Attackers leverage Tor network to operate C2 servers of Mirai
- A new sample of the botnet was found using the Tor network in order to maintain anonymity.
- The new variant also contained 30 hard-coded IP addresses as C2 servers, a deviation from previous Mirai variants, which used one to four IP addresses.
Security researchers came across a new Mirai sample that used the popular Tor network to host its C2 servers. The sample was spotted by researchers from Trend Micro. The researchers believe that this may be a tactic to maintain anonymity as well as to prevent the C2 servers from being taken down after being reported by users. The Mirai sample also relied on random servers that acted as proxies.
The big picture
- In a recent blog, Trend Micro researchers share more details of the new Mirai sample. They found that the sample had 30 hard-coded IP addresses as C2 servers, unlike previous variants of Mirai.
- The new sample used the SOCKS5 protocol; the researchers found it was used to reach SOCKS proxies into the Tor network.
- Random servers were used as proxies and relayed information to a C2 server.
- The sample also scanned for random IP addresses with TCP ports 9527 and 34567. These are believed to be connected to IP cameras and Digital Video Recorders (DVRs).
- Apart from these features, it exhibited characteristics seen in previous Mirai variants, such as the use of XOR encryption and the same byte sequence.
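Two of the behaviours listed above are observable on the network: bursts of outbound connections to TCP ports 9527 and 34567, and SOCKS5 client handshakes toward proxies. The following detection logic is an added example written for this brief, not code from Trend Micro or from the report; the connection-log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample connection log (ts_seconds src dst dport); not from the report.
SAMPLE_LOG = """\
1 10.0.0.5 203.0.113.10 9527
2 10.0.0.5 203.0.113.11 9527
3 10.0.0.5 203.0.113.12 34567
4 10.0.0.5 203.0.113.13 34567
5 10.0.0.5 203.0.113.14 9527
6 10.0.0.7 203.0.113.20 443
7 10.0.0.7 203.0.113.20 443
"""

# Ports the sample scanned, associated with IP cameras and DVRs.
MIRAI_SCAN_PORTS = {9527, 34567}


def parse_log(text):
    """Parse 'ts src dst dport' lines into (int, str, str, int) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((int(ts), src, dst, int(dport)))
    return rows


def find_scanners(rows, window=60, min_targets=4):
    """Map each source that contacts >= min_targets distinct hosts on the
    DVR/camera ports within `window` seconds to the number of targets seen."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        if dport in MIRAI_SCAN_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over events
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload is a well-formed SOCKS5 client greeting (RFC 1928):
    VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 2 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods
```

Run over real flow records, `find_scanners` should be tuned so that legitimate NVR management traffic does not trip the threshold, and `is_socks5_greeting` only makes sense on the first client bytes of a flow to a port where no SOCKS proxy is expected.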
Trend Micro researchers suggest that IoT malware may increasingly rely on Tor going forward.
“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable,” wrote the researchers.