Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Trojan Spreads Mirai to Linux Devices

Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices for launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices for launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai became popular last fall, after it targeted Brian Krebs’ blog and infrastructure provider Dyn in two of the largest DDoS attacks on record. Soon after, the malware’s source code leaked online and new variants of the Trojan were spotted, including one packing worm-like capabilities.

Although focused on Linux-based IoT devices until now, Mirai recently switched focus to Windows systems as well, Doctor Web security researchers warn. Detected as Trojan.Mirai.1, the new malware variant is written in C++ and appears capable of performing various nefarious operations, one of which involves the spreading of the Mirai botnet to Linux-based devices.

When launched on the infected Windows machine, the Trojan would connect to its command and control (C&C) server, and then download a configuration file to extract a list of IP addresses from it. Next, the malware launches a scanner to search for the network nodes listed in the configuration file, and attempts to login to them using a list of logins and passwords combinations from the same file.

According to Doctor Web’s security researchers, the Windows version of Mirai is capable of scanning and checking several TCP ports simultaneously (including 22, 23, 135, 445, 1433, 3306, and 3389).

As soon as it connects to one of the attack nodes (via any of the available protocols), the Trojan begins the execution of a series of commands indicated in the configuration file. However, should the connection be made via Remote Desktop Protocol (RDP), none of the instructions is executed.

What’s more, if the threat manages to connect to a Linux device via the Telnet protocol, it then attempts to download a binary file to it. This file is meant to subsequently download and launch the Mirai botnet.

The Windows version of Mirai can also abuse Windows Management Instrumentation (WMI) to execute commands on remote hosts, using inter-process communication (IPC) technology. The malware was designed to launch new processes with Win32_Process.Create method, and create various files (such as Windows package files containing a certain set of instructions).

Advertisement. Scroll to continue reading.

If Microsoft SQL Server is present on the infected machine, the malware leverages it to spawn a series of files and a user that also has sysadmin privileges. Next, the malware abuses this user and the SQL server event service to execute various malicious tasks: to launch executable files with administrator privileges, delete files, or plant icons in the system folder for automatic launch (it can also create the corresponding logs in the Windows registry).

“After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals,” Doctor Web notes. This user has the following privileges: select, insert, update, delete, create, drop, reload, shutdown, process, file, grant, references, index, alter, show_db, super, create_tmp_table, lock_tables, execute, repl_slave, repl_client, create_view, show_view, create_routine, alter_routine, create_user, event, trigger, and create_tablespace.

Related: 100,000 UK Routers Likely Affected by Mirai Variant

Related: Mirai Switches to Tor Domains to Improve Resilience

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.