Murdoc Botnet Threatens IoT Security Worldwide

Threat Group: Murdoc Botnet
Threat Type: Botnet / Malware
Exploited Vulnerabilities: CVE-2024-7029, CVE-2017-17215
Malware Used: Murdoc Botnet (a variant of Mirai)
Threat Score: High (8.7/10), due to its exploitation of IoT vulnerabilities and rapid global spread.
Last Threat Observation: January 2025


Overview

The Murdoc Botnet, a newly identified variant of the Mirai botnet, is actively exploiting vulnerabilities in AVTECH IP cameras and Huawei HG532 routers. This botnet is being used to compromise devices and build a network of infected systems for Distributed Denial of Service (DDoS) attacks. Recent incidents in January 2025 highlight the botnet’s increasing activity and potential for high-impact attacks. This report provides an in-depth analysis of the Murdoc Botnet’s operations, including its attack vectors, propagation methods, command and control (C&C) infrastructure, and its potential impact. Additionally, mitigation strategies are outlined to help organizations and individuals protect their devices and networks from this emerging threat.


Key Details

Delivery Method:
Murdoc Botnet exploits IoT device vulnerabilities, particularly targeting devices with outdated firmware or default credentials.

Target:
The botnet targets IoT devices, specifically AVTECH cameras and Huawei HG532 routers.

Functions:

  • Exploits CVE-2024-7029 for command injection in AVTECH cameras.
  • Exploits CVE-2017-17215 for remote code execution in Huawei HG532 routers.
  • Propagates using ELF files and shell scripts.
  • Establishes robust C&C communication with over 100 servers.
  • Executes stealth techniques by deleting payloads post-infection.

Obfuscation:
Deletes payload files after deployment to evade detection.


Attack Vectors

Murdoc Botnet leverages the following vulnerabilities:

Vulnerability: CVE-2024-7029
Affected Device: AVTECH IP Cameras
Description: Command injection vulnerability exploited via Base64-encoded commands in the CGI script /cgi-bin/supervisor/Factory.cgi.

Vulnerability: CVE-2017-17215
Affected Device: Huawei HG532 Routers
Description: Remote code execution vulnerability that has been used extensively by Mirai variants.
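The following is an added defender-side example, not part of this advisory: it scans web-access-style log lines for requests to the AVTECH CGI path named above whose query values Base64-decode to shell-like text, which is the pattern a monitoring rule for CVE-2024-7029 attempts would look for. The log lines, the source addresses and the parameter name "action" are constructed placeholders, not values from the advisory.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# CGI script path named in the advisory for CVE-2024-7029 (AVTECH IP cameras).
SUSPECT_PATH = "/cgi-bin/supervisor/Factory.cgi"
# Shell fragments typical of decoded injection payloads; extend for your environment.
SHELL_HINTS = re.compile(r"(;|\|\||&&|\$\(|`|\bsh\b|\bwget\b|\bcurl\b|/tmp/)")
# Common-log-format request line: client IP, timestamp, "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_b64(value):
    """Return the decoded text if value is valid Base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def inspect_line(line):
    """Return a finding for a Factory.cgi request carrying a Base64 shell command, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != SUSPECT_PATH:
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_b64(value)
        if decoded and SHELL_HINTS.search(decoded):
            return {"src": m.group("ip"), "param": key,
                    "decoded": decoded, "status": m.group("status")}
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log lines (placeholder addresses and parameter name, not advisory IoCs).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2025:10:01:02 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=Y2QgL3RtcDsgc2ggeC5zaA== HTTP/1.1" 200 12',
    '198.51.100.9 - - [20/Jan/2025:10:01:05 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=c3RhdHVz HTTP/1.1" 200 12',
    '192.0.2.4 - - [20/Jan/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the first sample line is flagged: the second hits the same path but its value decodes to a benign word, so the shell-fragment check keeps it out of the findings.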

Known Indicators of Compromise (IoCs)

IPv4 Addresses:

CVE
CVE-2017-17215
CVE-2024-7029

FileHash-MD5

FileHash-SHA1

FileHash-SHA256


Mitigation and Prevention

  1. User Awareness: Regularly educate users about IoT security best practices.
  2. Email Filtering: Block email attachments containing ELF or shell scripts.
  3. Antivirus Protection: Use updated antivirus software to detect and block malicious scripts.
  4. Two-Factor Authentication (2FA): Enable 2FA for device and network access.
  5. Monitor Logs: Implement network monitoring tools to detect unusual traffic patterns.
  6. Regular Updates: Apply firmware and security patches to all IoT devices.
  7. Change Default Credentials: Use strong and unique passwords for all devices.
  8. Disable UPnP: Turn off Universal Plug and Play (UPnP) on routers unless absolutely necessary.

Risk Assessment

The Murdoc Botnet poses significant risks, including:

  • Service Disruption: DDoS attacks causing service outages.
  • Data Breaches: Compromised devices serving as entry points for further attacks.
  • Financial Losses: Recovery costs, lost revenue, and reputational damage.
  • Evolving Threat: Continuous updates to the botnet’s capabilities, allowing for increased scale and efficiency of attacks.

Conclusion

The Murdoc Botnet represents an evolving and dangerous threat in the IoT landscape. Leveraging known vulnerabilities, it demonstrates the critical need for robust security practices in managing IoT devices. Recent events in January 2025 highlight its potential for high-impact DDoS attacks, including record-breaking volumes. By understanding its attack vectors and propagation mechanisms, and by implementing proactive measures, organizations and individuals can significantly reduce the risks associated with this botnet. Vigilance and prompt action are essential to safeguard against this and similar threats.


Sources