Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Network Security

“Wicked” Variant of Mirai Botnet Emerges

A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributing a new bot, Fortinet researchers warn.

A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributing a new bot, Fortinet researchers warn.

Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

 The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

The used exploit depends on the specific port that the connection was established to. On port 8080, the malware uses Netgear DGN1000 and DGN2200 v1 router exploits (also used by Reaper botnet), on port 81 it uses a CCTV-DVR Remote Code Execution exploit, on port 8443 a Netgear R7000 and R6400 Command Injection (CVE-2016-6277), and on port 80 an invoker shell in compromised web servers.

Wicked contains the string SoraLOADER, which initially suggested it might attempt to distribute the Sora botnet. Instead, the researchers discovered that the malware would actually connect to a malicious domain to download the Owari bot, a different Mirai variant.

Although the website was confirmed to have distributed Owari, the security researchers couldn’t retrieve bot samples from the website directory. Furthermore, they discovered that the samples had been replaced by another malware family, the Omni bot.

Advertisement. Scroll to continue reading.

Looking through the website’s /bins directory, the security researchers discovered other Omni samples, which were apparently delivered using the Gigabit-capable Passive Optical Network (GPON) vulnerability CVE-2018-10561.

While looking for the connections between Wicked, Sora, Owari, and Omni, the security researchers found an April interview with the developer behind Sora and Owari, who goes by the online handle of “Wicked” himself. At the time, the malware author said that Sora was abandoned, but work on Owari would continue, with no new projects plann

Based on their findings and the malware author’s saying, Fortinet believes that both Sora and Owari bots have been abandoned, and that Omni is the current project the developer works on.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Related: Unofficial Patch Released for Zero-Days Affecting Dasan Routers

Related: Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet