Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Windows Trojan Spreads Mirai to Linux Devices

Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices for launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices for launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai became popular last fall, after it targeted Brian Krebs’ blog and infrastructure provider Dyn in two of the largest DDoS attacks on record. Soon after, the malware’s source code leaked online and new variants of the Trojan were spotted, including one packing worm-like capabilities.

Although focused on Linux-based IoT devices until now, Mirai recently switched focus to Windows systems as well, Doctor Web security researchers warn. Detected as Trojan.Mirai.1, the new malware variant is written in C++ and appears capable of performing various nefarious operations, one of which involves the spreading of the Mirai botnet to Linux-based devices.

When launched on the infected Windows machine, the Trojan would connect to its command and control (C&C) server, and then download a configuration file to extract a list of IP addresses from it. Next, the malware launches a scanner to search for the network nodes listed in the configuration file, and attempts to login to them using a list of logins and passwords combinations from the same file.

According to Doctor Web’s security researchers, the Windows version of Mirai is capable of scanning and checking several TCP ports simultaneously (including 22, 23, 135, 445, 1433, 3306, and 3389).

As soon as it connects to one of the attack nodes (via any of the available protocols), the Trojan begins the execution of a series of commands indicated in the configuration file. However, should the connection be made via Remote Desktop Protocol (RDP), none of the instructions is executed.

What’s more, if the threat manages to connect to a Linux device via the Telnet protocol, it then attempts to download a binary file to it. This file is meant to subsequently download and launch the Mirai botnet.

The Windows version of Mirai can also abuse Windows Management Instrumentation (WMI) to execute commands on remote hosts, using inter-process communication (IPC) technology. The malware was designed to launch new processes with Win32_Process.Create method, and create various files (such as Windows package files containing a certain set of instructions).

If Microsoft SQL Server is present on the infected machine, the malware leverages it to spawn a series of files and a user that also has sysadmin privileges. Next, the malware abuses this user and the SQL server event service to execute various malicious tasks: to launch executable files with administrator privileges, delete files, or plant icons in the system folder for automatic launch (it can also create the corresponding logs in the Windows registry).

“After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals,” Doctor Web notes. This user has the following privileges: select, insert, update, delete, create, drop, reload, shutdown, process, file, grant, references, index, alter, show_db, super, create_tmp_table, lock_tables, execute, repl_slave, repl_client, create_view, show_view, create_routine, alter_routine, create_user, event, trigger, and create_tablespace.

Related: 100,000 UK Routers Likely Affected by Mirai Variant

Related: Mirai Switches to Tor Domains to Improve Resilience

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.