Just in time for IoT Day, the Mirai botnet is launching attacks with a new trick up its sleeve. In February, the Mirai malware began leveraging a Windows Trojan to widen its distribution. On the heels of our paper “Weaponizing the Internet of Things,” published last week, IBM X-Force recently uncovered a new variant of the ELF Linux/Mirai malware that has a new twist: a built-in bitcoin mining component.
Bobbing for Bitcoins
The Mirai botnet was developed for two primary purposes: to identify and compromise Internet of Things (IoT) devices to grow the botnet, and to perform distributed denial-of-service (DDoS) attacks against predefined targets. As described in our report, several successful attacks have been launched using this botnet within the past year. The ELF Linux/Mirai malware variant was first discovered in August 2016 by white-hat security research group MalwareMustDie.
This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering, though. We know that as we move toward becoming a cashless society, there may be more incentive to mine for or purchase bitcoins. Attackers certainly have much to gain from having bitcoins in their pocket to facilitate their cybercriminal activities — bitcoin is the currency of choice for purchasing illegal commodities such as malware.
But using IoT devices to mine for bitcoins? Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity. How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn’t attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past? It’s possible they’re looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture.
Here, we take a look at a recent, short-lived, high-volume ELF Linux/Mirai attack campaign using the new component, bitcoin miner slave, targeting IBM X-Force-monitored clients.
The New Mirai Campaign: Short-Lived, Yet Notable
IBM X-Force began seeing traffic containing links to ELF 64-bit binary files beginning in late March 2017. As shown in Figure 1, the activity was barely a blip on the screen on March 20, but then reached a 50 percent increase in volume just four days later. The activity subsided eight days after it began.
Figure 1: ELF Mirai attack activity (Source: IBM X-Force-monitored client data)
What we found when we dissected the Mirai sample was pretty much the same Mirai functionality ported over from the Windows version with a focus on attacking Linux machines running BusyBox. This software provides several stripped-down Unix tools in a single executable file and digital video recording (DVR) servers. BusyBox utilizes Telnet, which is targeted with a dictionary attack brute-force tool contained in the Mirai malware. The DVR servers are targeted because many of them use default Telnet credentials.
The Telnet protocol is an attacker’s gateway to compromising IoT devices. Aside from DVRs, many embedded system applications in IoT devices, such as routers, VoIP phones, televisions, industrial control systems and others, leverage Telnet’s remote-access capabilities.
The New Addition: Bitcoin Miner Slave
Mirai bots can perform a few different types of attacks. Besides the usual capabilities of multiple flooding tools using TCP, UDP and HTTP protocols, several other capabilities were built into WL4-A0ACM1, the aforementioned Windows version, including SQL injection and brute-force attack tools.
The new ELF Linux/Mirai malware variant we discovered included another add-on: a bitcoin miner slave. This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all. Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.
We found the Mirai dropper in a web console similar to the example in Figure 2 below. We detected this site in a series of high-volume command injection attacks. The site was acting as a malware package archive repository and contained a real-time counter of victims it had infected. This file package also included a Dofloo backdoor and a Linux shell.
Figure 2: A screen capture of the Mirai dropper web console (Source: IBM X-Force)
Calling All Users and Manufacturers!
Addressing the IoT botnet phenomenon is going to require all stakeholders to take steps to secure these devices. This includes home and enterprise users as well as manufacturers. Fortunately, our report offers recommendations for all three groups. We highly encourage readers to review the report for guidelines on how to prevent IoT devices from becoming part of a botnet. If the weaponization of IoT devices into DDoS botnets is the latest malicious trend, then turning them into bitcoin miners may be just around the corner.