Researchers at NewSky Security discovered Masuta, a malware family built from the Mirai source code and likely developed by the creator of Satori, known as "Nexus Zeta." A second version, dubbed PureMasuta, was created from Masuta; it leverages a flaw in the HNAP protocol in D-Link routers that was originally identified in 2015. If exploited, this flaw can allow remote actors to craft SOAP queries that bypass authentication and perform arbitrary code execution on vulnerable devices. According to NewSky Security, the Masuta and PureMasuta botnets share the same C2 server.
The NJCCIC recommends that users and administrators of affected D-Link routers review D-Link's Support Announcement, apply the appropriate patch, configure their routers’ built-in firewall or deploy a firewall at the carrier side, and change any default login credentials.
Reporting and Technical Details:
- January 2018: Masuta : Satori Creators’ Second Botnet Weaponizes A New Router Exploit (NewSky Security)
- January 2018: Satori Author Linked to New Mirai Variant Masuta (Threatpost)