Mirai Variant Spotted Using Multiple Exploits, Targets Various Routers
Trend Micro researchers uncovered a new variant of the notorious Mirai malware (detected by Trend Micro as Trojan.Linux.MIRAI.SMMR1) that uses multiple exploits to target various routers and internet-of-things devices. This version of Mirai was observed in honeypots the researchers set up to monitor IoT-related threats.
The Mirai variant was uncovered during research on another IoT malware, Bashlite, which was updated to add capabilities like deploying cryptocurrency-mining and bricking malware. Compared to Bashlite, however, this Mirai variant doesn’t have those functionalities. Additionally, while both threats have backdoor and distributed-denial-of-service (DDoS) capabilities, the way they implement the commands is different.
Figure 1 shows the attack’s infection vectors in the honeypot logs. Figure 2 shows that the malware authors named it ECHOBOT.
Figure 1. Code showing the attack’s infection vectors based on logs from our honeypot
Figure 2. The Mirai variant’s decrypted strings
Figures 3, 4, and 5 show this Mirai variant’s use of multiple publicly available proofs of concept (PoCs) and Metasploit modules. These exploits also target various routers and devices:
Figure 3. Snapshots of code embedded in the Mirai variant exploiting vulnerabilities in ZyXEL P660HN-T v1 (top) and GPON routers (bottom)
Figure 4. Snapshots of code embedded in the Mirai variant exploiting vulnerabilities in Huawei Router HG532 (top) and Linksys E-series routers (bottom)
Figure 5. Snapshots of code embedded in the Mirai variant exploiting vulnerabilities in Realtek SDK (top) and ThinkPHP 5.0.23 and 5.1.31 framework (bottom)
Apart from the use of multiple exploits, this version of Mirai retains its backdoor and DDoS capabilities. Mirai gained notoriety for its use in attacks that knocked high-profile websites offline and caused service outages. Since its emergence, it has become a perennial threat that widely affects IoT devices, and it continues to be updated with more capabilities or functions. For example, this Mirai variant’s dictionary attacks (which use preprogrammed usernames and passwords) include credentials that aren’t present in other or older versions of Mirai: videoflow, huigu309, CRAFTSPERSON, ALC#FGU, and wbox123.
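One way to check honeypot or device login logs for the credentials listed above, as an added example that is not Trend Micro's code. The log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Credentials the article lists as new to this Mirai variant's dictionary.
# The article does not say which are usernames and which are passwords,
# so both fields of every login attempt are checked.
VARIANT_CREDS = {"videoflow", "huigu309", "CRAFTSPERSON", "ALC#FGU", "wbox123"}

# Assumed (constructed) log format, one login attempt per line:
#   <timestamp> src=<ip> proto=<telnet|ssh> user=<name> pass=<password>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>.*)$"
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """\
2019-04-08T12:00:01Z src=203.0.113.5 proto=telnet user=root pass=wbox123
2019-04-08T12:00:02Z src=203.0.113.5 proto=telnet user=admin pass=ALC#FGU
2019-04-08T12:00:03Z src=203.0.113.5 proto=telnet user=root pass=12345
2019-04-08T12:01:10Z src=198.51.100.7 proto=ssh user=admin pass=admin
2019-04-08T12:02:30Z src=192.0.2.44 proto=telnet user=CRAFTSPERSON pass=x
malformed line that should be skipped
2019-04-08T12:03:00Z src=192.0.2.44 proto=telnet user=root pass=WBOX123
"""

def find_variant_attempts(log_text):
    """Return {source_ip: sorted list of listed credentials it tried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login-attempt line
        # Exact, case-sensitive match: the article gives exact strings.
        for value in (m["user"], m["pw"]):
            if value in VARIANT_CREDS:
                hits[m["src"]].add(value)
    return {src: sorted(creds) for src, creds in hits.items()}

def likely_variant_sources(log_text, min_distinct=2):
    """Sources that tried at least `min_distinct` different listed credentials."""
    found = find_variant_attempts(log_text)
    return sorted(s for s, c in found.items() if len(c) >= min_distinct)

if __name__ == "__main__":
    for src, creds in find_variant_attempts(SAMPLE_LOG).items():
        print(src, creds)
```

A single hit can be coincidence; a source cycling through several of these strings is a stronger sign of this variant's dictionary, which is what `likely_variant_sources` reports.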
Mirai doesn't just adversely affect the privacy and security of IoT devices and data stored in them. It can also take control of infected devices and make them part of the problem. While IoT device manufacturers play important roles in securing these devices, users and businesses should also adopt good security practices to defend against threats like Mirai, such as:
Trend Micro Smart Home Network™ provides coverage to many of the vulnerabilities cited in the article via these rules:
Indicators of Compromise:
Related hash (SHA-256) detected as Trojan.Linux.MIRAI.SMMR1:
Related malicious IP address/URL:
Analysis and insights by Augusto Remillano II, Jakub Urbanec, Byron Galera, and Mark Vicente
Updated as of April 10, 2019, 7:57 PM EDT to include the rules in the Trend Micro Smart Home Network solution.