Cymulate’s research team has discovered a new in the wild variant of the notorious Mirai malware. This version attempts to gain access to systems by guessing user passwords via SSH channels and then installs itself in various directories under the hidden folder “z”. It then executes various commands such as “cp” and “chmod” to carry out its malicious activities.
Mirai New Variant Attack Methods
The new Mirai malware variant, originating from the primary IP 171.22.136.15, communicates with 109.206.243.207. This version uses various techniques to gain access to systems, such as SSH brute force attacks, to guess user passwords. The malware payload then installs itself in different directories under the hidden folder “z” by executing commands like “cp” and “chmod.” This approach enables the malware to evade detection by hiding within legitimate files and directories.
The New Mirai Variant Unique Features
The new Mirai malware variant uses the “uname” system call to query DNS lookup and execute the “systemctl” command, which controls the systemd system and service manager. Additionally, the malware deletes log files and appears to delete itself at the end of the attack.
This new variant of the Mirai malware has been identified by Cymulate with three unique hashes:
- f8ef3fcfba41573fac115af669c0b712dcdf2d38673fb62abce850fa63ac8b83
- d5d15893674012d0caf1323f3dcaf5cba00079b33f4805bfa6283b1500612644
- 04c903b14210f7b38f2ae797755b27e80a37838ebb83976367ac48b258135ed8
In addition to Cymulate’s discovery of the new Mirai malware variant, Snort rules created by Proofpoint were found in VirusTotal, related to the discussed above attack. These rules include:
ET DROP Dshield Block Listed Source group 1 at Proofpoint Emerging Threats Open
ET DNS Query for .cc TLD at Proofpoint Emerging Threats Open
These rules can aid in detecting and preventing the new Mirai malware variant by identifying its malicious activities. It is essential for organizations to incorporate these rules into their cybersecurity defenses to stay protected from such attacks. And check with cybersecurity vendors and partners to ensure that their defenses are up-to-date with these Mirai IoCs.
Checking resilience against Mirai
Cymulate Immediate Threat Intelligence Module already has a test ready to run.
Impact on Cybersecurity
This new variant of the Mirai malware poses a significant threat to cybersecurity due to its ability to evade detection by hiding within legitimate files and directories. Its use of SSH brute force attacks to gain access to systems highlights the importance of strong and unique passwords to prevent unauthorized access to systems. Moreover, the malware’s use of the “systemctl” command emphasizes the need for organizations to have robust system and service management practices to prevent such attacks.