New Miori botnet has a unique protocol for C2 communication

Pierluigi Paganini July 12, 2019

A new variant of the Miori botnet implements a unique protocol to communicate with its command and control infrastructure.

A new variant of the Miori botnet uses a unique protocol to communicate with its C&C infrastructure, and it implements a protection mechanism that guards access to the login panel.

The Miori bot borrows its code from the dreaded Mirai malware. It first appeared on the threat landscape in late 2018, when it was spread by exploiting a ThinkPHP remote code execution vulnerability after the exploit code was made publicly available. The Miori bot targets poorly secured IoT devices that have SSH and Telnet services exposed online.

Previous Miori variants communicated with the C2 server using a binary-based protocol and displayed a login prompt to anyone who knew the server's IP address.

The current version uses a text-based protocol and implements a protection mechanism that drops the connection unless a specific string is provided. It also supports encrypted commands.

“When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods.” reads the analysis published by Trend Micro.

The message displayed after attempting to connect to the C&C console was “Fuck Off researcher!!”

The new Miori variant supports encrypted commands, and a client is allowed to stay connected to the command server only after sending the specific string.


The malicious code uses a simple substitution method to encrypt its commands; the researchers found the correspondence table used for decryption hard-coded in the malware.

While the malware waits for instructions, it also searches for vulnerable systems to compromise.

The Miori botnet, like other Mirai variants, is used to launch DDoS attacks; it supports both TCP and UDP flood attacks.

The malicious code also supports other additional commands for terminating the attack and for killing its process.

The analysis of the strings found in the sample revealed the URL of a site that offers the Miori bot's source code for sale. The authors are selling the source code for US$110.

“Regardless of the reason behind its design, the malware’s routine is generally similar to typical Mirai variants: infect vulnerable IoT devices and use them as platforms for launching a DDoS attack. These differences also emphasize the necessity of keeping up with evolving IoT malware in the future.” concludes Trend Micro.

“Users can reduce the impact of such schemes by applying the right patches and updates for their deployed devices. As this malware acts like a typical Mirai variant, making sure to change default credentials with tougher security in mind can reduce the possibility of unauthorized access and success of brute force attacks.”


Pierluigi Paganini

(SecurityAffairs – Miori Botnet, IoT)
