New Mirai Variant Uses SSH Brute Force and Hidden Installs to Evade Detection

March 28, 2023

This version of the malware attempts to gain access to systems by using SSH channels to guess user passwords, and then installs itself in different directories under the hidden folder "z". Commands like "cp" and "chmod" are used to execute the process.

Below are examples of the commands:

  • cp /bin/echo /home/.z && >/home/.z && cd /home/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;
  • cp /bin/echo /var/tmp/.z && >/var/tmp/.z && cd /var/tmp/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;
  • cp /bin/echo /etc/.z && >/etc/.z && cd /etc/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;

This variant also uses the "uname" system call to perform DNS lookups.
It executes the "systemctl" command, which controls the systemd system and service manager.
It also deletes log files, and seems to delete itself at the end of the attack.
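The staging commands above have a distinctive shape (copy /bin/echo to a hidden ".z" under /home, /var/tmp or /etc, truncate it, copy it to ".i" and ".d", chmod 777 both), which makes them a good candidate for a command-line detection rule. The following is an added example, not code from the original post: a small Python detector that scores shell command lines (as collected by auditd, an EDR, or shell history) against those indicators and flags lines that match at least two of them. The sample lines are constructed for the example; the first two reproduce commands quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Staging directories named in the advisory's command examples.
STAGING_DIRS = r"(/home|/var/tmp|/etc)"

# Each indicator is a regex matched against one shell command line.
INDICATORS = {
    "copy_echo_to_hidden_z": re.compile(r"\bcp\s+/bin/echo\s+" + STAGING_DIRS + r"/\.z\b"),
    "truncate_hidden_z":     re.compile(r">\s*" + STAGING_DIRS + r"/\.z\b"),
    "stage_to_i_and_d":      re.compile(r"\bcp\s+\.z\s+\.i\b.*\bcp\s+\.i\s+\.d\b"),
    "chmod_777_dotfile":     re.compile(r"\bchmod\s+777\s+\.[id]\b"),
}


@dataclass
class Finding:
    line_no: int                       # 1-based index into the scanned input
    indicators: list = field(default_factory=list)


def scan_command_lines(lines, min_indicators=2):
    """Return a Finding for every command line that matches at least
    `min_indicators` of the staging indicators. Requiring more than one
    keeps a lone `chmod 777` on some dotfile from raising an alert."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if len(hits) >= min_indicators:
            findings.append(Finding(n, hits))
    return findings


# Constructed sample telemetry: two lines quoted from the post, one benign
# admin command, and one lone chmod that should stay below the threshold.
SAMPLE_LINES = [
    "cp /bin/echo /home/.z && >/home/.z && cd /home/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;",
    "cp /bin/echo /var/tmp/.z && >/var/tmp/.z && cd /var/tmp/; rm -rf .i; cp .z .i; cp .i .d; chmod 777 .i; chmod 777 .d;",
    "cp /bin/echo /tmp/echo-backup && chmod 755 /tmp/echo-backup",
    "chmod 777 .d",
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {', '.join(f.indicators)}")
```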

The research team has identified three unique hashes for this version of the malware:

  • f8ef3fcfba41573fac115af669c0b712dcdf2d38673fb62abce850fa63ac8b83
  • d5d15893674012d0caf1323f3dcaf5cba00079b33f4805bfa6283b1500612644
  • 04c903b14210f7b38f2ae797755b27e80a37838ebb83976367ac48b258135ed8

Snort rules created by Proofpoint were found in VirusTotal and are related to the attack discussed above:

  • ET DROP Dshield Block Listed Source group 1 at Proofpoint Emerging Threats Open
  • ET DNS Query for .cc TLD at Proofpoint Emerging Threats Open