Security researchers came across a new Mirai sample that used the popular Tor network to host its C2 servers. The sample was spotted by researchers from Trend Micro. The researchers believe this may be a tactic to maintain anonymity and to prevent the C2 servers from being taken down after being reported by users. The Mirai sample also relied on random servers that acted as proxies.
The big picture
Trend Micro researchers suggest that IoT malware may increasingly rely on Tor going forward.
“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable,” wrote the researchers.