CrowdStrike data show Mirai variants built for Intel-powered Linux systems more than doubling in Q1 2022 versus Q1 2021, with 32-bit x86 builds rising the most. Mirai continues to expand across Linux devices—from IoT to servers—by exploiting unpatched flaws such as Log4j to grow botnets for DDoS and other malicious uses, while adding evasion and propagation enhancements.
Key points
- Mirai variants compiled for Intel-powered Linux systems increased by 101% in Q1 2022 vs Q1 2021.
- 32-bit x86 Mirai variants showed the largest growth, up 120% in Q1 2022 vs Q1 2021.
- Mirai is used to compromise internet-connected devices, form botnets, and conduct distributed denial-of-service (DDoS) attacks.
- Mirai variants continue to evolve, targeting unpatched vulnerabilities to expand the attack surface.
- ARM remains the most prevalent architecture among Mirai variants, but 32-bit x86 variants gained significant traction on Linux servers and networking gear; overall, variants across 32- and 64-bit x86 grew 101% on average.
- Beyond DDoS, Mirai botnets can function as proxy networks or for cryptocurrency mining, illustrating multiple malicious use cases.
MITRE Techniques
- [T1110] Brute Force – Brute-force credentials spread Mirai to internet-connected devices. Quote: ‘brute-force attacks to log in to internet-connected devices remain a preferred method for spreading various Mirai variants.’
- [T1190] Exploit Public-Facing Application – Mirai variant exploiting the Log4Shell vulnerability. Quote: ‘the Mirai variant exploiting the Log4Shell vulnerability (8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e)’.
- [T1070.004] File Deletion – Self-deleting the executable. Quote: ‘self-deleting the executable; changing the process name and the command line to avoid detection.’
- [T1036] Masquerading – Changing the process name and the command line to avoid detection. Quote: ‘changing the process name and the command line to avoid detection.’
- [T1562.001] Impair Defenses – Stopping processes associated with remote administration tools like SSH and Telnet; stopping “competing” malware processes. Quote: ‘stopping processes associated with remote administration tools like SSH and Telnet; stopping “competing” malware processes.’
- [T1046] Network Service Scanning – Searching for new targets to infect. Quote: ‘searching for new targets to infect.’
- [T1071] Command and Control – Centralized client-server botnet infrastructure. Quote: ‘Figure 2. Example of Centralized Client-Server botnet infrastructure’.
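As an added defender-side illustration (not code from the CrowdStrike post), the following Python heuristics flag two of the evasion behaviours listed under T1070.004 and T1036 using fields from /proc: a process whose executable link ends in " (deleted)" and a process whose kernel name (comm) does not match its argv[0]. The records in SAMPLE are constructed; read_proc() gathers the same fields from a live Linux host.

```python
# Heuristics for two evasion behaviours listed above: a running process whose
# executable was unlinked (T1070.004) and a process whose kernel name (comm)
# disagrees with its argv[0] (T1036). Sample records below are constructed.
import os
from dataclasses import dataclass

@dataclass
class ProcRecord:
    pid: int
    exe: str       # readlink(/proc/<pid>/exe); the kernel appends " (deleted)"
    comm: str      # /proc/<pid>/comm, truncated by the kernel to 15 characters
    cmdline: list  # /proc/<pid>/cmdline split on NUL; empty for kernel threads

def findings_for(rec: ProcRecord) -> list:
    """Return the detection labels that apply to one process record."""
    hits = []
    if rec.exe.endswith(" (deleted)"):
        hits.append("T1070.004 exe unlinked while running")
    argv0 = os.path.basename(rec.cmdline[0]) if rec.cmdline else ""
    if argv0 and argv0[:15] != rec.comm:  # compare on the 15-char prefix
        hits.append("T1036 comm/cmdline mismatch")
    return hits

def scan(records) -> dict:
    """Map pid -> findings for every record that triggers at least one rule."""
    return {r.pid: h for r in records if (h := findings_for(r))}

def read_proc() -> list:
    """Build records from the live /proc filesystem (Linux; needs read access)."""
    recs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""  # kernel thread, or a process we are not allowed to inspect
        try:
            comm = open(f"{base}/comm").read().strip()
            raw = open(f"{base}/cmdline", "rb").read()
        except OSError:
            continue  # process exited between listdir and open
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        recs.append(ProcRecord(int(name), exe, comm, argv))
    return recs

SAMPLE = [  # constructed records, not data from the CrowdStrike post
    ProcRecord(412, "/usr/sbin/sshd", "sshd", ["/usr/sbin/sshd", "-D"]),
    ProcRecord(977, "/tmp/.x86 (deleted)", ".x86", ["/tmp/.x86"]),
    ProcRecord(1021, "/dev/shm/.a (deleted)", "a", ["/usr/sbin/sshd", "-D"]),
]
```

Both rules are triage signals rather than verdicts: legitimate software also runs from an unlinked binary after an in-place update or renames itself with prctl(PR_SET_NAME), so correlate hits with the other behaviours the post lists, such as SSH and Telnet processes being stopped.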
Indicators of Compromise
- [Hash] Mirai variant SHA-256 hashes (examples): 0a38acadeb41536f65ed89f84cc1620fb79c9b916e0d83f2db543e12fbfd0d8c, bc5f1b69b6edfd58a56b104568cb73fe74ccefea6651b1a1bcf7613331b56597, and 7 more hashes
Read more: https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/