Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]

This guest diary analyzes Mirai activity observed on the DShield honeypot, highlighting repeated attempts to upload Mirai malware to IoT devices with weak credentials. It also covers Mirai’s propagation, persistence in memory, and practical defenses such as log/PCAP collection and regular device updates. Hashtags: #Mirai #DShield #IoT #Telnet #SSH #DNS

Keypoints

  • Mirai activity was observed on a DShield honeypot, with attempts to upload Mirai malware to IoT devices.
  • Mirai primarily targets IoT devices using weak or default credentials to gain access and form a botnet for large-scale DDoS attacks.
  • Mirai uses rapid propagation, memory residency, and a watchdog process to maintain persistence even after its binary has been removed from disk.
  • Key Mirai components include CNC servers, a loader, a DNS server, a MySQL database, a scan receiver, and vulnerable IoT devices.
  • Infection and DDoS workflows involve scanning for vulnerable devices, uploading malware, registering bots with CNC, and issuing flood commands via Telnet-based chat between devices and CNC.
  • Defensive recommendations include strong unique passwords, minimizing remote access (Telnet/SSH), regular firmware updates, and comprehensive log/PCAP collection for detection.
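
The last point, comprehensive log collection for detection, is what lets a defender spot the credential sweeps described above. The following is an added example, not code from the diary or from DShield: it groups honeypot login attempts by source and flags any source that tries several distinct username/password pairs within a short window, which is the Telnet/SSH default-credential behaviour the diary attributes to Mirai. The log records, thresholds and window size are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample honeypot login records (not from the diary):
# (UTC timestamp, source IP, service, username tried, password tried).
SAMPLE_ATTEMPTS = [
    ("2024-01-10T08:00:01", "198.51.100.7", "telnet", "root", "root"),
    ("2024-01-10T08:00:02", "198.51.100.7", "telnet", "admin", "admin"),
    ("2024-01-10T08:00:03", "198.51.100.7", "telnet", "root", "12345"),
    ("2024-01-10T08:00:04", "198.51.100.7", "telnet", "user", "user"),
    ("2024-01-10T08:00:05", "198.51.100.7", "telnet", "admin", "password"),
    ("2024-01-10T08:05:00", "203.0.113.9", "ssh", "backup", "s3cret"),
    ("2024-01-10T09:10:00", "203.0.113.9", "ssh", "backup", "s3cret"),
]

# Tuning values are assumptions for this example, not figures from the diary.
WINDOW = timedelta(seconds=60)
MIN_ATTEMPTS = 4
MIN_DISTINCT_CREDS = 3


def find_credential_sweeps(attempts, window=WINDOW,
                           min_attempts=MIN_ATTEMPTS,
                           min_distinct=MIN_DISTINCT_CREDS):
    """Return {src_ip: summary} for sources that try many distinct
    username/password pairs inside one time window: the Mirai-style
    sweep of weak or default credentials (T1110) over Telnet/SSH (T1021).
    A single user retrying one password is not flagged."""
    by_src = defaultdict(list)
    for ts, src, service, user, pw in attempts:
        by_src[src].append((datetime.fromisoformat(ts), service, (user, pw)))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the burst spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            creds = {cred for _, _, cred in burst}
            if len(burst) >= min_attempts and len(creds) >= min_distinct:
                findings[src] = {
                    "attempts": len(burst),
                    "distinct_credentials": len(creds),
                    "services": sorted({svc for _, svc, _ in burst}),
                    "first_seen": burst[0][0].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for src, info in find_credential_sweeps(SAMPLE_ATTEMPTS).items():
        print(f"{src}: {info}")
```

In practice the records would be parsed from the honeypot's own authentication log rather than embedded, and the flagged sources can be correlated with the PCAPs the diary recommends collecting.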

MITRE Techniques

  • [T1110] Brute Force – Mirai infiltrates IoT devices through common vulnerabilities, such as weak and default username and password combinations. Quote: “The method in which Mirai infiltrated numerous IoT devices was through common vulnerabilities, such as weak and default username and password combinations.”
  • [T1021] Remote Services – Mirai uses remote services (e.g., Telnet) to interact with compromised devices and forward commands to the CNC server. Quote: “Attacker sends command from Remote Terminal to CNC server via Telnet (step a)”
  • [T1071.004] Command and Control: DNS – New bots retrieve CNC server IP from DNS server. Quote: “New bot retrieves CNC server IP from DNS server”
  • [T1107] File Deletion – Mirai deletes its binary from disk to reduce its footprint and avoid easy discovery. Quote: “Mirai often deletes its binary from the disk to reduce its footprint.”

Indicators of Compromise

  • [File hash] – example malware hashes associated with Mirai indicators: 5466d9405031060ffb564f14b5a263eda12e179287ca4a4a7c94501cd6a25c53, b023af46798a045ce9606318928ed9a96bd64bc25c7279a08b5fee38176e5dc9

Read more: https://isc.sans.edu/diary/rss/30514