New Mirai Variant Uses SSH Brute Force and Hidden Installs to Evade Detection

This version of the malware attempts to gain access to systems by using SSH channels to guess user passwords, and then installs itself in different directories under the hidden folder "z". Commands like "cp" and "chmod" is used to execute the process.

Below are examples of the commands:

• cp /bin/echo /home/.z && >/home/.z && cd /home/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;
• cp /bin/echo /var/tmp/.z && >/var/tmp/.z && cd /var/tmp/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;
• cp /bin/echo /home/.z && >/home/.z && cd /home/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;
• cp /bin/echo /etc/.z && >/etc/.z && cd /etc/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;

This variant also uses the "uname" system call to query DNS lookup.
It executes the "systemctl" command used for controlling the systemd system and service manager.
It also deletes log files, and seems to delete itself at the end of the attack.

The research team has identified three unique hashes for this version of the malware:

• f8ef3fcfba41573fac115af669c0b712dcdf2d38673fb62abce850fa63ac8b83
• d5d15893674012d0caf1323f3dcaf5cba00079b33f4805bfa6283b1500612644
• 04c903b14210f7b38f2ae797755b27e80a37838ebb83976367ac48b258135ed8

Snort rules created by Proofpoint were found in VirusTotal and are related to the discussed above attack:

• ET DROP Dshield Block Listed Source group 1 at Proofpoint Emerging Threats Open
• ET DNS Query for .cc TLD at Proofpoint Emerging Threats Open