By: Augusto Remillano II and Jakub Urbanec
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.
This attack comes just a few weeks after we last reported on Mirai activity, when it had targeted various routers. Several exploits used in the previous attack have also been used by this variant.
The new Mirai variant
Our initial findings on the new variant came from one of our honeypots dedicated to catching attacks against internet of things (IoT) devices. The honeypot data showed that the malware spreads by several different means, and that it obfuscates its embedded data with three different single-byte XOR keys. Decrypting the malware's strings with the matching key gave one of the first clear indicators that it is a Mirai variant; the decrypted string can be seen in Figure 1. The three keys, and the kind of data each one protects, are:
0x22 (standard Mirai strings)
0x37 (strings with “watchdog”)
0xea (credentials for brute force attack: “telecomadmin”, “admintelecom”, etc.)
Figure 1. Decrypted string showing Mirai connection
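The string recovery described above, as an added example that is not part of the original post or of the malware sample: a small Python helper that tries the three reported keys against an obfuscated blob and keeps the first key that yields printable ASCII, plus a brute-force fallback for samples whose keys are not yet known. The 0x22 key is consistent with the original Mirai source, whose table_key 0xdeadbeef collapses byte-wise to 0xde ^ 0xad ^ 0xbe ^ 0xef = 0x22, which is why it decodes the standard strings. The sample blobs are constructed here (plaintexts taken from the analysis, encoded with the key the post associates with each group); they are not bytes extracted from the sample.

```python
# Added example (not from the original post or the analyzed sample):
# recovering single-byte-XOR-obfuscated strings with known candidate keys,
# with a brute-force fallback when the keys are not known in advance.
import string

# The three single-byte XOR keys reported in the analysis.
CANDIDATE_KEYS = (0x22, 0x37, 0xEA)

# Bytes we accept in a recovered string: printable ASCII, tab, CR, LF, space.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same function both obfuscates and recovers."""
    return bytes(b ^ (key & 0xFF) for b in data)


def looks_like_text(blob: bytes) -> bool:
    """Heuristic acceptance test: after dropping trailing NUL terminators, every
    remaining byte must be printable ASCII. A wrong key normally turns the NUL
    terminator into a non-printable byte, which is what rejects it."""
    stripped = blob.rstrip(b"\x00")
    return len(stripped) > 0 and all(b in PRINTABLE for b in stripped)


def recover_string(enc: bytes, keys=CANDIDATE_KEYS):
    """Try each candidate key in order; return (key, plaintext) for the first
    one that yields printable text, or None if none does."""
    for key in keys:
        dec = xor_bytes(enc, key)
        if looks_like_text(dec):
            return key, dec.rstrip(b"\x00").decode("ascii")
    return None


def brute_force_keys(enc: bytes):
    """Fallback for an unknown sample: every single-byte key that yields
    printable text. Short strings may pass under several keys, so the result
    is a candidate list for an analyst to rank, not a single answer."""
    return [k for k in range(256) if looks_like_text(xor_bytes(enc, k))]


# Constructed sample blobs (hypothetical): plaintexts named in the analysis,
# encoded with the key the post associates with each group.
SAMPLE_BLOBS = [
    xor_bytes(b"/bin/busybox\x00", 0x22),    # standard Mirai string
    xor_bytes(b"/dev/watchdog\x00", 0x37),   # watchdog-related string
    xor_bytes(b"telecomadmin\x00", 0xEA),    # brute-force credential
    xor_bytes(b"admintelecom\x00", 0xEA),    # brute-force credential
]


def recover_all(blobs=SAMPLE_BLOBS, keys=CANDIDATE_KEYS):
    """Recover every blob; entries that match no key come back as None."""
    return [recover_string(b, keys) for b in blobs]


if __name__ == "__main__":
    for blob, result in zip(SAMPLE_BLOBS, recover_all()):
        if result is None:
            print(f"{blob.hex()}  -> no candidate key matched")
        else:
            key, text = result
            print(f"{blob.hex()}  -> key 0x{key:02x}: {text!r}")
```

The printable-text heuristic is deliberately strict about the NUL terminator: decrypting a NUL-terminated string with the wrong key leaves a stray non-printable byte at the end, which is usually enough to reject that key without any dictionary. For very short strings, or strings without a terminator, several keys can pass, so treat brute_force_keys as a shortlist and confirm against known Mirai strings such as the ones listed above.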
We also found the different URLs used by this variant. The first URL on the list ..