Just in time for IoT Day, the Mirai botnet is launching attacks with a new trick up its sleeve. In February, the Mirai malware began leveraging a Windows Trojan to widen its distribution. On the heels of our paper “Weaponizing the Internet of Things,” published last week, IBM X-Force recently uncovered a new variant of the ELF Linux/Mirai malware that has a new twist: a built-in bitcoin mining component.

Bobbing for Bitcoins

The Mirai botnet was developed for two primary purposes: to identify and compromise Internet of Things (IoT) devices to grow the botnet, and to perform distributed denial-of-service (DDoS) attacks against predefined targets. As described in our report, several successful attacks have been launched using this botnet within the past year. The ELF Linux/Mirai malware variant was first discovered in August 2016 by white-hat security research group MalwareMustDie.

This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering, though. We know that as we move toward becoming a cashless society, there may be more incentive to mine for or purchase bitcoins. Attackers certainly have much to gain from having bitcoins in their pocket to facilitate their cybercriminal activities — bitcoin is the currency of choice for purchasing illegal commodities such as malware.

But using IoT devices to mine for bitcoins? Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity. How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn’t attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past? It’s possible they’re looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture.

Here, we take a look at a recent, short-lived, high-volume ELF Linux/Mirai attack campaign using the new component, bitcoin miner slave, targeting IBM X-Force-monitored clients.

Read the complete X-Force Research report: The Weaponization of IoT

The New Mirai Campaign: Short-Lived, Yet Notable

IBM X-Force began seeing traffic containing links to ELF 64-bit binary files beginning in late March 2017. As shown in Figure 1, the activity was barely a blip on the screen on March 20, but then reached a 50 percent increase in volume just four days later. The activity subsided eight days after it began.

Figure 1: ELF Mirai attack activity (Source: IBM X-Force-monitored client data)

What we found when we dissected the Mirai sample was pretty much the same Mirai functionality ported over from the Windows version with a focus on attacking Linux machines running BusyBox. This software provides several stripped-down Unix tools in a single executable file and digital video recording (DVR) servers. BusyBox utilizes Telnet, which is targeted with a dictionary attack brute-force tool contained in the Mirai malware. The DVR servers are targeted because many of them use default Telnet credentials.

The Telnet protocol is an attacker’s gateway to compromising IoT devices. Aside from DVRs, many embedded system applications in IoT devices, such as routers, VoIP phones, televisions, industrial control systems and others, leverage Telnet’s remote-access capabilities.

The New Addition: Bitcoin Miner Slave

Mirai bots can perform a few different types of attacks. Besides the usual capabilities of multiple flooding tools using TCP, UDP and HTTP protocols, several other capabilities were built into WL4-A0ACM1, the aforementioned Windows version, including SQL injection and brute-force attack tools.

The new ELF Linux/Mirai malware variant we discovered included another add-on: a bitcoin miner slave. This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all. Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.

We found the Mirai dropper in a web console similar to the example in Figure 2 below. We detected this site in a series of high-volume command injection attacks. The site was acting as a malware package archive repository and contained a real-time counter of victims it had infected. This file package also included a Dofloo backdoor and a Linux shell.

Figure 2: A screen capture of the Mirai dropper web console (Source: IBM X-Force)

Calling All Users and Manufacturers!

Addressing the IoT botnet phenomenon is going to require all stakeholders to take steps to secure these devices. This includes home and enterprise users as well as manufacturers. Fortunately, our report offers recommendations for all three groups. We highly encourage readers to review the report for guidelines on how to prevent IoT devices from becoming part of a botnet. If the weaponization of IoT devices into DDoS botnets is the latest malicious trend, then turning them into bitcoin miners may be just around the corner.

Read the complete X-Force Research report: The Weaponization of IoT

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

4 min read

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

4 min read

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

12 min read

How to Report Scam Calls and Phishing Attacks

5 min read - With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…

5 min read