The ELEVEN11 botnet, a Mirai variant, has been identified as the culprit behind a significant DDoS attack that disrupted X/Twitter for 1-2 days. This botnet has compromised around 400,000 devices globally, with 80,000 located in the U.S. The primary targets are TVT-NVMS-9000/RST recorders, exploiting control ports such as 1700, 6036, and 17001. The botnet leverages a TCP payload to query sensitive credentials and hardware versions, specifically using the `queryBasicCfg` command.
You Should Know:

- Exploited Commands in NVMS-9000:
  - `queryBasicCfg`: queries user credentials and hardware version.
  - `queryEmailCfg`: retrieves SMTP configuration.
  - `queryUserList`: fetches all user credentials in clear text.
  - `queryPPPoECfg`: obtains PPPoE configuration.

- YARA Rule for Detection:

```yara
rule Mirai_ELEVEN11_NVMS9000 {
    meta:
        description = "Detects Mirai variant targeting NVMS-9000 devices"
        author = "Subnettoar"
        date = "2024-05-01"
    strings:
        $s1 = "head[...]1111"
        $s2 = "head[...]11111111"
        $s3 = "<request version=\"1.0\" systemType=\"NVMS-9000\" clientType=\"WEB\" url=\"queryBasicCfg\"/>"
    condition:
        any of them
}
```

- Shodan Dork:

```
"head" "1111" Port:1700,6036,17001,9000,8000
```

- Greynoise Dork:

```
raw_data.web.useragents:"curl/7.88.1" tags:"TVT NVMS9000 Information Disclosure Attempt" classification:malicious
```

- Malware Hosting IP:

```
193.143.1.63:80
```
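The indicators above (the NVMS-9000 XML request envelope from the YARA rule, the `query*` commands, the recorder control ports, the `"head" "1111"` banner pattern and the hosting IP) can be turned into a small triage filter for your own connection logs. The following is an added example written for this post, not code from the original author, Subnettoar or any vendor; the log line format (`src= dst= dport= payload=`) is a constructed, hypothetical sensor format, and the sample traffic uses documentation IP ranges apart from the hosting IP quoted above.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the post; everything else in this file is a
# constructed example, not the post author's or any vendor's code.
CONTROL_PORTS = {1700, 6036, 17001, 9000, 8000}
MALWARE_HOST_IP = "193.143.1.63"
QUERY_COMMANDS = {"queryBasicCfg", "queryEmailCfg", "queryUserList", "queryPPPoECfg"}

# NVMS-9000 XML request envelope matched by the YARA rule's $s3 string;
# the url attribute names the command being issued.
REQUEST_RE = re.compile(
    r'<request\s+version="1\.0"\s+systemType="NVMS-9000"\s+clientType="WEB"'
    r'\s+url="(?P<cmd>[A-Za-z0-9_]+)"\s*/>'
)

# Hypothetical log line format used by this example:
#   src=<ip> dst=<ip> dport=<port> payload=<first bytes of the TCP payload>
LINE_RE = re.compile(r'src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+payload=(.*)$')


@dataclass
class Event:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str


@dataclass
class Verdict:
    event: Event
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str):
    """Parse one constructed log line into an Event, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m.group(1), m.group(2), int(m.group(3)), m.group(4))


def assess(ev: Event) -> Verdict:
    """Apply the post's indicators to a single event and collect the reasons."""
    v = Verdict(ev)
    req = REQUEST_RE.search(ev.payload)
    if req:
        cmd = req.group("cmd")
        if cmd in QUERY_COMMANDS:
            v.reasons.append(f"nvms9000-query:{cmd}")      # credential/config query
        else:
            v.reasons.append(f"nvms9000-request:{cmd}")    # other WEB request
    # Loose approximation of the Shodan dork ("head" and "1111" in the banner)
    # arriving on a recorder control port: a probe worth a second look.
    if ev.dst_port in CONTROL_PORTS and "head" in ev.payload and "1111" in ev.payload:
        v.reasons.append(f"control-port-banner-probe:{ev.dst_port}")
    # Any flow touching the hosting IP named in the post, in either direction:
    # egress from an already-compromised device, or an inbound probe.
    if MALWARE_HOST_IP in (ev.src_ip, ev.dst_ip):
        v.reasons.append(f"known-malware-host:{MALWARE_HOST_IP}")
    return v


def scan(lines):
    """Return (line_number, reasons) for every suspicious line, 1-indexed."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, not flagged
        verdict = assess(ev)
        if verdict.suspicious:
            hits.append((n, verdict.reasons))
    return hits


# Constructed sample traffic (documentation ranges, plus the hosting IP from the post).
SAMPLE_LOG = [
    'src=203.0.113.7 dst=192.0.2.10 dport=1700 payload=<request version="1.0" systemType="NVMS-9000" clientType="WEB" url="queryBasicCfg"/>',
    'src=198.51.100.4 dst=192.0.2.10 dport=443 payload=GET /index.html HTTP/1.1',
    'src=192.0.2.10 dst=193.143.1.63 dport=80 payload=GET / HTTP/1.1',
    'src=203.0.113.9 dst=192.0.2.10 dport=6036 payload=head 1111',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

The third sample line is the one the inbound `iptables -A INPUT` rule further down would not stop: it is the recorder itself connecting out to the hosting IP, so an egress rule on the OUTPUT (or FORWARD) chain, or a block on the perimeter firewall, is what actually cuts that flow; the detector flags the IP in either direction for that reason.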
Commands to Mitigate:

- Linux:

```bash
# Block malicious IPs
sudo iptables -A INPUT -s 193.143.1.63 -j DROP
# Monitor suspicious ports
sudo netstat -tuln | grep -E '1700|6036|17001|9000|8000'
# Check for unusual processes (-E so that '|' is alternation, not a literal)
ps aux | grep -iE 'curl|wget'
```

- Windows:

```powershell
# Block IP using Windows Firewall
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -Action Block -RemoteAddress 193.143.1.63
# Check open ports
netstat -an | findstr "1700 6036 17001 9000 8000"
# Monitor processes
Get-Process | Where-Object { $_.ProcessName -match 'curl|wget' }
```

What Undercode Say:
The ELEVEN11 botnet is a stark reminder of the persistent threat posed by Mirai variants. Organizations must remain vigilant, regularly update their firmware, and monitor network traffic for unusual patterns. Implementing robust firewall rules and intrusion detection systems can help mitigate such threats. Additionally, staying informed about the latest vulnerabilities and patches is crucial in defending against sophisticated botnets.
Reported By: Reybencortes 80k – Hackers Feeds