A recently discovered variant of the Mirai malware is targeting more processor architectures than before, which allows it to attack a wider range of Internet of Things (IoT) devices, Palo Alto Networks security researchers reveal.
Targeting IoT devices in an attempt to ensnare them into a botnet capable of launching distributed denial of service (DDoS) attacks, the malware has been around since late 2016, with numerous variants observed since (such as Wicked, Satori, Okiru, Masuta, and others).
Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.
The newly observed Mirai samples, Palo Alto Networks reports, are compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which shows that the threat’s developers continue to innovate.
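Because the new samples differ from earlier ones mainly in the processor they were built for, the first triage step for a suspected IoT sample is reading the ELF header and mapping its `e_machine` field to an architecture. The following Python is an added example written for this article, not code from Palo Alto Networks or from the Mirai source; the `e_machine` numbers are the standard ELF registry values (OpenRISC 92, Xtensa 94, Nios II 113, MicroBlaze 189), and `make_header` builds a constructed, minimal header purely so the script runs offline.

```python
import struct
from typing import Dict

# Standard e_machine values from the ELF registry; the last four are the
# architectures the new samples were compiled for.
EM_NAMES: Dict[int, str] = {
    3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64",
    92: "OpenRISC", 94: "Tensilica Xtensa",
    113: "Altera Nios II", 189: "Xilinx MicroBlaze",
}

# Architectures not seen in earlier Mirai builds; worth flagging in triage.
NEW_FOR_MIRAI = {92, 94, 113, 189}


def elf_arch(data: bytes) -> dict:
    """Parse only the ELF identification bytes and e_machine of an image.

    Returns a dict with word size, endianness, the raw e_machine value,
    a human-readable name and whether it is one of the newly targeted CPUs.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)  # EI_DATA selects byte order
    if endian is None or ei_class not in (1, 2):
        raise ValueError("malformed ELF identification")
    # e_type and e_machine are the first two 16-bit fields after e_ident.
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_machine": e_machine,
        "machine": EM_NAMES.get(e_machine, "unknown (%d)" % e_machine),
        "new_for_mirai": e_machine in NEW_FOR_MIRAI,
    }


def make_header(e_machine: int, big_endian: bool = False, bits: int = 32) -> bytes:
    """Constructed minimal ELF header for testing; not a real malware sample."""
    endian = ">" if big_endian else "<"
    e_ident = (b"\x7fELF"
               + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1])
               + b"\x00" * 9)
    # e_type = 2 (ET_EXEC); the remaining header fields are zero-padded.
    return e_ident + struct.pack(endian + "HH", 2, e_machine) + b"\x00" * 32


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Summarise a batch of samples as name -> 'machine/bits/endian[ NEW]'."""
    out = {}
    for name, data in samples.items():
        try:
            a = elf_arch(data)
        except ValueError as exc:
            out[name] = "skipped: %s" % exc
            continue
        tag = " NEW" if a["new_for_mirai"] else ""
        out[name] = "%s/%d/%s%s" % (a["machine"], a["bits"], a["endian"], tag)
    return out


if __name__ == "__main__":
    batch = {
        "sample.nios2": make_header(113),
        "sample.microblaze": make_header(189, big_endian=True),
        "sample.arm": make_header(40),
        "notes.txt": b"plain text, not ELF",
    }
    for name, summary in triage(batch).items():
        print(name, "->", summary)
```

Only the first 20 bytes are parsed, so the function works on a truncated download or a header carved from memory; anything that is not an ELF raises rather than being silently misclassified.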
“If the latest innovations lead to an increase in the number of infected devices, that means that Mirai attackers would have access to additional firepower for use in denial of service attacks,” Palo Alto Networks points out.
The new samples employ a modified version of the byte-wise XOR used in the original Mirai source code, and also include a new DDoS attack option that features the same parameters as the attack method “TCP SYN” in the original Mirai source.
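For an analyst, the practical consequence of the XOR scheme is that configuration strings inside a sample can be recovered without running it. The Python below is an added example, not code from the article or from the Mirai source; it models the scheme in the publicly released Mirai source (a 32-bit key whose four bytes are each XORed into every byte, which collapses to one single-byte key) and then brute-forces all 256 single-byte keys the way a triage script would. The sample table, the `0xdeadbeef` key and the `/bin/busybox` marker are constructed inputs for the example; the "modified" XOR in the new samples is not described on the page, so the recovery here covers only the original byte-wise form.

```python
from typing import Iterable, List, Tuple


def xor_bytewise(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key; symmetric, so it both hides and reveals."""
    return bytes(b ^ (key & 0xFF) for b in data)


def key_from_word(word: int) -> int:
    """Fold a 32-bit key into the one byte that the byte-wise scheme effectively uses.

    XORing each byte with k1, then k2, k3 and k4 in turn is the same as XORing it
    once with k1 ^ k2 ^ k3 ^ k4, so the 'four-byte' key offers no more than one byte.
    """
    return ((word & 0xFF) ^ ((word >> 8) & 0xFF)
            ^ ((word >> 16) & 0xFF) ^ ((word >> 24) & 0xFF))


def obfuscate_table(entries: Iterable[bytes], word_key: int) -> bytes:
    """Constructed stand-in for a config table: NUL-separated strings, XORed."""
    return xor_bytewise(b"\x00".join(entries), key_from_word(word_key))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(buf)


def recover_key(blob: bytes,
                known: Iterable[bytes] = (b"/bin/busybox",)) -> Tuple[int, bytes]:
    """Try every single-byte key and return (key, decoded_blob).

    A key that reveals a known plaintext token wins outright; otherwise the
    key producing the most printable output is chosen. A constant XOR of
    printable text can stay printable for several keys, which is why the
    known-token check is needed to break ties reliably.
    """
    known = tuple(known)
    best_score, best_key, best_dec = -1.0, 0, b""
    for k in range(256):
        dec = xor_bytewise(blob, k)
        score = printable_ratio(dec) + (1.0 if any(t in dec for t in known) else 0.0)
        if score > best_score:
            best_score, best_key, best_dec = score, k, dec
    return best_key, best_dec


def split_strings(decoded: bytes) -> List[str]:
    """Split a decoded NUL-separated table back into strings."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# Constructed sample table; the hostname is a reserved placeholder, not a real C2.
CONSTRUCTED_TABLE = [b"/bin/busybox", b"example.invalid", b"/proc/", b"shell"]

if __name__ == "__main__":
    blob = obfuscate_table(CONSTRUCTED_TABLE, 0xDEADBEEF)
    key, decoded = recover_key(blob)
    print("recovered key: 0x%02x" % key)
    for s in split_strings(decoded):
        print("  ", s)
```

Run against a real table dump, the same approach only needs `known` adjusted to whatever plaintext an analyst expects to be present; because the scheme is a single-byte XOR, the 256-key search is instant regardless of the blob size.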
“We found these latest samples on a single IP that at one point of time was hosting them via an open directory; however, on February 22, 2019, the server was later updated to hide the file listing but continued to host the files themselves,” the researchers reveal.
Previously, the same IP hosted Mirai samples that contained a large list of exploits known from earlier versions of the malware; the presence of the same exploits in the newly observed samples suggests that both sets of samples are used by the same attacker.
The exploits targeted a ThinkPHP remote code execution vulnerability, a D-Link DSL2750B OS command injection flaw, a remote code execution bug in Netgear devices, a Realtek SDK flaw tracked as CVE-2014-8361, and a Huawei router vulnerability identified as CVE-2017-17215.
With the Mirai source code available in the open, threat actors will likely continue to compile it to target new device types, including by broadening the list of processors the malware can run on.
This will expand the attack surface, allowing cybercriminals to infect and propagate via a larger number of embedded devices, thus gaining more DDoS firepower, the researchers conclude.