Security experts from Symantec have spotted a new cross-platform Mirai variant that has been created with an open-source project.
Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.
Since the code of the Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear online in 2018.
Now, researchers from Symantec have discovered a Mirai variant that could target multiple platforms; the sample they analyzed was built using the open-source project called Aboriginal Linux.
The new variant could be easily used to target multiple architectures, including ARM, MIPS, PowerPC, and x86.
“While this is similar behavior to the Mirai variants we’ve seen so far, what makes it interesting is the compiled binary. These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof.” reads the analysis published by Symantec.
“It should be noted that there is nothing malicious or wrong with this open-source project, the malware authors are once again leveraging legitimate tools to supplement their creations, this time with an effective cross compilation solution.”
The author of the new Mirai variant chose Aboriginal Linux to allow the easy compilation of the code that could be used to target a variety of devices, including routers, IP cameras, and Android devices.
“Given that the existing code base is combined with an elegant cross-compilation framework, the resultant malware variants are more robust and compatible with multiple architectures and devices, making it executable on a wide variety of devices ranging from routers, IP cameras, connected devices, and even Android devices.” continues Symantec.
According to the experts, as with many other Mirai infections, it starts with a shell script on a vulnerable device. That shell script attempts to download and execute individual executables, one after another, until it finds one that matches the device's architecture.
Once the Mirai bot has infected the system, it attempts to spread to devices that use default credentials or have known vulnerabilities. The Symantec researcher executed the sample in a contained environment and observed it attempting to scan more than 500,000 randomly generated IP addresses.
“The remainder of the malware’s functionalities are consistent with known Mirai behavior. For example, when I executed the sample in a contained environment, it attempted to scan more than 500,000 IP addresses generated through the random generation process previously described, and then tried to send raw packet data over port 23.” continues the report.
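The scanning behaviour described above, a single infected host trying port 23 against a large number of randomly generated addresses in a short time, is easy to pick out in outbound connection-attempt records, which is where a defender would look for it. The following Python is an added example written for this article, not Symantec's code or anything from the report; it assumes a simple whitespace-separated flow format (`<epoch> <src_ip> <dst_ip> <dst_port>`), and the sample records it analyses are constructed.

```python
from collections import Counter, defaultdict


def make_sample_flows():
    """Build constructed flow records (not real telemetry): one benign host and
    one host showing the Mirai-like pattern of many distinct port-23 targets."""
    base = 1534000000
    lines = []
    # Benign host: a few HTTPS connections plus a repeated telnet session to its own router.
    for i in range(5):
        lines.append(f"{base + i} 192.168.1.10 203.0.113.5 443")
    for i in range(3):
        lines.append(f"{base + i * 10} 192.168.1.10 192.168.1.1 23")
    # Infected host: 40 distinct destinations on port 23 within 40 seconds.
    for i in range(40):
        lines.append(f"{base + i} 192.168.1.50 198.51.100.{i + 1} 23")
    return "\n".join(lines)


def parse_flows(text):
    """Parse '<epoch> <src_ip> <dst_ip> <dst_port>' lines into tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def find_telnet_scanners(flows, window_seconds=60, min_distinct_targets=20, port=23):
    """Return {src_ip: peak_distinct_targets} for sources that contacted at least
    min_distinct_targets distinct destination IPs on `port` within any sliding
    window of window_seconds. Thresholds are assumptions to tune per network."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window start.
            while events[left][0] < ts - window_seconds:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(make_sample_flows())).items():
        print(f"possible telnet scanner: {src} ({n} distinct targets in one window)")
```

The detector keys on distinct destinations rather than raw connection count, so a legitimate host that opens many sessions to one telnet device is not flagged. Because a Mirai-style scanner sends raw SYNs to addresses that mostly never answer, the records fed to it should include attempted or denied connections (firewall deny logs, NetFlow with unanswered SYNs), not only completed sessions.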
This latest variant demonstrates how malware authors can leverage legitimate open-source software to improve their malicious code.