{
  "name": "New Aquabot Variant Targeting Mitel SIP Phones",
  "slug": "new-aquabot-variant-targeting-mitel-sip-phones",
  "description": "A new variant of the Mirai-based malware, Aquabot, dubbed Aquabotv3, is actively exploiting Mitel SIP phones through CVE-2024-41710. This variant introduces a novel feature for Mirai-based botnets: reporting back to the command and control server when kill signals are caught on infected devices. The malware spreads through various vulnerabilities, including Hadoop YARN, and targets IoT devices. It's being advertised as a DDoS-as-a-service on platforms like Telegram. The botnet's unique signal handling could be used to observe defensive activities or detect disruptions from competing botnets.",
  "published": "2025-01-29T11:20:55+00:00",
  "created_at": "2025-01-29T11:20:55+00:00",
  "modified_at": "2025-01-29T12:04:45+00:00",
  "created_at_opencti": "2025-01-29T11:20:55+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-29",
    "CVE-2018-10561",
    "CVE-2018-10562",
    "CVE-2018-17532",
    "CVE-2022-31137",
    "CVE-2023-26801",
    "CVE-2024-41710",
    "aquabot",
    "aquabotv3",
    "botnet",
    "ddos",
    "iot",
    "mirai"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.92.243.233"
      },
      {
        "id": "",
        "name": "89.190.156.145"
      },
      {
        "id": "",
        "name": "213.130.144.69"
      },
      {
        "id": "",
        "name": "193.200.78.57"
      },
      {
        "id": "",
        "name": "193.200.78.33"
      },
      {
        "id": "",
        "name": "154.216.16.109"
      },
      {
        "id": "",
        "name": "173.239.233.47"
      },
      {
        "id": "",
        "name": "173.239.233.46"
      },
      {
        "id": "",
        "name": "173.239.233.48"
      },
      {
        "id": "",
        "name": "141.98.11.175"
      },
      {
        "id": "",
        "name": "141.98.11.67"
      },
      {
        "id": "",
        "name": "http://server2.eye-network.ru/qkehusl"
      },
      {
        "id": "",
        "name": "http://server.eye-network.ru/vsbeps"
      },
      {
        "id": "",
        "name": "http://server.eye-network.ru/pdvr.sh"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/bin.sh"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.sh4"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.x86"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.mpsl"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.m68k"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.mips"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.arm7"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.arm6"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.arm5"
      },
      {
        "id": "",
        "name": "http://raw2.intenseapi.com/Aqua.arm"
      },
      {
        "id": "",
        "name": "http://files1.eye-network.ru/vsbeps"
      },
      {
        "id": "",
        "name": "http://193.200.78.57:33966"
      },
      {
        "id": "",
        "name": "server2.eye-network.ru"
      },
      {
        "id": "",
        "name": "server.eye-network.ru"
      },
      {
        "id": "",
        "name": "raw2.intenseapi.com"
      },
      {
        "id": "",
        "name": "files1.eye-network.ru"
      },
      {
        "id": "",
        "name": "2fserver.eye-network.ru"
      },
      {
        "id": "",
        "name": "theeyefirewall.su"
      },
      {
        "id": "",
        "name": "fuerer-net.ru"
      },
      {
        "id": "",
        "name": "eye-network.ru"
      },
      {
        "id": "",
        "name": "dogmuncher.xyz"
      },
      {
        "id": "",
        "name": "cloudboats.vip"
      },
      {
        "id": "",
        "name": "awaken-network.net"
      },
      {
        "id": "",
        "name": "cardiacpure.ru"
      },
      {
        "id": "",
        "name": "Malicious_Malware_IOCs"
      },
      {
        "id": "",
        "name": "e06c3f5c32aaa422e66056290eb566065afe2ce611fe019f3ba804af939ac1a3"
      },
      {
        "id": "",
        "name": "b5d1cf8b222162567f46281e792145774689c205701a02f3723cf6fb13a429de"
      },
      {
        "id": "",
        "name": "b41e29e745b69f3e8c11d105e7e050fd9e08ff1e22efd97fd4c239a9095d708b"
      },
      {
        "id": "",
        "name": "6a070dc9614dbb9a76092258fdc8bd758f69126c73787dc7d2af9aebd436e7ec"
      },
      {
        "id": "",
        "name": "597b84ba23e16b24ec17288981bbf65c84b6ba3bb07df6620378a1907692fb86"
      },
      {
        "id": "",
        "name": "1e74bcd24e30947bd14cef6731ca63f69df060ba3dcac88b2321171335a6e8ef"
      }
    ],
    "malware": [
      {
        "id": "4b80d0ca-118e-4a3e-80b3-63dd0c01b1a6",
        "name": "Aquabot",
        "slug": "aquabot"
      }
    ],
    "intrusion_sets": [
      {
        "id": "28e83e0e-01c4-411d-83b1-b54a36b6a88c",
        "name": "Aquabot",
        "slug": "aquabot"
      }
    ],
    "attack_patterns": [
      {
        "id": "4b9c2b12-37c3-4b52-a1fb-fcd8c20df2dc",
        "name": "T1574.006"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "306ee8dc-1d64-4916-96be-18060d690ad7",
        "name": "T1499"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/679a1d27e031cf6d34f669e5"
  ]
}