New Mirai Variant Campaigns are Targeting IoT Devices

Written by

Unit 42, Palo Alto Networks threat research team, has found new malicious activity targeting IoT devices, using a variant of Mirai, a piece of malware that turns networked devices running Linux, typically small IoT devices, into remotely controlled bots that can be used in large-scale network attacks.

Dubbed IZ1H9, this variant was first discovered in August 2018 and has since become one of the most active Mirai variants.

Unit 42 researchers observed on April 10 that a wave of malicious campaigns, all deployed by the same threat actor, have been using IZ1H9 since November 2021. They published a malware analysis on May 25.

Read more: "Hinata" Botnet Could Launch Massive DDoS Attacks

IZ1H9 initially spreads through HTTP, SSH and Telnet protocols.

Once installed on an IoT device, the IZ1H9 botnet client first checks the network portion of the infected device’s IP address – just like the original Mirai. The client avoids execution for a list of IP blocks, including government networks, internet providers and large tech companies.

It then makes its presence visible by printing the word ‘darknet’ to the console.

“The malware also contains a function that ensures the device is running only one instance of this malware. If a botnet process already exists, the botnet client will terminate the current process and start a new one,” Unit 42 explained in the analysis.

The botnet client also contains a list of process names belonging to other Mirai variants and other botnet malware families. The malware checks the running process names on the infected host to terminate them.

The IZ1H9 variant tries to connect to a hard-coded C2 address: 193.47.61[.]75.

Once connected, IZ1H9 will initialize an encrypted string table and retrieve the encrypted strings through an index.

It uses a table key during the string decryption process: 0xBAADF00D. For each encrypted character, the malware performs XOR decryption with the following bytewise operations: cipher_char ^ 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = plain_char.

According to the logic behind the XOR operation, the configuration string key equals to 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA.

“The vulnerabilities used by this threat are less complex, but this does not decrease their impact since they could still lead to remote code execution. Once the attacker gains control of a vulnerable device, they can include the newly compromised devices in their botnet. This allows them to conduct further attacks such as distributed denial-of-service (DDoS). To combat this threat, it is highly recommended that patches and updates are applied when possible,” Unit 42 researchers concluded.

What’s hot on Infosecurity Magazine?