New Mirai Variant Targets Billions of ARC-Based Endpoints

Security experts are warning of a new Mirai variant targeting ARC processors, which could have an even bigger impact than the notorious malware on which it is based.

RISC-based ARC processors are widely used in IoT and embedded systems and are said to be shipped in over 1.5 billion products each year.

The new threat — named Okiru, which is Japanese for “wake up” — was first spotted by MalwareMustDie researcher @unixfreaxjp and touted as the first ever malware developed for ARC systems.

At the time of writing, 20/59 AV tools on VirusTotal detected the ELF malware threat.

Another researcher, Odisseus, tweeted the findings:

“This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet.”

However, it’s important to note that this Okiru is not the same as the one linked to the Satori IoT botnet, which was used to attack Huawei routers last month.

A Reddit thread explains the differences.

“Okiru variant's config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2 parts and doesn't encrypt brute default passwords,” it explains. “Also Okiru's telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.”

Mirai caused huge damage when it was made open source in 2016, compromising IoT devices protected only by default credentials and conscripting them into a botnet.

Despite comprising little more than 100,000 endpoints, it managed to take some of the internet’s biggest names offline after hitting service provider Dyn.

There’s the potential to wreak even more havoc for businesses around the world if it can do the same to ARC-based endpoints.
