That malware evolves is nothing new, but some evolve more than others. Particularly Mirai.
We’ve previously looked at how Mirai, an IoT botnet, has changed since its source code became public, and recent analysis of IoT attacks and malware trends shows that Mirai has continued its evolution. The result is an increase in attacks using Mirai variants, as unskilled attackers create malicious botnets with relative ease.
The Avira IoT honeypot recently captured samples that are modified variants of Mirai. Our initial analysis found that these samples were similar to Mirai with one small, obvious change: the string “CORONA” in the “/bin/busybox CORONA” command. The IoT researchers at Avira therefore named this new Mirai variant ‘Mirai Corona’.
In the screenshot below, you can see the attacker link this Mirai variant to the Corona pandemic, suggesting that “Total lockdown is the solution”. Under the hood, it is still Mirai, just a new variant that targets NAS devices (ZyXEL NAS, exploiting CVE-2020-9054).
This post presents a detailed analysis of how this new Mirai variant exploits vulnerabilities found in the IoT landscape, along with its new C&C servers.
Analysis of the Mirai variant
The core functionality of Mirai does not change in this version. However, we observed a few changes that are worth mentioning.
Notable features:
- Different Control Flow Obfuscation
- Custom encryption/decryption technique
- Packet construction from C&C server information, and anti-DDoS capabilities
Different control flow obfuscation
Instead of the simple fork technique, the new Mirai variant uses a very different kind of control flow obfuscation. The main section of the code that calls encryptionhandle is an entirely different code block. rt_sigaction is used for the control flow obfuscation; this system call changes the action taken on receipt of a specific signal.
Custom encryption/decryption technique
In the image below, the Mirai variant can be seen communicating with the C&C, but before communicating with the C&C it decrypts some strings (commands and credentials). Instead of a simple XOR, it uses a custom routine.
After initialization and string decryption, the variant starts communicating with its C&C server.
Anti-DDoS capabilities and packet construction
The botnet has an attack_parsing() function that sets the DDoS attack mechanics (UDP, TCP, UDPbypass and TCPbypass) together with the command information sent by the C&C server (SYN flag, ACK flag, URG flag, RST flag, time, destination port, header length) used for packet construction.
Further, this botnet has anti-DDoS capabilities through its TCPbypass and UDPbypass attack routines, which is different from other, ordinary samples.
Below are the call graph images for TCPbypass, UDPbypass and packet construction in the attack_parsing() function:
Otherwise, we see the usual activity: it communicates with /dev/watchdog to prevent the watchdog from rebooting the device.
The Mirai variant uses the cleaner_get_name(), killer_kill_by_cmdline and killer_kill_by_permission functions, which allow the botnet to kill processes by specific strings, by process command line and by permission respectively. Furthermore, it binds to TCP port 28341 to ensure that only a single instance runs on an infected device. The botnet scans TCP port 23 of random hosts for brute-forcing and phones back to its C&C server once a login attempt succeeds.
Once the malware is up, it sends a beacon to a C&C server on a specific port, notifying the C&C that it is now ready to execute commands on the device. During our analysis, we found the following C&C servers:
- 104[.]218.50.89
- 167[.]86.126.28
- 185[.]125.230.11
- 84[.]196.75
- 148[.]120.105
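The two host-side indicators described above, the single-instance listener on TCP port 28341 and a connection to one of the listed C&C addresses, can be checked on a suspect device from its socket table. The following Python script is an added example, not code from the post or from Avira: it turns the defanged C&C list back into addresses (the two incomplete entries, 84[.]196.75 and 148[.]120.105, are kept exactly as the post gives them and are dropped by validation) and scans /proc/net/tcp-style lines for both indicators. The /proc/net/tcp content is constructed sample data; the remote port 7102 in it is an arbitrary placeholder, since the post does not name the beacon port, and the parser assumes a little-endian host because that file stores addresses in host byte order.

```python
import ipaddress
import socket
import struct

# C&C addresses exactly as listed (defanged) in the post. Two entries are
# incomplete on the page and are kept as given; refang() drops them.
DEFANGED_C2 = [
    "104[.]218.50.89", "167[.]86.126.28", "185[.]125.230.11",
    "84[.]196.75", "148[.]120.105",
]
SINGLE_INSTANCE_PORT = 28341          # TCP port the variant binds for its single-instance check
STATE_ESTABLISHED, STATE_LISTEN = 0x01, 0x0A   # socket states used in /proc/net/tcp


def refang(entry: str):
    """Turn a defanged IoC back into an IPv4 address, or None if it is not a complete address."""
    candidate = entry.replace("[.]", ".")
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def c2_addresses():
    """Set of valid, refanged C&C addresses."""
    return {ip for ip in map(refang, DEFANGED_C2) if ip}


def _hex_addr(field: str):
    """Decode an 'IPHEX:PORTHEX' field; the IP is a 32-bit value in host (little-endian) order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for each socket line."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        yield _hex_addr(fields[1]) + _hex_addr(fields[2]) + (int(fields[3], 16),)


def find_indicators(text: str, c2=None):
    """Return a list of (indicator, ip, port) tuples found in a /proc/net/tcp dump."""
    c2 = c2_addresses() if c2 is None else c2
    hits = []
    for lip, lport, rip, rport, state in parse_proc_net_tcp(text):
        if state == STATE_LISTEN and lport == SINGLE_INSTANCE_PORT:
            hits.append(("single-instance-port", lip, lport))
        if rip in c2:
            hits.append(("c2-connection", rip, rport))
    return hits


# Constructed sample of /proc/net/tcp (not captured from a real device):
# line 0 is a benign local listener, line 1 listens on 0x6EB5 = 28341,
# line 2 is an established connection to 104.218.50.89 (0x5932DA68 little-endian).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:6EB5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C7A3 5932DA68:1BBE 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_PROC_NET_TCP):
        print(*hit)
```

On a live device the same function can be fed the contents of /proc/net/tcp directly; a listener on 28341 alone is only a weak signal (any service could use that port), but combined with an outbound connection to a known C&C address it is worth isolating the device and pulling the binary for the hash list below.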
Conclusion
It is important to safeguard IoT endpoints installed in consumer environments. It is the industry’s responsibility, and the responsibility of the consumer, to ensure that their IoT devices are reliable products, have strong authentication credentials and are regularly patched.
The Avira IoT Research team monitors such new malware families and variants and provides detections for them. Integrating Avira SafeThings and anti-malware technologies can help protect customers from such attacks.
IoCs
List of different Mirai variants:
Sample hash (SHA-256) | Source | Executable format | Target architecture | Debugging info
--- | --- | --- | --- | ---
013ca1e05699062db31011d73c217ed3d2aa543ff16e43fb3886dd98202b26ab | Honeypot | ELF 32-bit LSB executable | ARM | stripped
0584cbbec12e87d576a7379e8940b4040cdb8d6a2c4d3956b482960347bdb90a | Honeypot | ELF 32-bit LSB executable | ARM | stripped
08a74b717b01f42221fad7b2dc1e9d918283c680d6d3c6c85f2af929645475eb | Honeypot | ELF 32-bit LSB executable | ARM | stripped
09fdad7129c182457b8c3b9e4f25a9c741e61cfe809301f44e13f77cfb3462e6 | Honeypot | ELF 32-bit LSB executable | ARM | stripped
0be67ed20c038a2aac9e2f7733df4c005c8b8f0974cc8add170d211657aad106 | Honeypot | ELF 32-bit LSB executable | ARM | stripped
12bd8ea2aa201703fb59f49d48d4d9488f62c66c763c077013ccac0ed2ca5f1e | Honeypot | ELF 32-bit LSB executable | ARM | stripped
167c0e763c3f998890a7d16f680283e8800d096e09273e58539236533047d473 | Honeypot | ELF 32-bit LSB executable | ARM | stripped
17fc8cae53461774c2db746472adbf66ab4c2cdd41a1fd761052ef9e28fdd8f8 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
1ea9bb247a4ec60242847f572ef0384c80b014fa972f4fa5cb6373a7ab1b0de8 | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
284e35bcaa498d885f366107025f06ef14b0358621889c73b640eae031225588 | VirusTotal | ELF 32-bit MSB executable | MIPS | stripped
3308ebcd96bd42e15128fa68db7be71004b5f406f214c3d3d6c202883034d252 | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
346100885bfcfbb3f6995150ef21cfd905ade6485d1db304462d07810367032e | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
34fe6476bbbd1c357119cc137c42eaed1ad96d72dfb07be5a252dbac827d49f0 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
3c41de8bcf24966f383eca595617d93c3e112fcb20b37b3c03e0aaa5e24839f6 | VirusTotal | ELF 32-bit MSB executable | PowerPC or cisco 4500 | stripped
3fc6d131685d84cda3791de96a9b10918b9a310467236b4216ad10f98abbe3f4 | VirusTotal | ELF 32-bit MSB executable | Motorola m68k | stripped
4717e940f41ed3d377dfb95ec0092400b26d5c8101603c13bce390a92a7c0d83 | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
3a49d1fdd9f19b8031a6c07ea8c8ffa92b2563864729a4cc8ec68f5a9f96d999 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
48aabb4ac83cebe9aec6af359a2e10af0ed112fc3936f8c4149a3838e6dfc426 | VirusTotal | ELF 32-bit MSB executable | MIPS | stripped
575a28ca439411a40d8cf0f381c6f0c1889a8a08627d2135ff28b9dfd8e2dc6c | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
6a651d67be24382c9328b6de7829dc861a6958ff38e4260abb35e16b8f60666a | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
6e533d390048e1bb3157c0aa6a429195698515cf2bcd99fb2276d202a2e6c2c4 | VirusTotal | ELF 32-bit MSB executable | PowerPC or cisco 4500 | stripped
6f8026820c63c92e610de15e771e8d00826bd5050a3c4b06210e23f6fc68868b | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
7854e35610ead6f1010ccd1858c6b6ecb19c34c149c6326c10e7016202767711 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
8851b330a6bf5d2efade40a0262553e2a57bc3d3416f4f29f9f7bd1e5634edcb | VirusTotal | ELF 32-bit MSB executable | SPARC | stripped
8ca2c4c8236f159d55ee2160ed20bc69b51f93990898e6ecfea506ff3cdeca4a | VirusTotal | ELF 32-bit MSB executable | PowerPC or cisco 4500 | stripped
8ca3f4dd7ad0d01f3cd6a34fa060af33c3c840ccf6f368f294f0e50f380ec52f | VirusTotal | ELF 32-bit LSB executable | MIPS | stripped
93b75a6f4d1e6880d1dd08de14137a1685be0cf70dae05b89f74d3c83820a7ef | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
9b45260b5b5157a70dd7d8835b88b503f091f4ca1b64d7518843f41e14f986d7 | VirusTotal | ELF 32-bit MSB executable | MIPS | stripped
9bf2754afc362510ece8cfaa6062c70e4aee001ab2fd011f7a01dc35399db495 | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
a07d2c5c94a8048205cd24cff34195e3eed1534044772386b7b94a9e84f8ea2c | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
aa4caeb4f22998fdb7bb5a77e6cb75f9ddc5f598902c5f4f26842d060af08a37 | VirusTotal | ELF 32-bit LSB executable | ARM | stripped
aede29b4914344f00998d2e3183d005bee886a81f0e430536cf0a842ecdde4bd | VirusTotal | ELF 32-bit MSB executable | PowerPC or cisco 4500 | stripped
b37d62fb74bf89921dbbdcea8bb8f5a85bc4b2bbf002146c651921bdbf96e745 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
c25795c790a33c06ce48780a271db87035a4ad3a957766c7667a82758afecfde | VirusTotal | ELF 32-bit LSB executable | ARM | with debug_info
ca957197780b9e40d550828024377888130735c31815716106b0be65b80c51f1 | VirusTotal | ELF 32-bit LSB executable | MIPS | stripped
cd2bd1f6387a9c01d58765e40cf69b37d5dad28e6fa5af01dde39a045dd4af08 | VirusTotal | ELF 32-bit LSB executable | ARM | with debug_info
d6cf67dea7f89d87636f80eba76d4bfcdd6a5fc6540967c446c33522e95f156e | VirusTotal | ELF 32-bit MSB executable | PowerPC or cisco 4500 | stripped
dc65a17134774b13b898af7af3197fdab765de8770d92fdf2967dc9d382b0a08 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
e226bc964e31fb835ea2ae5fcd697d16a6e693557bf46bda43d0bf71f151d6c1 | VirusTotal | ELF 32-bit LSB executable | MIPS | stripped
e25521b6d5c974a8844d55a7f67b9ad6fc15129a7d6988695c01f25da06e9308 | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
e7f8389e88e6d336666ca9572829e88fddcdd2ceb532a305effaaff8514769cd | VirusTotal | ELF 32-bit LSB executable | Intel 80386 | stripped
e9dfa336a668c6d33352860d9443062446af41239edb0c6a9ec49213a6713534 | VirusTotal | ELF 32-bit LSB executable | MIPS | stripped
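The executable format and target architecture columns in the table above come straight from the first bytes of each sample's ELF header, and the “/bin/busybox CORONA” string that named this variant is a plain byte pattern in the binary. The following Python script is an added example, not code from the post or from Avira: it reads the ELF class, byte order, file type and e_machine field with the struct module (honouring the file's own byte order for the multi-byte fields) and checks for the CORONA marker, so a collected binary can be labelled the way the table does before it is hashed and compared. The two ELF images it examines are constructed in memory (a minimal header plus a padded string payload), not the real samples, and the machine-name map uses the wording file(1) prints, as in the table.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification, labelled with the strings file(1)
# prints for them (the same wording the IoC table uses).
MACHINES = {2: "SPARC", 3: "Intel 80386", 4: "Motorola m68k", 8: "MIPS",
            20: "PowerPC or cisco 4500", 40: "ARM"}
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
CORONA_MARKER = b"/bin/busybox CORONA"   # the string that named the variant


def describe_elf(data: bytes) -> dict:
    """Return the format line and machine name for an ELF image, or raise ValueError."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]           # EI_CLASS, EI_DATA in e_ident
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "LSB", 2: "MSB"}.get(ei_data)
    if bits is None or endian is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_type and e_machine follow the 16-byte e_ident and use the file's byte order.
    fmt = ("<" if endian == "LSB" else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "format": f"ELF {bits}-bit {endian} {E_TYPES.get(e_type, 'unknown')}",
        "machine": MACHINES.get(e_machine, f"unknown (0x{e_machine:04x})"),
    }


def has_corona_marker(data: bytes) -> bool:
    """True if the busybox CORONA command string appears anywhere in the image."""
    return CORONA_MARKER in data


def make_sample(ei_class: int, ei_data: int, e_type: int, e_machine: int,
                payload: bytes = b"") -> bytes:
    """Build a minimal synthetic ELF header (constructed test data, not a real sample)."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    fmt = ("<" if ei_data == 1 else ">") + "HHI"      # e_type, e_machine, e_version
    return ident + struct.pack(fmt, e_type, e_machine, 1) + payload


# Constructed images: a 32-bit little-endian ARM executable carrying the marker,
# and a 32-bit big-endian MIPS executable with an unrelated (made-up) busybox string.
SAMPLES = {
    "arm_lsb": make_sample(1, 1, 2, 40, b"\x00" * 32 + CORONA_MARKER + b"\x00"),
    "mips_msb": make_sample(1, 2, 2, 8, b"\x00" * 32 + b"/bin/busybox PLACEHOLDER\x00"),
}


def triage(samples: dict) -> dict:
    """Label each image the way the IoC table does and flag the CORONA marker."""
    result = {}
    for name, data in samples.items():
        info = describe_elf(data)
        info["corona_marker"] = has_corona_marker(data)
        result[name] = info
    return result


if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print(name, info)
```

The “stripped” versus “with debug_info” column is not derived here; that requires walking the section headers for a symbol table, which is more than a header read. For real files, pass the bytes of the collected binary to describe_elf() and has_corona_marker() and compare its SHA-256 with the table.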