New Mirai Samples Grow the Number of Processor Targets

New samples of the Mirai malware have been identified, targeting an array of embedded processors and architectures within connected devices.

Researchers said that they discovered new Mirai samples in February 2019, capable of infecting IoT devices running Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. Variants of Mirai have previously targeted CPU architectures like ARM and x86.

While it’s not the first time Mirai’s targeting of new processor architectures has expanded – samples targeting Argonaut RISC Core (ARC) CPUs were discovered in January 2018 –the development shows that Mirai developers continue to expand their targets to incorporate a growing array of IoT devices, researchers with Palo Alto Network’s Unit 42 group said in a Monday post.

“The addition of these processors expands the pool of potential devices which can be compromised and used for malicious activity,” Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, told Threatpost. “We can’t confirm all devices which contain these processors or why the actors chose to compile for them.”

Xilinx’s MicroBlaze processor and Altera’s Nios II processors are specifically designed for field programmable gate array (FPGA) integrated circuits. FPGAs, which allow users to program hardware circuits to optimize a chip for a particular workload, are used for IoT application application requirements due to their low power.

The Mirai samples also are capable of infecting Tensilica’s Xtensa processors, which range from small low-power microcontrollers up to neural network processors; and OpenRISC project based-open source CPUs, several of which are also known to run on FPGAs.

Mirai Samples

“Expanding Mirai-like malware to new architectures will only cause further headaches for those responsible for mitigating botnet activity,” Troy Mursch, owner of Bad Packets Report, told Threatpost. “Given that the source code for Mirai has been open source for years now, this was inevitable. As for the impact of this ‘expansion’ we’ll have to wait and see. DDoS attacks from Mirai-like botnets continue to plague the internet with some recently reaching nearly 40 Gbps in size.”

The latest samples were discovered being hosted in an open directory on a single IP. The samples contained exploits that were known to be used in previous versions of Mirai.

That includes an exploit for a ThinkPHP remote code execution flaw, a D-Link DSL2750B OS command infection and a Netgear remote code execution glitch. Also included were exploits for CVE-2014-8361 (an arbitrary code execution flaw in Realtek SDK) and CVE-2017-17215 (a remote code execution flaw in Huawei HG532 routers).

“The presence of these exploits in both previous versions of Mirai and our newly discovered samples help show the tie between the two are likely used by the same attacker in this case,” researchers said.

Mursch said he has also seen the same exploit attempts targeting the vulnerabilities listed.

“This is because the targeted devices do not get patched and become re-infected by Mirai-like malware over and over,” he said. “CVE-2017-17215 is notable as it was used by the Satori botnet and infected hundreds of thousands of Huawei devices. The author of that botnet is now under indictment by the FBI.”

On Feb. 22, the server was updated to hide the file listing, researchers said. A full list of Indicators of Compromise (IoCs) are available on their blog post.

Mirai is best known for being used in a massive, unprecedented DDoS attack that compromised more than 300,000 IoT devices to take down major websites in 2016.

Variants of Mirai continue to pop up as cybercriminals tap into a growing rate of vulnerable Internet of Things devices. In September, researchers discovered new variants for the infamous Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; and in March researchers said that a new Mirai variant was targeting TV and presentation systems used by enterprises.

Don’t miss our free_ _Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss_ _how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.