The Mirai Mania: A brief look into the notorious Mirai Botnet and its variants

• Mirai botnet variants include Satori, Okiru, Masuta, PureMasuta, OMG, IoTroop, Wicked, JenX, Fbot, Torii, Miori, and Yowai.
• Mirai infects unsecured internet of things (IoT) devices such as DVR’s, IP Cameras, Wi-Fi routers and many other home automation devices connected to the Wifi network.

Mirai Botnet was first discovered in August 2016 and was named after the Mirai malware. Its source code was leaked in October 2016. Mirai infects unsecured internet of things (IoT) devices such as DVR’s, IP Cameras, Wi-Fi routers and many other home automation devices connected to the Wifi network.

Mirai is one of the most sustained botnet malware variants that has affected a massive number of devices. Its variants include Satori, Okiru, Masuta, PureMasuta, OMG, IoTroop, Wicked, JenX, Fbot, Torii, Miori, and Yowai.

Mirai variant Satori

Satori, a variant of Mirai was discovered in December 2017. Satori exploits vulnerabilities in Realtek's UPNP SOAP interface and Huawei's home gateway. It leverages the device-specific communications protocol to propagate.

Researchers observed numerous attacks exploiting an unknown vulnerability in Huawei HG532 devices across the world, most notably in the USA, Italy, Germany, and Egypt, to name a few in order to create a new variant (Satori) of the Mirai botnet.

Okiru variant targets ARC CPU-Based Devices

Okiru variant was first spotted in January 2018. This variant is encrypted in two parts with telnet bombardment password encrypted. Moreover, this variant can use up to 114 credentials for a telnet attack. Okiru was found to have four types of router attack exploit code hardcoded in it. This variant of Mirai targeted ARC processors.

Masuta and PureMasuta, variants of Mirai Botnet

Mirai variant Masuata and its sub-variant PureMasuta leverages SOAP exploit to persuade targeted devices to run commands issued by the attacker. PureMasuta targeted a specific vulnerability on D-Link routers. It also exploited a known vulnerability in HNAP (Home Network Administration Protocol), which is based on SOAP.

OMG turns IoT devices into proxy servers

Mirai variant OMG turns infected IoT devices into proxy servers which can be used later for various activities. OMG uses 3proxy, an open source proxy server, to turn any infected device into a proxy server. This variant can also turn bots into DDoS attack machines.

OMG turns infected devices into proxy servers and provides a network of proxy servers for rent to several cybercriminals who are looking for DDoS generators, a SPAM network, crypto-jacker scheme, or ransomware empire.

OMG variant has the capability to check for and rewrite firewall rules to ensure that the ports used by the new proxy server can transit the network perimeter without any trouble. It can also look for open ports and kill any processes related to telnet, HTTP, and SSH and use telnet brute-force logins to spread.

Researchers noted that OMG is the first Mirai variant that includes both the original DDoS functionality as well as has the ability to set up proxy servers on IoT devices.

IOTroop and Wicked

A new Mirai variant dubbed IOTroop has infected more than 1 million organizations since its discovery. IOTroop's malware seeks out vulnerabilities in wireless IP camera devices, such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and exploits them.

IOTroop uses infected IoT devices to scan additional devices and report back to the command-and-control server with its findings. IOTroop also has the ability to launch its malware without human interaction.

In the Wicked Mirai variant, multiple payloads were available for delivery in a package that includes at least three new exploits.

Researchers named the variant as Wicked Mirai, for a string within the code seems to point back to the hacker responsible for the new variant. While analyzing the code, researchers identified malware that scans multiple ports on network devices, using open ports to download copies of different payloads depending on which ports are available.

JenX Mirai variant which does not self-propagate

JenX is a standard variant of the Mirai IoT botnet with one major difference. It does not self-propagate and is able to recruit new Botnet members through central services. JenX takes advantage of the flaws connected to the Satori botnet and leverages hosting services running multiplayer versions of Grand Theft Auto to infect IoT devices.

Researchers noted that JenX variant exploits the CVE-2014-8361 and CVE-2017-17215 vulnerabilities, which impacts certain Huawei and Realtek routers.

Fbot, a Mirai variant that propagates by scanning for devices with an open port 555

Researchers spotted another variant of Mirai dubbed ‘Fbot’ that hunts down a malware called ‘com.ufo.miner’- a variant of ADB.Miner malware which is used to mine for Monero on Android devices.

Fbot propagates by scanning for devices with an open port 555. In addition, Fbot also looks for processes such as SMI, RIG, and XIG, all of which are associated with a crypto mining activity, and proceeds to discard them.

Torii uses six methods for persistence

Torii infects systems that have Telnet exposed and protected by weak credentials. It executes a sophisticated script that determines the architecture of the device and uses multiple commands - 'wget,' 'ftpget,' 'ftp,' 'busybox wget,' or 'busybox ftpget' - to ensure delivery of binary payloads.

Torii uses at least six methods to maintain persistence on a compromised device and runs all of them at the same time:

• Automatic execution via injected code into ~\.bashrc
• Automatic execution via "@reboot" clause in crontab
• Automatic execution as a "System Daemon" service via systemd
• Automatic execution via /etc/init and PATH. Once again, it calls itself "System Daemon"
• Automatic execution via modification of the SELinux Policy Management
• Automatic execution via /etc/inittab

Miori and Yowai exploiting ThinkPHP vulnerability

In December 2018, a bug in the ThinkPHP framework left 45,000 Chinese websites open. A hacker group exploited this ThinkPHP vulnerability to infect servers with the Mirai variant Miori. The hacker group using the Miori malware exploited the bug to manipulate the control panels of home routers and IoT devices.

The ThinkPHP vulnerability which allowed attackers to gain control over web servers was patched in December 2018. However, cybercriminals were spotted exploiting this ThinkPHP vulnerability for botnet propagation by Mirai variant Yowai and Gafgyt variant Hakai.

Researchers noted that Yowai added ThinkPHP vulnerability to its list of infection entry vectors along with the other known vulnerabilities. Furthermore, Yowai listens on port 6 to receive commands from the C2 server.

• Once Yowai successfully infects a router, it uses a dictionary attack to infect other devices.
• The infected router will then become part of a botnet that enables its operator to use the affected devices for launching DDoS attacks.
• Once executed, Yowai displays a message on the users’ console.

Apart from ThinkPHP vulnerability, Yowai has exploited other vulnerabilities such as CVE-2014-8361, a Linksys RCE, CVE-2018-10561, and CCTV-DVR RCE.