New Mirai Variant Targets Enterprise IoT Devices

A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a shift in focus toward the enterprise.

Best known for the massive attacks on OVH and Dyn in late 2016, Mirai is a Linux malware targeting Internet of Things (IoT) devices in an attempt to ensnare them into botnets capable of launching distributed denial of service (DDoS) attacks. 

Numerous variants of the malware have emerged ever since Mirai’s source code leaked in October 2016, including Wicked, Satori, Okiru, Masuta, and others. One variant observed last year was leveraging an open-source project to become cross-platform and target multiple architectures, including ARM, MIPS, PowerPC, and x86.

The newly discovered variant of the botnet targets embedded devices such as routers, network storage devices, NVRs, and IP cameras and leverages various exploits in an attempt to compromise them, Palo Alto Networks’ security researchers have discovered. 

The malware was observed attempting to ensnare WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, two devices intended for use within business environments. 

“This development indicates to us a potential shift to using Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,” Palo Alto Networks notes.

The new threat, the researchers say, also includes some additional exploits in its arsenal. Of the 27 exploits contained within the malware, 11 are new to Mirai, and it can leverage a new set of credentials when attempting to brute force devices. 

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches. And in the case of devices that cannot be patched, to remove those devices from the network as a last resort,” Palo Alto Networks says. 

The new threat uses the same encryption scheme characteristic of Mirai, which allowed the researchers to uncover some of the new default credentials that it targets. The malware can scan for vulnerable devices and also includes the ability to launch HTTP Flood DDoS attacks.

The shell script payload is hosted on the compromised website of an “Electronic security, integration and alarm monitoring” business in Colombia.

The researchers discovered that samples fetching the same payload were hosted at the same IP that had been hosting some Gafgyt samples only a few days before, and that these featured the same name as the binaries fetched by the shell script. 

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both. In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,” Palo Alto Networks concludes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
