Mirai is a long-running IoT botnet that spreads by brute-forcing weak/default credentials and by exploiting multiple device vulnerabilities, spawning variants such as Hajime, Sylveon, and NoaBot. It recruits infected devices to perform DDoS or mining activities via C2 channels over TCP/TLS, with evolving capabilities over the years. #Mirai #KrebsOnSecurity #Hajime #Sylveon #NoaBot #ZyxelNAS #ComtrendVR-3033 #Spring4Shell
Keypoints
- Mirai is a long-running IoT botnet that has evolved through variants like Hajime, Sylveon, and NoaBot, infecting hundreds of thousands of devices.
- Its operation follows four stages: internet-wide scanning for vulnerable devices, login with common credentials, download and execute payload, then recruit more devices to launch attacks.
- Mirai communications with its C2 typically use TCP, with TLS-capable variants observed.
- Mirai has been known to kill or suppress other botnets (e.g., Gafgyt) on infected devices to maintain control.
- Major vulnerabilities have been exploited by Mirai (CVE-2020-9054 in Zyxel NAS, CVE-2020-10173 in Comtrend VR-3033, CVE-2022-22965 Spring4Shell) to widen its reach.
- Many Mirai variants use UPX packing to hinder analysis and keep payloads lightweight.
- NoaBot (2024) marks a shift to SSH brute forcing and turning devices into crypto-miners rather than performing DDoS.
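The UPX packing noted above is the kind of thing an analyst checks first when triaging a captured IoT binary. The following is an added example (not code from ANY.RUN or from the Mirai samples described here) of a small triage routine: it looks for the stock UPX markers and, because some variants modify the UPX header so those markers are absent, also measures byte entropy as a second indicator. The three "binaries" it runs on are constructed in the script itself, not real samples.

```python
import hashlib
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def triage_elf(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report packing indicators for an ELF blob.

    upx_marker   - the stock 'UPX!' signature or UPX0/UPX1 section names are present.
    high_entropy - overall entropy is above the threshold; this still fires when the
                   UPX magic has been altered or stripped, at the cost of false
                   positives on legitimately compressed or encrypted files.
    """
    is_elf = data.startswith(ELF_MAGIC)
    upx_marker = any(marker in data for marker in (b"UPX!", b"UPX0", b"UPX1"))
    ent = shannon_entropy(data)
    return {
        "is_elf": is_elf,
        "upx_marker": upx_marker,
        "entropy": round(ent, 2),
        "high_entropy": ent >= entropy_threshold,
        "likely_packed": is_elf and (upx_marker or ent >= entropy_threshold),
    }


# Constructed samples: a minimal ELF-like header followed by different bodies.
_HEADER = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9
SAMPLE_STOCK_UPX = _HEADER + b"UPX!" + _pseudo_random(4096)        # marker intact
SAMPLE_MODIFIED_UPX = _HEADER + b"\x00" * 4 + _pseudo_random(4096)  # marker wiped
SAMPLE_PLAIN = _HEADER + b"plain busybox-like text section " * 128  # unpacked text

if __name__ == "__main__":
    for name, blob in [("stock_upx", SAMPLE_STOCK_UPX),
                       ("modified_upx", SAMPLE_MODIFIED_UPX),
                       ("plain", SAMPLE_PLAIN)]:
        print(name, triage_elf(blob))
```

The marker check alone misses the modified-UPX sample; the entropy check catches it, which is why the two are combined. Treat `likely_packed` as a triage flag to route the file for unpacking and deeper analysis, not as a verdict on its own.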
MITRE Techniques
- [T1046] Network Service Scanning – Mirai scans the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses. ‘scanning the internet for vulnerable IoT devices by sending TCP probes to IPv4 addresses’
- [T1110] Brute Force – It identifies potential victims by attempting to log in using a list of popular credentials. ‘it attempts to log in using a list of popular credentials’
- [T1105] Ingress Tool Transfer – The loader downloads and executes a malicious program on the device from a C2 server or via P2P. ‘downloads its binary from a C2 server or through a peer-to-peer network onto the infected system’
- [T1203] Exploitation for Client Execution – Exploits vulnerabilities (e.g., CVE-2020-9054) to take control of devices. ‘took advantage of a security flaw (CVE-2020-9054) … to inject malicious commands and take control of devices’
- [T1547] Boot or Logon Autostart Execution – Modifies startup scripts or cron jobs to ensure reboot persistence. ‘modify system startup scripts or use cron jobs to ensure it is executed on system reboot’
- [T1562.001] Impair Defenses – Attempts to disable security software on the infected device. ‘disable security software’
- [T1569.002] Service Stop – Terminates competing malware processes (e.g., Gafgyt) to maintain control. ‘kill any processes associated with the activity of other botnets’
- [T1027] Obfuscated/Compressed Files and Information – Uses modified UPX packing to hinder analysis. ‘modified UPX packing to complicate the analysis process’
- [T1071.001] Web Protocols – C2 communication over TCP with TLS-capable variants. ‘The malware usually communicates with the command-and-control (C2) over the TCP protocol. Yet, there are also TLS-capable variants’
- [T1496] Resource Hijacking – NoaBot crypto-mining variant turns infected devices into mining machines. ‘NoaBot … leverages SSH login brute forcing capabilities. Instead of launching DDoS attacks, it turns infected devices into crypto-mining machines’
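The scanning and credential brute-forcing techniques above (T1046, T1110) leave a recognisable trace on the victim side: a burst of failed logins from one source trying several common usernames, sometimes followed by a success. The following is an added example, not code from ANY.RUN or from this page, of a detector that runs over OpenSSH-style syslog lines; the log lines, the 60-second window, the failure threshold and the username watchlist are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in OpenSSH's syslog format (not from a real incident).
SAMPLE_LOG = """\
May  1 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  1 10:00:02 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
May  1 10:00:03 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.5 port 40124 ssh2
May  1 10:00:04 cam01 sshd[812]: Failed password for invalid user user from 203.0.113.5 port 40125 ssh2
May  1 10:00:05 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 40126 ssh2
May  1 10:00:06 cam01 sshd[812]: Accepted password for root from 203.0.113.5 port 40127 ssh2
May  1 10:00:30 cam01 sshd[901]: Failed password for alice from 198.51.100.7 port 51000 ssh2
May  1 10:00:45 cam01 sshd[902]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Usernames commonly tried by IoT credential-guessing bots; a constructed
# watchlist for this example, not a list taken from the page.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service", "supervisor"}


def parse_line(line: str, year: int = 2024):
    """Parse one sshd auth line into a dict, or return None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2024 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, window_seconds: int = 60, min_failures: int = 4):
    """Alert on sources with >= min_failures failed logins inside a sliding window.

    Each alert also records which tried usernames sit on the default-credential
    watchlist and whether a login from that source succeeded after the burst,
    i.e. whether the brute force likely worked.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]

        # Largest number of failures that fit inside one window (two-pointer scan).
        best, j = 0, 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best < min_failures:
            continue

        # Did any accepted login from this source come after enough failures?
        failures_so_far, success_after = 0, False
        for e in evs:
            if e["result"] == "Failed":
                failures_so_far += 1
            elif failures_so_far >= min_failures:
                success_after = True
        users = {e["user"] for e in fails}
        alerts.append({
            "src": src,
            "failures_in_window": best,
            "users": sorted(users),
            "default_users": sorted(users & DEFAULT_USERS),
            "success_after_failures": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector flags 203.0.113.5 (five failures across four watchlisted usernames, then an accepted password) and ignores the single failure from 198.51.100.7. A `success_after_failures` alert is the one to act on first: it marks the point where the page's stage two (login with common credentials) hands over to stage three (payload download), so the device should be isolated and its startup scripts and cron entries reviewed.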
Indicators of Compromise
- [Vulnerability] CVE-2020-9054, CVE-2020-10173, CVE-2022-22965 – Mirai exploited these vulnerabilities in Zyxel NAS devices and Comtrend VR-3033 routers, and leveraged Spring4Shell (CVE-2022-22965) in 2022.
- [Malware Variant] Hajime, Sylveon – Variants observed as part of Mirai’s evolution.
- [Malware Variant] NoaBot – 2024 variant using SSH brute forcing and crypto-mining instead of DDoS.
Read more: https://any.run/malware-trends/mirai