Researchers from Qihoo 360 Netlab have reported that a new variant of the Mirai malware has appeared, infecting vulnerable ZyXEL devices and adding them to the botnet.
To infect devices, the malware uses their default credentials: admin/CenturyL1nk and admin/QwestM0dem.
Starting on November 22, Netlab researchers observed, in addition to mass attempts to access devices using the above credentials, a sharp increase in network traffic on Telnet ports 23 and 2323. The use of this network protocol is a characteristic feature of Mirai.
Most identified sources of scanning requests – almost 100,000 IP addresses – are located in Argentina. This could mean that the malware was used to attack specific Argentinian companies. However, at this time, there is no information as to whether this activity has led to any network failures. By November 28, the command-and control servers had been successfully blocked.
Source: Qihoo 360 Netlab