Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Mirai Variant Has Bitcoin Mining Capabilities

A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.

A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.

Initially spotted in September last year, Mirai was designed to find insecure IoT devices and ensnare them into a botnet primarily used for launching DDoS (distributed denial of service) attacks. Variants of the malware started to emerge after the Trojan’s source code was leaked, and a Windows variant designed to spread the Linux version was spotted earlier this year.

The newest variant moves beyond the initial DDoS capabilities of the botnet, with the addition of a component focused on Bitcoin mining. This crypto-currency has doubled in price over the past half year, trading at more than $1,290 per unit this March, above the November 2013 high of $1,242.

The Bitcoin mining-capable Mirai variant was observed in a short-lived, high-volume campaign at the end of March, targeting Linux machines running BusyBox. The attack focuses on devices such as DVR servers, which usually feature BusyBox with default Telnet credentials that Mirai targets with a dictionary attack brute-force tool.

In addition to the various types of attacks that Mirai bots can perform, such as TCP, UDP, and HTTP floods, the new variant also turns the compromised devices into Bitcoin miner slaves. Because IoT devices usually lack computing power, they can’t create Bitcoins, at least not on their own.

“Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” IBM explains.

IBM researchers found the Mirai dropper in a web console and associated the site to a series of high-volume command injection attacks. They also determined that the website was used as a malware package archive repository and that it was also counting infected victims in real-time. What’s more, the file package also included a Dofloo backdoor and a Linux shell.

Mirai is only one of the malware families to have adopted crypto-currency mining lately, after the Sundown exploit kit started distributing a Monero miner several months ago. Last year, researchers discovered a Go-based Linux Trojan focused on Monero mining.

Related: New Mirai Variant Unleashes 54-Hour DDoS Attack

Related: Mirai for Windows Built by Experienced Bot Herder: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe


Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...