Malware warning sign Malware warning sign-mask

New Mirai Variant Discovered by Cymulate   

Cymulate’s research team has discovered a new in the wild variant of the notorious Mirai malware. This version attempts to gain access to systems by guessing user passwords via SSH channels and then installs itself in various directories under the hidden folder “z”. It then executes various commands such as “cp” and “chmod” to carry out its malicious activities.  

Mirai New Variant Attack Methods 

The new Mirai malware variant, originating from the primary IP 171.22.136.15, communicates with 109.206.243.207. This version uses various techniques to gain access to systems, such as SSH brute force attacks, to guess user passwords. The malware payload then installs itself in different directories under the hidden folder “z” by executing commands like “cp” and “chmod.” This approach enables the malware to evade detection by hiding within legitimate files and directories. 


 

The New Mirai Variant Unique Features

The new Mirai malware variant uses the “uname” system call to query DNS lookup and execute the “systemctl” command, which controls the systemd system and service manager. Additionally, the malware deletes log files and appears to delete itself at the end of the attack.  

This new variant of the Mirai malware has been identified by Cymulate with three unique hashes: 

 

  • f8ef3fcfba41573fac115af669c0b712dcdf2d38673fb62abce850fa63ac8b83 
  • d5d15893674012d0caf1323f3dcaf5cba00079b33f4805bfa6283b1500612644 
  • 04c903b14210f7b38f2ae797755b27e80a37838ebb83976367ac48b258135ed8 

In addition to Cymulate’s discovery of the new Mirai malware variant, Snort rules created by Proofpoint were found in VirusTotal, related to the discussed above attack. These rules include: 

 

ET DROP Dshield Block Listed Source group 1 at Proofpoint Emerging Threats Open 

ET DNS Query for .cc TLD at Proofpoint Emerging Threats Open 

 

These rules can aid in detecting and preventing the new Mirai malware variant by identifying its malicious activities. It is essential for organizations to incorporate these rules into their cybersecurity defenses to stay protected from such attacks. And check with cybersecurity vendors and partners to ensure that their defenses are up-to-date with these Mirai IoCs. 

 

Checking resilience against Mirai  

 

Cymulate Immediate Threat Intelligence Module already has a test ready to run. 

 

Impact on Cybersecurity 

This new variant of the Mirai malware poses a significant threat to cybersecurity due to its ability to evade detection by hiding within legitimate files and directories. Its use of SSH brute force attacks to gain access to systems highlights the importance of strong and unique passwords to prevent unauthorized access to systems. Moreover, the malware’s use of the “systemctl” command emphasizes the need for organizations to have robust system and service management practices to prevent such attacks. 

 

Free 14 days trial

Related Resources

Blog

Explanation of Log4Shell Attack

Breaking down the Log4j attack and sharing remediation prevention.

READ MORE arrow icon

Live Demo

Responding to Major Vulnerabilities

Learn how to run vulnerability discovery, validate your security controls, and how to prioritize vulnerability patching and minimize risk exposure.

REGISTER NOW arrow icon

Blog

Addressing Log4j Vulnerability

Cymulate provides four critical methodologies to determine if your organization is at risk.

READ MORE arrow icon