A new variant of the infamous Mirai botnet appeared in the threat landscape, it was discovered by researchers at Fortinet that referred it as OMG because of strings containing “OOMGA” in the configuration table.
“For this reason, we decided to name this variant OMG.”“The table, originally encrypted, was decrypted using 0xdeadbeef as the cipher key seed, using the same procedure adopted for the original Mirai. The first thing we noticed are the strings /bin/busybox OOMGA and OOMGA: applet not found.” wrote Fortinet.
The name Mirai was given to the Mirai bot because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which are commands to determine if it has successfully brute-forced its way into the targeted IoT device. These strings are similar with other variations such as Satori/Okiru, Masuta, etc.”
The Mirai botnet was first spotted in August 2016 by the security researcher MalwareMustDie, it was specifically designed to compromise vulnerable or poorly protected IoT. Once Mirai malware compromises an IoT device it recruits it into a botnet primarily used for launching DDoS attacks, such as the one that hit Dyn DNS service.
In October 2016, the Mirai source code was leaked and threat actors in the wild started customizing their Mirai botnet.
The OMG botnet includes most of Mirai’s features and modules, including the attack, killer, and scanner modules, but also adds new ones.
According to Fortinet its configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed.
“This variant also adds and removes some configurations that can be found in the original Mirai code. Two notable additions are the two strings that are used to add a firewall rule to allow traffic on two random ports, which we will discuss in the latter part of the article.” continues the analysis.
After initialization, OMG connects to the command and control (C&C) server, the configuration table analyzed in the post contains the CnC server string, ccnew.mm.my, which resolves to 22.214.171.124.
The malware connects to the C&C port 50023, then it sends a defined data message (0x00000000) to the server to identify itself as a new bot.
In response, the server sends a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used as a proxy server, the two options are:
The OMG botnet leverages the open source software 3proxy as its proxy server and during the set up phase the bot adds firewall rules to allow traffic on the two random ports.
“This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The set up begins by generating two random ports that will be used for the http_proxy_portand socks_proxy_port. Once the ports are generated, they are reported to the CnC.” continues the analysis.
“For the proxy to work properly, a firewall rule must be added to allow traffic on the generated ports. As mentioned earlier, two strings containing the command for adding and removing a firewall rule to enable this were added to the configuration table .”
Fortinet experts believe the operators behind the OMG botnet sell access to the IoT proxy server, they highlighted that this is the first Mirai variant that sets up proxy servers on vulnerable IoT devices.
“With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” concluded Fortinet.
Further details, including IoCs are reported in the blog post published by Fortinet.
(Security Affairs – Mirai , OMG botnet)