New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina

New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina

Newest, researchers discerned an improvement in traffic scanning ports 2323 and  IP addresses from Argentina in shorter than a day.

While tracking botnet motion on their honeypot traffic, safety researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new variant of Mirai—the well known IoT botnet malware that wreaked havoc last year.

These targeted port scans are actively scanning for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations admin/CentryL1nk and admin/QwestM0dem—to gain root privileges on the targeted devices.

Researchers continue the aforementioned permanent battle is part of a new Mirai variant that has been upgraded to exploit a newly released vulnerability (identified as CVE-2016-10401) in ZyXEL PK5001Z modems.

“ZyXEL PK5001Z devices have zyad 5001 as the superuser password, which makes it easier for remote attackers to obtain root access if a non-root ac password is known the vulnerability description reads.

Mirai is the equivalent IoT botnet malware that hit better Internet companies offline last year by launching massive DDoS attacks against Dyndns, crippling some of the world’s biggest websites, including Twitter, Netflix, Amazon, Slack, and Spotify.



Mirai-based attacks encountered sudden appearance after someone openly released its source code in October 2016. Currently, there are several variants of the Mirai botnet attacking IoT devices.

The special warning of having the source code of any malware in public is that it could allow attackers to upgrade it with newly disclosed exploits according to their needs and targets.

“For an attacker that finds a new IoT vulnerability, it would be easy to incorporate it into the already existing Mirai code, thus releasing a new variant,” Dima Beckerman, a security researcher at Imperva, told The Hacker News.

“Mirai spread itself using default IoT devices credentials. The new variant adds many devices to this list. But, we can’t know for sure what other changes were implemented into the code. In the future, we might witness some new attack methods by Mirai variants.”

That is not the very first time when the Mirai botnet targeted internet-connected devices manufactured by ZyXEL. Specifically, a year ago, millions of Zyxel routers were found vulnerable to a critical remote code execution flaw, which was exploited by Mirai.

Secure Your (Easily Hackable) Internet-Connected Devices

1. Change Default Passwords for your connected devices: If you own any internet-connected device at home or work, change its default credentials. Hold in mind; Mirai malware scans for default settings.

2. Disable Remote Management through Telnet: Go into your router’s settings and disable remote management protocol, specifically through Telnet, as this is a protocol used to allow one computer to control another from a remote location. It should be also used in previous Mirai attacks.

3. Check Software Updates: Last but not least—always keep your internet-connected devices and routers up-to-date with the latest firmware updates and patches

One thought on “New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina”

Leave a Reply

Your email address will not be published. Required fields are marked *