What is Masuta? Hacker Nexus Zeta behind Satori botnet creates new Mirai 'master' variant
The Masuta botnet uses a weaponised router exploit to recruit more vulnerable IoT devices and expand.
The hacker behind the Satori botnet, also known as Mirai Okiru, is involved in the creation of a new Mirai variant called Masuta, which means "master" in Japanese. The creator of Satori, who goes by the name Nexus Zeta, has also developed a variant of the Masuta botnet called PureMasuta. This version is considered to be unique because it weaponises a router exploit, allowing the botnet to recruit more vulnerable IoT devices and expand.
Researchers at NewSky Security were able to get their hands on Masuta's source code in an invite-only dark web forum, which led them to uncover the link between Satori and Masuta. In December, Nexus Zeta was found exploiting a zero-day flaw in Huawei routers to escalate Satori attacks. Earlier this month, the malware code for the Satori botnet was also released on Pastebin for free.
According to NewSky Security researchers, since September 2017, Masuta attacks have soared twelve-fold. The researchers found that both Masuta and PureMasuta share the same server, hinting that PureMasuta may be a more recent and evolved version of Masuta.
They also believe that the proof of concept of the weaponised exploit used by PureMasuta could be leveraged in attacks by other hackers as it is publicly available.
According to the researchers, although Nexus Zeta was not previously considered a very advanced hacker, their involvement in the creation of the Masuta botnet variants suggests they may be more skilled than previously thought.
"Nexus Zeta is not a one-hit wonder creator of Satori, but also has been involved in the creation of the Masuta botnet," NewSky Security researcher Ankit Anubhav said in a report.
"The continued evolution of the original IoT botnet, Mirai, is no surprise. Early reports of a new botnet variant, named 'Masuta', show how the initial Mirai simple password brute-force methods, which are still employed, are now being supplemented with more sophisticated vulnerability exploits," Sean Newman, Director of Product Management at Corero Network Security, told IBTimes UK.
"This progression is enabling a broader range of devices, from a wider range of more well-known vendors, to be recruited into botnets, ready to be exploited for various nefarious purposes, including DDoS attacks," Newman added.