A recent wave of unknown malware binaries led Avira security researchers to a new variant of the Mirai botnet. Named Katana, the botnet is still under development but already carries several advanced modules that make it a dangerous threat.
A quick analysis of Katana
Since Mirai's source code was leaked in 2016, it has been easy to obtain and is even sold through YouTube channels such as VegaSec, allowing inexperienced hackers to build their own botnets.
- Although the botnet is still in the testing and development phase, it already has several advanced capabilities, including layer 7 DDoS, a different encryption key for each source, fast self-replication, and secure C&C communication.
- Katana also retains several classic Mirai features, such as ensuring only a single instance runs, using a random process name, and tampering with the watchdog to prevent the device from rebooting.
- Katana has been seen actively infecting hundreds of devices by exploiting old security vulnerabilities in D-Link, GPON, and Linksys routers.
Recent Mirai-based malware attacks
Attackers have repeatedly built on the leaked Mirai code to produce more advanced variants and launch new attack campaigns with them.
- In early October, an actor using the handle Priority adapted the Mirai source into their own variants, Demonbot and Scarface, which target a Hadoop YARN exploit and a DVR exploit, respectively.
- In September, a campaign exploiting the vBulletin pre-auth RCE vulnerability (CVE-2020-17496) was observed downloading the Mirai variant Sora from the attacker's server.
- In July, attackers used the Mirai IoT botnet downloader detected as Trojan.SH.MIRAI.BOI to scan for exposed F5 BIG-IP appliances, break in, and deliver the malicious payload.
The continued adoption and evolution of the Mirai source code against new targets keeps raising the risk that such malware advances further. Experts therefore recommend that users take extra care with IoT devices: replace default passwords and install the latest firmware updates.
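The advice above (no default passwords, patched firmware) maps directly onto how classic Mirai spreads: its scanner SYN-probes telnet on ports 23 and 2323 and tries a short hard-coded username/password list against whatever answers. The script below is an added example, not code from Avira or from this article, that audits a device inventory for exactly that exposure. The credential pairs are a subset of the table in the leaked Mirai scanner source (bot/scanner.c); the `Device` inventory, the `assess`/`audit` helpers and the severity scale are assumptions made for the example, and the sample devices are constructed, not real.

```python
"""Audit an IoT device inventory for exposure to Mirai-style telnet brute forcing."""
from dataclasses import dataclass, field

# Subset of the username/password pairs hard-coded in the leaked Mirai scanner
# (bot/scanner.c). Mirai tries these against every host answering on 23/2323,
# so a device still using one is taken over shortly after it becomes reachable.
MIRAI_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "dreambox"), ("root", "realtek"), ("root", "00000000"),
    ("admin", "1234"), ("admin", "12345"), ("admin", "54321"), ("admin", "123456"),
    ("admin", "7ujMko0admin"), ("admin", "pass"), ("admin", "meinsm"), ("tech", "tech"),
}

# Ports the Mirai scanner probes: 23 for most SYNs, 2323 for about one in ten.
MIRAI_SCAN_PORTS = {23, 2323}


@dataclass
class Device:
    """One inventory entry (hypothetical schema for this example)."""
    name: str
    open_ports: set
    username: str
    password: str
    internet_facing: bool = True


@dataclass
class Finding:
    device: str
    severity: str
    reasons: list = field(default_factory=list)


def assess(device: Device) -> Finding:
    """Rate one device on the two things Mirai's scanner needs: a reachable
    telnet service and a credential from its dictionary."""
    reasons = []
    scan_hits = device.open_ports & MIRAI_SCAN_PORTS
    telnet_open = bool(scan_hits)
    weak_cred = (device.username, device.password) in MIRAI_CREDENTIALS
    if telnet_open:
        reasons.append(f"telnet reachable on {sorted(scan_hits)}")
    if weak_cred:
        shown = device.password or "(blank)"
        reasons.append(f"credential {device.username}:{shown} is in Mirai's dictionary")
    if telnet_open and weak_cred and device.internet_facing:
        severity = "critical"   # directly brute-forceable from the internet
    elif telnet_open and weak_cred:
        severity = "high"       # one already-infected LAN host away from takeover
    elif telnet_open or weak_cred:
        severity = "medium"     # one of the two preconditions is present
    else:
        severity = "ok"
    return Finding(device.name, severity, reasons)


def audit(devices):
    """Assess every device and return findings keyed by device name."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Device("cam-lobby", {23, 80}, "root", "xc3511"),
    Device("dvr-backroom", {2323, 554}, "admin", "admin", internet_facing=False),
    Device("router-edge", {22, 443}, "admin", "admin"),
    Device("nas-office", {22, 445}, "svc_backup", "Tq8!vR2m-nas", internet_facing=False),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY).items():
        detail = "; ".join(finding.reasons) or "no Mirai-style exposure"
        print(f"{name:14} {finding.severity:8} {detail}")
```

The severity logic is deliberately conjunctive: a Mirai-family bot only needs both conditions on the same host, so a device with telnet exposed but a unique password, or a default password behind a closed telnet port, is worth fixing but is not the one that will be enrolled first. Newer variants such as Katana add router exploits to this, which is why the firmware half of the recommendation matters as much as the password half.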