Discovered in 2017, Imeij, also known as ELF_IMEIJ.A, is a type of Linux ARM malware that exploits an authenticated command injection vulnerability present in internet-connected devices produced by Taiwanese vendor, AVTech. Imeij sends requests for information (RFIs) to random IP addresses to locate devices with unsecured cgi-bin scripts, an AVTech CGI Directory vulnerability present in CloudSetup.cgi. Once a vulnerable device is found, Imeij tricks it into downloading a malicious file and changes the file’s permissions in order to execute it locally on the device. Once executed, the malware gathers system and network activity information. Capabilities of Imeij include executing shell commands, conducting DDoS attacks, and terminating itself. Imeij operates on port 39999 and currently has the potential to impact 130,000 different internet-connected AVTech devices.

Search-Lab researchers discovered this vulnerability in October 2016 and attempted to notify AVTech; however, after several failed attempts, the researchers decided to release the information about this and 13 other vulnerabilities publicly. Five months after the release, the Imeij malware was configured to exploit one of the vulnerabilities. To prevent infection, the NJCCIC recommends disabling port 39999 or discontinuing use of internet-connected AVTech devices.

Reporting and Technical Details

  • October 2016: AVtech Devices Multiple Vulnerabilities (Search-Lab)
  • March 2017: Imeij Botnet Malware Targets IoT Cameras (Silicon)
  • March 2017: New Linux Malware Exploits CGI Vulnerability (Trend Micro)