Alert! Mirai Botnet is Active and So are its Dozen Other Variants

Sadly, variants continue to grow

• Ever since the release of the source code by the authors of Mirai, threat actors have been stirring up a lot of attacks by creating their own flavors of IoT botnet armies.
• Although new features and exploits have been constantly added by various threat actors, the structure and goal of the campaigns remain the same.

Assessing Mirai’s prominence

• Fortinet researchers came across many interesting aspects during the course of tracking the activities of IoT botnets.
• A fresh honeypot system used for the purpose was found receiving around 200 attacks per day, summing to nearly 4,700 attacks in just three weeks.
• Some 4,000 of those attacks were linked with Mirai variants.
• Based on the attacks, the top variants used were Hajime, SYLVEON, Kyton, PEDO, DNXFCOW, SORA, Cult, BOTNET, OWARI, and Ecchi.
• Aside from the honeypot, the researchers also found MANGA, a variant of Mirai, actively updating exploit vectors to its list.
• Some of the exploits are for the vulnerabilities found in OptiLink ONT1GEW GPON, Cisco HyperFlex, and Tenda router.

That’s not all

• According to AT&T Alien Labs, there has been a spike in activity from another Mirai variant, Moobot.
• It turns out that it was being pushed out from a new cyber-underground malware domain, known as Cyberium, which has been anchoring a large amount of Mirai variant activity.
• Researchers observed that Moobot is actively scanning for a remote code execution vulnerability in Tenda routers.
• One of the main characteristics of Moobot is a hardcoded string that is used multiple times in code, such as generating the process name to be used while execution.

Conclusion