New Mirai Variant Targets More Processor Architectures

A recently discovered variant of the Mirai malware is targeting more processor architectures than before, which allows it to attack a wider range of Internet of Things (IoT) devices, Palo Alto Networks security researchers reveal.

Targeting IoT devices in an attempt to ensnare them into a botnet capable of launching distributed denial of service (DDoS) attacks, the malware has been around since late 2016, with numerous variants observed since (such as Wicked, Satori, Okiru, Masuta, and others).

Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.

The newly observed Mirai samples, Palo Alto Networks reports, are compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which shows that the threat’s developers continue to innovate.

“If the latest innovations lead to an increase in the number of infected devices, that means that Mirai attackers would have access to additional firepower for use in denial of service attacks,” Palo Alto Networks points out.

The new samples employ a modified version of the byte-wise XOR used in the original Mirai source code, and also include a new DDoS attack option that features the same parameters as the attack method “TCP SYN” in the original Mirai source.
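The "byte-wise XOR" referred to here is the string-table obfuscation in the leaked Mirai source, which XORs every byte of the configuration table with each of the four bytes of a 32-bit key in turn (0xdeadbeef in the leaked code). Because the four XORs are applied to the same byte, they collapse to a single-byte XOR, which is why analysts can recover a Mirai-style table quickly and why a variant that changes the key is only a small obstacle. The Python below is an added analyst example, not code from the article or from Palo Alto Networks: it reproduces the original loop, shows the collapse, and brute-forces the key for a sample whose obfuscation was changed. The sample table entries and the alternative key 0x5A used to stand in for a "modified" variant are constructed for the demo; the article does not describe what the real modification is.

```python
"""Mirai-style byte-wise XOR: reproduce it, show why it collapses, recover it.

Added analyst example (not from the article or Palo Alto Networks). The key
0xdeadbeef and the per-byte loop follow the leaked Mirai source (table.c);
the sample table and the variant key 0x5A are constructed for this demo.
"""

MIRAI_TABLE_KEY = 0xDEADBEEF  # 32-bit table key in the leaked Mirai source

# Constructed sample table: NUL-terminated ASCII entries like those Mirai keeps.
SAMPLE_TABLE = b"/proc/\x00/bin/busybox\x00/dev/watchdog\x00listening tun0\x00"

# Hypothetical variant key, constructed to simulate a "modified" XOR.
VARIANT_KEY = 0x5A


def mirai_toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """Original scheme: XOR each byte with the four key bytes in sequence.

    XOR is its own inverse, so the same call obfuscates and deobfuscates.
    """
    k1 = key & 0xFF
    k2 = (key >> 8) & 0xFF
    k3 = (key >> 16) & 0xFF
    k4 = (key >> 24) & 0xFF
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def effective_single_byte_key(key: int = MIRAI_TABLE_KEY) -> int:
    """Four sequential XORs on one byte equal one XOR with the key bytes' XOR."""
    return (key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ (key >> 24) & 0xFF


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Split on NUL and keep runs of printable ASCII of at least min_len bytes."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def xor_score(data: bytes) -> int:
    """Heuristic: bytes that look like NUL-terminated lowercase/path strings.

    Counts NUL, space, '.' '/' digits ':' (0x2E-0x3A) and a-z; a wrong key
    maps at least some bytes outside this set, so the true key scores highest.
    """
    return sum(
        1 for c in data
        if c == 0 or c == 0x20 or 0x2E <= c <= 0x3A or 0x61 <= c <= 0x7A
    )


def recover_single_byte_xor(blob: bytes) -> tuple[int, list[str]]:
    """Brute-force a single-byte XOR key for a table whose key was changed.

    Returns the best-scoring key and the strings decoded under it, so an
    analyst does not have to assume the original 0x22.
    """
    best_key, best_score = 0, -1
    for k in range(256):
        score = xor_score(bytes(b ^ k for b in blob))
        if score > best_score:
            best_key, best_score = k, score
    decoded = bytes(b ^ best_key for b in blob)
    return best_key, printable_strings(decoded)


if __name__ == "__main__":
    print("original scheme collapses to 0x%02x" % effective_single_byte_key())
    variant_blob = bytes(b ^ VARIANT_KEY for b in SAMPLE_TABLE)
    key, strings = recover_single_byte_xor(variant_blob)
    print("recovered key 0x%02x -> %s" % (key, strings))
```

The brute force works only while the variant still uses a single-byte XOR; if a sample's strings do not fall out with any of the 256 candidates, the modification is more than a key change and the decoding routine has to be read out of the binary instead.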

“We found these latest samples on a single IP that at one point of time was hosting them via an open directory; however, on February 22, 2019, the server was later updated to hide the file listing but continued to host the files themselves,” the researchers reveal.

Previously, the IP was hosting Mirai samples containing a large list of exploits known to be used in earlier versions of the malware, and the presence of these exploits in the newly observed samples suggests that both are used by the same attacker.

The exploits targeted a ThinkPHP remote code execution vulnerability, a D-Link DSL2750B OS command injection flaw, a remote code execution bug in Netgear devices, a Realtek SDK flaw tracked as CVE-2014-8361, and a Huawei router vulnerability identified as CVE-2017-17215.

With the Mirai source code available in the open, threat actors will likely continue to compile it to target new device types, including by broadening the list of processors the malware can run on.

This will expand the attack surface, allowing cybercriminals to infect and propagate via a larger number of embedded devices, thus gaining more DDoS firepower, the researchers conclude.

Related: New Mirai Variant Targets Enterprise IoT Devices

Related: Cross-Platform Mirai Variant Leverages Open-Source Project

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
