A new variant of the
Previous Miori variants used to communicate with the C2 server with a binary-based protocol with a login prompt displayed to anyone that knew its IP address.
Current version leverages a
“When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the
The message displayed after attempting to connect to the C&C console was “Fuck Off researcher!!”
The malicious code uses a simple substitution method for the encryption process, the researchers discovered the correspondence table
While the malware waits for instructions, it also searches for vulnerable systems to compromise.
The malicious code also supports other additional commands for terminating the attack and for killing its process.
The analysis of the strings found in the sample revealed the URL of the site that offers for sale the source code of the Miori bot. The authors are offering for sale the source code for US$110.
“Regardless of the reason behind its design, the malware’s routine is generally similar to typical Mirai variants: infect vulnerable IoT devices and use them as platforms for launching a DDoS attack. These differences also emphasize the necessity of keeping up with evolving IoT malware in the future.” concludes Trend Micro.
“Users can reduce the impact of such schemes by applying the right patches and updates for their deployed devices. As this malware acts like a typical Mirai variant, making sure to change default credentials with tougher security in mind can reduce the possibility of unauthorized access and success of brute force attacks.”
(SecurityAffairs – Miori Botney, IoT)