New Miori Variant Uses Unique Protocol to Communicate with C&C

By: Makoto Shimamura, Cyber Threat Research Team


We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses a text-based protocol to communicate with its C&C.


Miori’s unique protocol


Typical Mirai variants communicate with their respective C&Cs using a binary-based protocol. In that scenario, connecting to the C&C server yields a login prompt for the console the attacker uses: the server assumes that anyone who connects is the attacker trying to access the console, so it displays a prompt asking for a username and password, as seen in Figure 1.



Figure 1. Example of a Mirai C&C login prompt



This is not the case for this new Miori variant. When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods.



Figure 2. Message displayed after attempting to connect to the C&C console



This prompted us to try to see where the change was made in t ..
