a second variant developed by Scarface.

Port 60001 is a common port used by IoT devices, most notably the Defeway cameras, which make up over 90% of all cameras using this port. These cameras are being installed within networks with no password protection.

"While the users feel they are simply giving themselves access to view their camera from anywhere, it is actually giving attackers the ability to install botnets, such as Mirai, on the device," said Juniper's Jesse Lands.

Priority has been observed attacking ports 5500, 5501, 5502, 5050, and 60001 with a simple command that leverages the MVPower DVR Shell Unauthenticated Command Execution, reported by Unit 42 as part of the Omni Botnet variant of Mirai.