Mirai Variant Has Bitcoin Mining Capabilities
11.4.2017 securityweek IoT
A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.
Initially spotted in September last year, Mirai was designed to find insecure IoT devices and ensnare them into a botnet primarily used for launching DDoS (distributed denial of service) attacks. Variants of the malware started to emerge after the Trojan’s source code was leaked, and a Windows variant designed to spread the Linux version was spotted earlier this year.
The newest variant moves beyond the initial DDoS capabilities of the botnet, with the addition of a component focused on Bitcoin mining. This crypto-currency has doubled in price over the past half year, trading at more than $1,290 per unit this March, above the November 2013 high of $1,242.
The Bitcoin mining-capable Mirai variant was observed in a short-lived, high-volume campaign at the end of March, targeting Linux machines running BusyBox. The attack focuses on devices such as DVR servers, which usually feature BusyBox with default Telnet credentials that Mirai targets with a dictionary attack brute-force tool.
In addition to the various types of attacks that Mirai bots can perform, such as TCP, UDP, and HTTP floods, the new variant also turns the compromised devices into Bitcoin miner slaves. Because IoT devices usually lack computing power, they can’t create Bitcoins, at least not on their own.
“Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” IBM explains.
IBM researchers found the Mirai dropper in a web console and associated the site to a series of high-volume command injection attacks. They also determined that the website was used as a malware package archive repository and that it was also counting infected victims in real-time. What’s more, the file package also included a Dofloo backdoor and a Linux shell.
Mirai is only one of the malware families to have adopted crypto-currency mining lately, after the Sundown exploit kit started distributing a Monero miner several months ago. Last year, researchers discovered a Go-based Linux Trojan focused on Monero mining.