New Mirai variant targets new devices for botnet including SD-WAN

News by Rene Millman

Malware looks for SD-WAN equipment, smart home controllers and wireless presentation devices

A new variant of Mirai has been discovered that uses exploits against a wide range of embedded devices.

According to a blog post by security researchers at Palo Alto Networks, the malware targets devices ranging from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.

Initially, Mirai made use of default credentials to gain access to devices. But recent samples have been observed making use of publicly available exploits to propagate and run on vulnerable devices.

Researchers said that the latest variant contains a total of 18 exploits, eight of which are new to Mirai. The malware also includes four exploits designed to compromise devices such as LG Supersign TVs, WePresent WiPG-1000 Wireless Presentation Systems, Belkin WeMo devices, and MiCasaVerde VeraLite Smart Home Controllers.

They added that the new variant had other distinguishing features. First, the encryption key used for the string table is 0xDFDAACFD, which is equivalent to a byte-wise XOR with 0x54 under the standard encryption scheme (as implemented in the toggle_obf function) used in the original Mirai source code.
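The key equivalence above can be checked directly. The following is an added example, not code from the article, from Palo Alto Networks or from the Mirai source: it reimplements the byte-wise XOR scheme of toggle_obf in Python (each byte is XORed in turn with the four bytes of the 32-bit key, which collapses to a single XOR with the four bytes combined) and shows why 0xDFDAACFD reduces to 0x54, and the leaked source's key 0xDEADBEEF to 0x22. The sample strings are constructed for the illustration.

```python
# Added example: reimplementation of Mirai's toggle_obf string obfuscation
# to illustrate how a 32-bit key collapses to a single XOR byte.
# Not the article's, Palo Alto Networks' or the malware's own code.

DEFAULT_KEY = 0xDEADBEEF   # key used in the leaked Mirai source
VARIANT_KEY = 0xDFDAACFD   # key reported for the new variant


def key_bytes(key: int) -> list:
    """Split a 32-bit key into its four bytes (k1..k4), as toggle_obf does."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def toggle_obf(data: bytes, key: int) -> bytes:
    """XOR every byte with k1, then k2, then k3, then k4.
    The operation is its own inverse: applying it twice restores the input."""
    k1, k2, k3, k4 = key_bytes(key)
    out = bytearray()
    for b in data:
        b ^= k1
        b ^= k2
        b ^= k3
        b ^= k4
        out.append(b)
    return bytes(out)


def effective_byte(key: int) -> int:
    """Four successive XORs equal one XOR with k1 ^ k2 ^ k3 ^ k4."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4


def decode_single_byte(data: bytes, xor_byte: int) -> bytes:
    """Decode a string-table entry with the collapsed single-byte key,
    which is how an analyst would typically undo the obfuscation."""
    return bytes(b ^ xor_byte for b in data)


def demo() -> dict:
    """Obfuscate a constructed string with the variant key and confirm that
    the single-byte decode recovers it."""
    plain = b"/bin/busybox"             # constructed sample string
    obf = toggle_obf(plain, VARIANT_KEY)
    return {
        "variant_xor_byte": effective_byte(VARIANT_KEY),
        "default_xor_byte": effective_byte(DEFAULT_KEY),
        "roundtrip_ok": toggle_obf(obf, VARIANT_KEY) == plain,
        "single_byte_ok": decode_single_byte(obf, 0x54) == plain,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) else f"{name}: {value}")
```

Because XOR is commutative and self-inverse, the order of the four key bytes never matters; only their combined value does, which is why a sample can be decoded with a one-byte key even though the binary carries a four-byte constant.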

Second, there are several default credentials used for brute force that the researchers had not come across previously in their research.

This latest variant uses two domains for C2, at different ports in the different versions.

"While the two domains don't currently resolve to any IP, a search on Shodan for the IP address hosting the samples indicates port 17 at that address was used for C2 at some point of time," said researchers.

The directory hosting the malware was updated a couple of times before the final version was uploaded on 26-May-2019 10:05 (server time). Each of the updates was minor, with the attackers either editing C2 port numbers or slightly updating the payload, added researchers.

Researchers said that this newly discovered variant is a continuation of efforts by Linux malware authors to scout for a wider range, and thus a larger number, of IoT devices to form larger botnets, thereby affording them greater firepower for DDoS attacks.

"Based on the results observed by using such variants, the exploits that are more effective, i.e. the ones that infect a greater number of devices, are retained or reused in future variants, whereas the less effective ones are retired or replaced by malware authors with other exploits," said researchers.

Tim Mackey, senior technical evangelist at Synopsys, told SC Media UK that regular IT audits of IoT networks should be performed to ensure only known devices are present, with each device's identification mapped back to an asset inventory containing its current firmware version and a list of the open source components used within that firmware.

"This open source inventory can then be used to understand when an open source vulnerability impacting a library used within the firmware has a published vulnerability. Armed with this information, a proactive update and patching model can be created for corporate IoT devices," he said.
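The audit Mackey describes has two parts: flag devices on the network that are not in the inventory, and flag inventoried devices whose firmware bundles an open source component with a published vulnerability. The following is an added example of that logic, not code from the article or from Synopsys; the device identifiers, firmware versions, component lists and advisory records are all constructed for the illustration (the advisory ids are placeholders, not real CVEs).

```python
# Added example: cross-check observed devices against an asset inventory and
# the inventory's per-firmware open source components against advisories.
# All data below is constructed; advisory ids are placeholders, not real CVEs.

from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str     # open source component name
    fixed_in: str      # first version containing the fix
    advisory_id: str   # placeholder identifier


# Constructed asset inventory: device id -> model, firmware, component versions.
INVENTORY = {
    "dev-0001": {"model": "presentation-gateway", "firmware": "2.3.0",
                 "components": {"busybox": "1.22.1", "openssl": "1.0.2k"}},
    "dev-0002": {"model": "home-controller", "firmware": "1.7.2",
                 "components": {"busybox": "1.31.0", "lighttpd": "1.4.54"}},
    "dev-0003": {"model": "sdwan-edge", "firmware": "5.1.0",
                 "components": {"openssl": "1.1.1c", "busybox": "1.30.1"}},
}

# Constructed advisories against components used in the inventory above.
ADVISORIES = [
    Advisory("busybox", "1.30.0", "ADV-PLACEHOLDER-1"),
    Advisory("openssl", "1.1.0", "ADV-PLACEHOLDER-2"),
]


def parse_version(v: str) -> tuple:
    """Turn '1.0.2k' into a comparable tuple: numeric parts, then the suffix."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def unknown_devices(observed_ids, inventory=INVENTORY) -> set:
    """Devices seen on the network that the inventory does not know about."""
    return set(observed_ids) - set(inventory)


def vulnerable_devices(inventory=INVENTORY, advisories=ADVISORIES) -> dict:
    """Map each affected device id to the (component, advisory id) pairs that
    apply, comparing the bundled component version against the fixed version."""
    findings = {}
    for dev_id, record in inventory.items():
        for adv in advisories:
            present = record["components"].get(adv.component)
            if present is None:
                continue
            if parse_version(present) < parse_version(adv.fixed_in):
                findings.setdefault(dev_id, []).append((adv.component, adv.advisory_id))
    return findings


def audit(observed_ids) -> dict:
    """Combine both checks into one report suitable for a periodic audit."""
    return {
        "unknown": sorted(unknown_devices(observed_ids)),
        "vulnerable": vulnerable_devices(),
    }


if __name__ == "__main__":
    # Constructed list of device ids observed during a network scan.
    seen = ["dev-0001", "dev-0002", "dev-0003", "dev-9999"]
    print(audit(seen))
```

In practice the component list per firmware would come from a software bill of materials produced when the firmware is built or analysed, and the advisory feed from a vulnerability database; the comparison logic stays the same.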
