Experts at Trend Micro have discovered a new Mirai Botnet that uses a Command and Control hidden in the Tor Network, a choice that protects the anonymity of the operators and makes takedowns operated by law enforcement hard.
“Barely a month since discovering a new Miori variant, we found another new Mirai sample through our research.” reads the analysis published by Trend Micro. “Compared to previous variants, however, we found this sample distinct because the
The malware’s command center is hidden to make takedowns a more complicated process. Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.
Since the code of the Mirai was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG are just the last variants appeared online in 2018.
The new variant spotted by Trend Micro implements the same features as previous ones, it targets TCP ports 9527 and 34567, a circumstance that suggests its operators aim to target IP cameras and DVRs.
The configuration includes possible default credentials that can be used to infect other hosts.
The communication protocol implemented in this sample is the same as previous Mirai variants except for the use of the socks5 connection. Experts also identified a byte sequence indicative of a DDoS command sent from the C&C server via a UDP flood attack to target a specific IP address.
“Looking for related samples and information elsewhere for comparison, other open sources such as VirusTotal yielded a report of the same hash value from the same URL source, which was an open directory also hosting other samples for
Experts find this particular Mirai Botnet sample interesting for the deployment of the C&C server in Tor, likely to evade tracking of its IP address and avoiding being shut down by law enforcement. This is reminiscent of the BrickerBot
“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving
The presence of another distribution server and other samples designed for other device architectures possibly implies that these malicious actors intend to apply this operation in a larger scale. However, detection systems with signature and behavior-based mechanisms can still detect and block these malware intrusions.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Mirai botnet, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]