Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices. which allows it to attack a wider range of Internet of Things (IoT) devices,
Since the code of the Mirai
Samples recently discovered were compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.
“In late February 2019, Unit 42 discovered Mirai samples compiled for new processors/architectures not previously seen before.” reads the analysis published by Palo Alto Networks.
“Unit 42 has found the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.”
The innovations introduced in the latest version should rapidly increase the number of infections worldwide making the Mirai botnet even more dangerous.
In addition to the being compiled for these new architectures, experts pointed out that new samples also implement a new encryption algorithm that is a modified version of the standard byte-wise XOR used in the original Mirai source code.
“It uses 11 8-byte keys, all of which are cumulatively byte-wise XOR-ed to get the final resulting key.” continues the analysis.
The new samples also use a new “TCP SYN” DDoS attack option called
Experts discovered the new Mirai sample on a single IP that was exposing them via an open directory, but on February 22, 2019, attackers updated the server configuration to hide the file listing.
“Prior to the update on February 22, the same IP was hosting Mirai samples containing the following exploits known to be used in previous versions of Mirai. The presence of these exploits in both previous versions of Mirai and our newly discovered samples help show the tie between the two are likely used by the same attacker in this case. ” continues the analysis.
The exploits discovered by the experts targeted a ThinkPHP RCE flaw, a D-Link DSL2750B OS command injection flaw, an RCE in Netgear network devices, a flaw in Realtek in SOHO devices (CVE-2014-8361), and the Huawei router vulnerability tracked as CVE-2017-17215.
The improvements observed by the experts will expand the number of potential targets giving the attackers more DDoS firepower and posing a severe risk to the Internet infrastructure.
Further technical details, including Indicators of Compromise (IoCs) are included in the analysis published by Palo Alto Networks.