Malware

A new Cross-Platform Mirai Variant appeared in the wild

A new cross-platform Mirai variant appeared in the threat landscape, this one has been created using an open-source project.

Security experts from Symantec have spotted a new cross-platform Mirai variant that has been created with an open-source project.

Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.

Since the code of the Mirai botnet was leaked online many variants emerged in the threat landscape. SatoriMasutaWicked MiraiJenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

Now, researchers from Symantec have discovered a Mirai variant that could target multiple platforms, the sample they analyzed has been built using the open-source project called Aboriginal Linux.

The new variant could be easily used to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

“While this is similar behavior to the Mirai variants we’ve seen so far, what makes it interesting is the compiled binary. These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof.” reads the analysis published by Symantec.

“It should be noted that there is nothing malicious or wrong with this open-source project, the malware authors are once again leveraging legitimate tools to supplement their creations, this time with an effective cross compilation solution.”

The author of the new Mirai variant chose Aboriginal Linux to allow the easy compilation of the code that could be used to target a variety of devices, including routers, IP cameras, and Android devices.

“Given that the existing code base is combined with an elegant cross-compilation framework, the resultant malware variants are more robust and compatible with multiple architectures and devices, making it executable on a wide variety of devices ranging from routers, IP cameras, connected devices, and even Android devices.” continues Symantec.

According to the experts, as many other Mirai infections, it starts with a shell script on a vulnerable device. That shell script is used to attempt to download and execute individual executables until it finds an architecture compliant its code.

Once the Mirai bot has infected the system, it will attempt to spread to devices with default credentials or vulnerabilities. The Symantec researcher executed the sample in a contained environment and observed it attempting to scan more than 500,000 IP addresses generated through the random generation process.

“The remainder of the malware’s functionalities are consistent with known Mirai behavior. For example, when I executed the sample in a contained environment, it attempted to scan more than 500,000 IP addresses generated through the random generation process previously described, and then tried to send raw packet data over port 23.” continues the report.

This last variant demonstrates the abilities of malware authors that can leverage legitimate open-source software to improve their malicious codes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mirai Variant, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

7 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

18 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

22 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

2 days ago

This website uses cookies.