1 August 2019

New Mirai variant hides its C&Cs in Tor network for anonymity

Trend Micro researchers have discovered a new variant of Mirai, one of the most active and dangerous IoT malware families. Mirai targets IoT devices such as IP cameras, home routers and DVRs by abusing open ports and default credentials and by exploiting both disclosed and undisclosed vulnerabilities, then adds the compromised equipment to a botnet used for distributed denial-of-service (DDoS) attacks.

One of the most distinctive features of this new sample is its use of the Tor network to conceal its command and control (C&C) servers and to evade detection. While Mirai variants typically have one to four C&C servers, the researchers found 30 hard-coded IP addresses in the new sample.

“Executing the sample we had, it sent a specific sequence of “05 01 00”, a socks5 protocol initial handshake message. Next we sent the message to the servers and got the socks5 response “05 00” from the majority of the addresses, confirming that they were socks proxies to the Tor network. This was also checked with a Shodan scan as search results showed the socks proxies running on the servers,” reads the report.

According to Trend Micro, the malware picks a random server from the list to use as a proxy, establishes a SOCKS5 connection to it, and asks it to relay traffic to a C&C server at nd3rwzslqhxibkl7[.]onion:1356 on Tor. If the connection fails, the malware retries with another proxy from the list.
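The exchange described above, written out as an added example (this is not code from the Trend Micro report or from the malware). It builds and parses both sides of the SOCKS5 conversation: the 05 01 00 greeting and the 05 00 no-authentication reply the researchers used to confirm the proxies, then a CONNECT that names the .onion C&C by domain (SOCKS5 address type 0x03) so the proxy, not the bot, resolves it through Tor, and finally the random-pick-and-fall-back loop over a proxy list. Only the .onion name and port 1356 come from the report; the proxy addresses, the FakeProxy class and the simplified table layout are constructed for the demonstration.

```python
"""SOCKS5 exchange between a Mirai-style bot and a Tor SOCKS proxy (added example)."""
import random
import socket
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
ONION_CC = "nd3rwzslqhxibkl7.onion"   # from the report
CC_PORT = 1356                        # from the report


# ---- bot (client) side ---------------------------------------------------
def greeting() -> bytes:
    """Version 5, one auth method offered: 0x00 = no authentication -> 05 01 00."""
    return bytes([SOCKS5, 0x01, 0x00])


def accepts_noauth(reply: bytes) -> bool:
    """The reply the researchers looked for from a real proxy: 05 00."""
    return len(reply) == 2 and reply[0] == SOCKS5 and reply[1] == 0x00


def connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name target; Tor resolves .onion names itself."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain name must be 1..255 bytes")
    return bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack(">H", port)


def connect_succeeded(reply: bytes) -> bool:
    """REP field 0x00 means the proxy opened the circuit to the target."""
    return len(reply) >= 2 and reply[0] == SOCKS5 and reply[1] == 0x00


def probe_socks5(host: str, port: int, timeout: float = 5.0) -> bool:
    """Active check as described in the report: send 05 01 00, expect 05 00."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting())
            return accepts_noauth(s.recv(2))
    except OSError:
        return False


# ---- proxy side (what a SOCKS port in front of Tor answers) ---------------
def proxy_greeting_reply(data: bytes) -> bytes:
    """Accept no-auth if the client offered it, else 0xFF (no acceptable method)."""
    if len(data) >= 2 and data[0] == SOCKS5 and 0x00 in data[2:2 + data[1]]:
        return bytes([SOCKS5, 0x00])
    return bytes([SOCKS5, 0xFF])


def parse_connect_request(data: bytes):
    """Return (host, port) from a domain-type CONNECT, or None if malformed."""
    if len(data) < 5 or data[0] != SOCKS5 or data[1] != CMD_CONNECT or data[3] != ATYP_DOMAIN:
        return None
    n = data[4]
    if len(data) != 5 + n + 2:
        return None
    host = data[5:5 + n].decode("ascii", "replace")
    (port,) = struct.unpack(">H", data[5 + n:])
    return host, port


def proxy_connect_reply(target) -> bytes:
    """REP 0x00 (success) or 0x01 (general failure); bound address left zeroed."""
    rep = 0x00 if target is not None else 0x01
    return bytes([SOCKS5, rep, 0x00, 0x01]) + bytes(4) + bytes(2)


class FakeProxy:
    """In-memory stand-in for one of the 30 hard-coded proxies (constructed)."""

    def __init__(self, up: bool = True):
        self.up, self.greeted = up, False

    def exchange(self, msg: bytes) -> bytes:
        if not self.up:
            raise ConnectionRefusedError("proxy down")
        if not self.greeted:
            self.greeted = True
            return proxy_greeting_reply(msg)
        return proxy_connect_reply(parse_connect_request(msg))


def bot_connect(proxy_table: dict, rng=random):
    """Try proxies in random order, as the sample does; return the one that relayed us."""
    order = list(proxy_table)
    rng.shuffle(order)
    for addr in order:
        px = proxy_table[addr]
        try:
            if not accepts_noauth(px.exchange(greeting())):
                continue                      # not a SOCKS5 no-auth proxy, try the next one
            if connect_succeeded(px.exchange(connect_request(ONION_CC, CC_PORT))):
                return addr
        except OSError:
            continue                          # connection failed, fall back to another proxy
    return None


if __name__ == "__main__":
    table = {"198.51.100.10:9050": FakeProxy(up=False), "203.0.113.7:9050": FakeProxy()}
    print("relayed via", bot_connect(table))
```

The same greeting/reply pair is what `probe_socks5` sends to a live host, which is the cheap way to confirm that a suspicious hard-coded address really is a SOCKS proxy before blocking it; the CONNECT by domain name is the detail that lets a bot reach an .onion service without ever resolving it locally.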

As with other known Mirai variants, the new version's configuration values are encrypted by XOR with 0x22 (34) and embedded in the binary. It also scans random IP addresses on TCP ports 9527 and 34567 in search of exposed IP cameras and DVRs that are ripe for the taking, and its configuration contains a list of default credentials that can be used to compromise other hosts.
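An added example, not code from the report or the malware, showing how an analyst recovers an XOR-0x22 configuration table of this kind. Mirai stores its strings (C&C host, scanner credentials, process names) in a table whose bytes are XORed with a key; for the original source the 4-byte key 0xdeadbeef collapses to 0xde ^ 0xad ^ 0xbe ^ 0xef = 0x22, the value the article quotes. The code brute-forces the single-byte key with a known-plaintext crib, decodes the table, and emits the encoded form of a crib as a hex pattern for a YARA-style signature. The table layout (one length byte followed by the XORed bytes of each entry) is a simplification constructed for the demonstration, and the sample entries are constructed too.

```python
"""Recovering a Mirai-style XOR-obfuscated configuration table (added example)."""

MIRAI_TABLE_KEY = 0xDEADBEEF   # original Mirai table key; byte-wise it reduces to 0x22

# Constructed sample config: a crib string, the C&C name and two credential pairs.
SAMPLE_CONFIG = ["/bin/busybox", "nd3rwzslqhxibkl7.onion", "root", "xc3511", "admin", "1234"]


def effective_key(table_key: int) -> int:
    """Mirai applies each of the four key bytes in turn, which for one byte
    of plaintext is the same as XOR with their combination: 0xdeadbeef -> 0x22."""
    return ((table_key & 0xFF) ^ ((table_key >> 8) & 0xFF)
            ^ ((table_key >> 16) & 0xFF) ^ ((table_key >> 24) & 0xFF))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def pack_table(entries, key: int) -> bytes:
    """Constructed layout: 1-byte length + XORed bytes per entry (not Mirai's exact struct)."""
    out = bytearray()
    for s in entries:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("entry too long for 1-byte length field")
        out += bytes([len(raw)]) + xor_bytes(raw, key)
    return bytes(out)


def unpack_table(blob: bytes, key: int) -> list:
    """Walk the length-prefixed entries and decode each one; reject truncated tables."""
    i, entries = 0, []
    while i < len(blob):
        n = blob[i]
        chunk = blob[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated table entry at offset %d" % i)
        entries.append(xor_bytes(chunk, key).decode("latin-1"))
        i += 1 + n
    return entries


def recover_key(blob: bytes, crib: bytes):
    """Brute-force the 256 single-byte keys; the right one makes the crib appear."""
    for k in range(256):
        if crib in xor_bytes(blob, k):
            return k
    return None


def encoded_signature(crib: bytes, key: int = 0x22) -> str:
    """Hex form of a crib as it sits in the binary, usable as a YARA hex string."""
    return " ".join("%02X" % b for b in xor_bytes(crib, key))


if __name__ == "__main__":
    blob = pack_table(SAMPLE_CONFIG, effective_key(MIRAI_TABLE_KEY))
    key = recover_key(blob, b"/bin/busybox")
    print("key 0x%02x" % key, unpack_table(blob, key))
    print("signature for 'root':", encoded_signature(b"root", key))
```

Searching a suspect binary for `encoded_signature(b"/bin/busybox")` rather than for the plaintext is what catches these samples on disk; the brute force with a crib is the fallback when a new variant changes the key.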

“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable. Likewise, the server remains running despite discovery, network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted due to other possible legitimate uses for Tor,” concluded the researchers.
