Mirai Botnet's Extended Army Takes Aim at IoT Devices

The Mirai botnet has given rise to several variants since its appearance in 2016. Over the years, the growing number of variants, and their ability to target IoT devices, have become a major concern for security experts.

What’s the latest update?

  • Palo Alto researchers found four new variants of Mirai from two recently discovered campaigns. These variants leveraged two command injection vulnerability exploits as attack vectors to deliver the malware. 
  • The first exploit targeted a command injection vulnerability in a web service with an NTP server setting feature, and the second exploit was associated with a flaw in the handling of HTTP request headers.
  • The variants, named Variant One, Variant Two, Variant Three, and Variant Four, all possessed the functionality needed to launch DDoS attacks. However, Variant Four was presented as the most dangerous of the four.
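The first attack vector above, command injection through an NTP server setting, follows a pattern that is easy to recognise and easy to fix. The following is an added illustration, not code from the report or from any affected device: a hypothetical web handler that takes an NTP server name from a form field. The unsafe builder pastes the value into a shell command string, so shell metacharacters in the input become extra commands; the hardened builder validates the value as a hostname and passes it as a separate argument, never through a shell. The `ntpdate` invocation is an assumed example of what such a feature might run.

```python
"""Command injection in an NTP-server setting: unsafe pattern beside the fix (added example)."""
import re

# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
# Also matches dotted IPv4 addresses. Anything else (spaces, ';', '|', '`', '$') is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ntp_command_unsafe(server: str) -> str:
    """VULNERABLE pattern (hypothetical): untrusted input interpolated into a shell string.

    If this string were handed to a shell, a value such as
    'time.example.org; <anything>' would run the trailing text as a command.
    """
    return f"ntpdate -u {server}"


def build_ntp_command_safe(server: str) -> list[str]:
    """Hardened version: validate as a hostname, then build an argv list.

    Returning a list means the caller uses subprocess.run(argv) with no shell,
    so the value is always a single argument even if validation were loosened.
    """
    if not HOSTNAME_RE.match(server):
        raise ValueError("invalid NTP server hostname")
    return ["ntpdate", "-u", server]


def is_safe_ntp_server(server: str) -> bool:
    """Convenience check for the form handler: True only if the value would be accepted."""
    try:
        build_ntp_command_safe(server)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("pool.ntp.org", "192.0.2.1", "time.example.org; echo injected"):
        print(f"{candidate!r}: safe={is_safe_ntp_server(candidate)}")
```

The important part is the combination: allow-list validation of the input and an argv list instead of a shell string. Either alone leaves a gap (a validator can be bypassed by a later change to the pattern; a shell string is one quoting mistake away from injection), so a device's web interface should do both.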

That’s not all

  • In the first week of October, a Mirai variant called Ttint was uncovered launching attacks against Tenda routers.
  • Unusually for a Mirai variant, it combined DDoS capabilities with RAT and spyware functions.
  • Overall, Ttint can carry out 10 typical Mirai DDoS attack instructions, along with 12 RAT instructions and 22 custom C2 commands.
  • During the same period, researchers also spotted an attack leveraging the Demonbot variant of Mirai, along with a second Mirai variant developed by Scarface.
  • Launched by the Priority threat actor group, the attack vigorously scanned ports 5500, 5501, 5502, 5050, and 60001 to gain access to devices.
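Scanning of a fixed set of ports, as described in the last point, is something a defender can pick out of ordinary firewall or connection logs. The following is an added example, not from the report: it parses a few constructed connection-log lines (the timestamp, source, destination, port and action fields are an assumed log format) and flags any source that touches at least three of the five ports named above. The threshold and the port set are assumptions a team would tune to its own environment.

```python
"""Flag sources probing the Mirai-associated ports named in the report (added example)."""
from collections import defaultdict

# Ports listed in the article as scanned by the campaign.
WATCHED_PORTS = {5500, 5501, 5502, 5050, 60001}

# Constructed sample log (not real traffic): "<timestamp> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2020-10-05T10:00:01 198.51.100.7 192.0.2.10 5500 DROP
2020-10-05T10:00:01 198.51.100.7 192.0.2.11 5501 DROP
2020-10-05T10:00:02 198.51.100.7 192.0.2.12 5502 DROP
2020-10-05T10:00:02 198.51.100.7 192.0.2.13 60001 DROP
2020-10-05T10:00:03 203.0.113.9 192.0.2.10 443 ACCEPT
2020-10-05T10:00:04 203.0.113.9 192.0.2.10 5050 DROP
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; the port becomes an int."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_scanners(log_text: str, min_ports: int = 3) -> dict:
    """Return {src: {"ports": [...], "targets": n}} for sources that hit
    at least `min_ports` distinct watched ports. Non-watched ports are ignored,
    so normal traffic such as 443 never contributes."""
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in WATCHED_PORTS:
            ports_by_src[rec["src"]].add(rec["dport"])
            targets_by_src[rec["src"]].add(rec["dst"])
    return {
        src: {"ports": sorted(ports), "targets": len(targets_by_src[src])}
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: watched ports {info['ports']} across {info['targets']} hosts")
```

Counting distinct watched ports per source, rather than raw connection attempts, keeps a single stray connection from raising an alert while still catching the sweep pattern the report describes; the number of distinct targets is a useful second signal when deciding whether to block the source at the edge.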

What to infer from this?

There has, of late, been a resurgence of Mirai-based malware capable of building large botnets by exploiting vulnerable IoT devices. This, in turn, has contributed to an uptick in the number of DDoS attacks in recent months compared to last year. Ttint's additional ability to function as a RAT marks a change for the Mirai world.