Pierluigi Paganini April 10, 2019

Palo Alto Networks researchers discovered a new variant of the Mirai malware that is targeting more processor architectures than previous ones.

Mirai botnet continues to be one of the most dangerous malware in the threat landscape, experts at Palo Alto Networks discovered a new variant that targets more processor architectures than before.

Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices. which allows it to attack a wider range of Internet of Things (IoT) devices,

Since the code of the Mirai botnet was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the last variants appeared online in 2018. A variant discovered last year was leveraging an open-source project to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

Samples recently discovered were compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.

“In late February 2019, Unit 42 discovered Mirai samples compiled for new processors/architectures not previously seen before.” reads the analysis published by Palo Alto Networks.

“Unit 42 has found the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.”

The innovations introduced in the latest version should rapidly increase the number of infections worldwide making the Mirai botnet even more dangerous.

In addition to the being compiled for these new architectures, experts pointed out that new samples also implement a new encryption algorithm that is a modified version of the standard byte-wise XOR used in the original Mirai source code.

“It uses 11 8-byte keys, all of which are cumulatively byte-wise XOR-ed to get the final resulting key.” continues the analysis.

The new samples also use a new “TCP SYN” DDoS attack option called
“attack_method_ovh.”

Experts discovered the new Mirai sample on a single IP that was exposing them via an open directory, but on February 22, 2019, attackers updated the server configuration to hide the file listing.

“Prior to the update on February 22, the same IP was hosting Mirai samples containing the following exploits known to be used in previous versions of Mirai. The presence of these exploits in both previous versions of Mirai and our newly discovered samples help show the tie between the two are likely used by the same attacker in this case. ” continues the analysis.

The exploits discovered by the experts targeted a ThinkPHP RCE flaw, a D-Link DSL2750B OS command injection flaw, an RCE in Netgear network devices, a flaw in Realtek in SOHO devices (CVE-2014-8361), and the Huawei router vulnerability tracked as CVE-2017-17215.

The improvements observed by the experts will expand the number of potential targets giving the attackers more DDoS firepower and posing a severe risk to the Internet infrastructure.

Further technical details, including Indicators of Compromise (IoCs) are included in the analysis published by Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – Mirai, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]