New Mirai botnet hides C2 server in the Tor network to prevent takedowns

Researchers at Trend Micro have discovered a new Mirai Botnet that has command and control server in the Tor network to make takedowns hard.

Experts at Trend Micro have discovered a new Mirai Botnet that uses a Command and Control hidden in the Tor Network, a choice that protects the anonymity of the operators and makes takedowns operated by law enforcement hard.

“Barely a month since discovering a new Miori variant, we found another new Mirai sample through our research.” reads the analysis published by Trend Micro. “Compared to previous variants, however, we found this sample distinct because the cybercriminals placed the command and control (C&C) server in the Tor network for anonymity.” 

The malware’s command center is hidden to make takedowns a more complicated process. Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.

Since the code of the Mirai  was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG are just the last variants appeared online in 2018.

The new variant spotted by Trend Micro implements the same features as previous ones, it targets TCP ports 9527 and 34567, a circumstance that suggests its operators aim to target IP cameras and DVRs. 

The configuration includes possible default credentials that can be used to infect other hosts.

The communication protocol implemented in this sample is the same as previous Mirai variants except for the use of the socks5 connection. Experts also identified a byte sequence indicative of a DDoS command sent from the C&C server via a UDP flood attack to target a specific IP address.

“Looking for related samples and information elsewhere for comparison, other open sources such as VirusTotal yielded a report of the same hash value from the same URL source, which was an open directory also hosting other samples for other device architectures.” continues the report. “Other details from the report also showed another distribution server.”

Experts find this particular Mirai Botnet sample interesting for the deployment of the C&C server in Tor, likely to evade tracking of its IP address and avoiding being shut down by law enforcement. This is reminiscent of the BrickerBot botnet reported back in 2017. 

“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable.” concludes the post. “Likewise, the server remains running despite discovery, network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted due to other possible legitimate uses for Tor.

The presence of another distribution server and other samples designed for other device architectures possibly implies that these malicious actors intend to apply this operation in a larger scale. However, detection systems with signature and behavior-based mechanisms can still detect and block these malware intrusions.”

Pierluigi Paganini

(SecurityAffairs – Mirai botnet, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On