A new development shows a potential shift to using Mirai to target enterprises

Pierluigi Paganini March 19, 2019

PaloAlto Networks researchers discovered a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses.

Researchers at PaloAlto Networks spotted a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses.

Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.

mirai

Since the code of the Mirai botnet was leaked online many variants emerged in the threat landscape. SatoriMasutaWicked MiraiJenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

A variant discovered last year was leveraging an open-source project to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

The new Mirai variant targets embedded devices (i.e. routers, network storage devices, NVRs, and IP cameras) and leverages various exploits to hack them.

Experts observed attacks against WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both families of devices intended for use within business environments.

“In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs. Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises.” Palo Alto Networks notes

“The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,”

The malicious code was hosted at a compromised website in Colombia: an “Electronic security, integration and alarm monitoring” business.

Researchers discovered that the new Mirai variant uses a total of 27 exploits, 11 of them are new to the threat. The bot can also leverage a new set of credentials to use while carrying out brute force attacks.

The new malware implements the same encryption scheme characteristic of Mirai, it is also able to scan for vulnerable devices and launch HTTP Flood DDoS attacks.

The samples analyzed by the experts were fetching the same payload hosted at the same IP that had been hosting some Gafgyt samples just a few days before, and that these used the same name as the binaries fetched by the shell script.

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both.”
Palo Alto Networks concludes. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,”

Further details, including IoCs are reported in the analysis published by PaloAlto Networks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Mirai, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment