Security experts at the antivirus firm Dr.Web discovered a new strain of the Mirai bot targeting more ports, and it is a Windows version of the popular IoT malware.
The Windows version of the Mirai bot was being used by some criminals to infect IoT devices and carry out DDoS attacks through the spreading of the Mirai Linux malware.
“One of the recent developments on the Mirai malware front was discovered by Russian cyber-security firm Dr.Web, whose experts came across a Windows trojan built with the sole purpose of helping Mirai spread to even more devices” wrote BleepingComputes.com.
The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.
It infected thousands of routers and IoT devices, including DVRs and CCTV system). When the Mirai bot infects a device, it chooses random IPs and attempts to log via the Telnet and SSH port using a list of admin credentials.
Back to the present, the researchers from Dr. Web dubbed the threat Trojan.Mirai.1.
“A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.” states Dr. Web.
“When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports.”
Unlike the original Mirai Linux malware, Trojan.Mirai.1 scans more ports.
“The Trojan can address the following ports:
* 22 * 23 * 135 * 445 * 1433 * 3306 * 3389
When the Trojan.Mirai.1 succeeds infecting a new device, if the device runs the Linux OS, it executes a series of commands, which end up with the creation of a new DDoS Mirai bot. Instead, if the device that has been infected is is running the Windows OS, it releases a copy of itself.
“It also creates DBMS user with login Mssqla and password Bus3456#qwein, grants him sysadmin privileges. Acting under the name of this user and with the help of SQL server event service, various tasks are executed.” continues the analysis.
“The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.”
Below some Trojan.Mirai.1’s hash in SHA1:
Written by: @GranetMan
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Mirai bot, IoT)
[adrotate banner=”13″]
On the second day of Pwn2Own Ireland 2024, researchers demonstrated an exploit for the Samsung…
Cisco patched vulnerabilities in ASA, FMC, and FTD products, including one actively exploited in a…
The "FortiJump" flaw (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, impacting over…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiManager flaw to its Known Exploited…
Resecurity reports a rise in political content related to the 2024 US elections on social…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft SharePoint flaw to its Known Exploited…
This website uses cookies.