New Miori Variant Uses Unique Protocol to Communicate with C&C

By: Makoto Shimamura, Cyber Threat Research Team

We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses a text-based protocol to communicate with its C&C.

Miori’s unique protocol

Typical Mirai variants communicate with their respective C&Cs using a binary-based protocol. In that scenario, the C&C server would display a login prompt to get into the console that the attacker uses. The C&C server assumes that anyone who connects to the C&C server is the attacker trying to access the console, so that the login prompt asking for the username and password is displayed, as seen in Figure 1.

Figure 1. Example of a Mirai C&C login prompt

This is not the case for this new Miori variant. When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods.

Figure 2. Message displayed after attempting to connect to the C&C console

This prompted us to try to see where the change was made in this campaign. We analyzed the protocol used by the malware, and discovered that it is text-based. Its C&C should receive a specific string before allowing anyone access to its console, unlike older Mirai variants. If that string is not received, then it displays the message shown above.

We also discovered that it uses a protocol (illustrated in Figure 3) for receiving encrypted commands, which is not present in older variants. As it waits for these commands, it simultaneously scans for vulnerable telnets hosts to propagate.

Figure 3. Protocol of the Miori variant

Figure 4. Snapshot of the malicious code used to communicate with the C&C server

This malware variant used a simple substitution method for its encryption, with the correspondence table hard-coded in the malware code for decryption.

Figure 5. Example of correspondence table of the substitution cipher found in the code

Further analysis allowed us to find encrypted attack commands. Similar strings, as seen in Figure 6, likely indicate the attack command sent to the malware variant through the C&C server. In the figure, the strings show a command for executing a UDP Flood attack. We could assume that an attacker can use this command to specify destination IP, port, time, and packet size.

Figure 6. Sample attack command string found during the analysis

Aside from the sample command, TCP Flood attack, attack termination, and process termination commands were also found.

Similarity with other Mirai variants

One similarity it does share with other Mirai variants is that XOR was used to encrypt a part of its configuration data and the list of telnet/SSH credentials used for the malware’s brute-force capabilities.

However, the configuration data was divided and stored separately, some of which used decoding methods that had not been used in older Mirai variants.

We also couldn’t find the string “: applet not found” in the configuration data, which is one of the identifiers of a Mirai variant. This could indicate that the cybercriminals behind this campaign are consciously removing the usual indicators of a Mirai attack to confuse security researchers. This string was used to verify a successful infection in older variants, but in this variant, the success is verified by a different configuration data, as illustrated by the figure below.

Figure 7. Echo command and its output used to verify infection success


As mentioned earlier, this Miori variant can scan for vulnerable telnet hosts, and send their IP address and account information to the C&C server. Like earlier Mirai variants, this malware sends and executes a malicious script in a vulnerable host.

We were able to identify the malicious script used for spreading this malware in the architecture of the execution host. Arguments can be specified at runtime, so it would be possible to control the attack enough to be different campaigns through the input of different arguments at malware runtime.

Figure 8. Snapshot of the malicious script that spreads the malware in the vulnerable telnet host

Source code sale site

Examining the strings used in this sample also revealed a message containing the URL of the site that sells the malware’s source code. Checking the site showed that the source code is being sold for US$110.

Figure 9. The source code sale site

The site appears to be built using the legitimate e-commerce service called Selly. However, it is may also be a fraudulent page that won’t deliver the source code after a buyer pays the given price.

Conclusion and security recommendations

The Mirai malware family can be considered the original IoT malware. Its effectivity motivates attackers to develop different variants. In this case, however, significant changes in its protocol and storage method of configuration data could indicate that this Miori variant is not just a new Mirai variant. It could be a new malware trying to appear as a Mirai variant to elude detection and to make its analysis difficult.

Regardless of the reason behind its design, the malware’s routine is generally similar to typical Mirai variants: infect vulnerable IoT devices and use them as platforms for launching a DDoS attack. These differences also emphasize the necessity of keeping up with evolving IoT malware in the future.

Users can reduce the impact of such schemes by applying the right patches and updates for their deployed devices. As this malware acts like a typical Mirai variant, making sure to change default credentials with tougher security in mind can reduce the possibility of unauthorized access and success of brute force attacks.  Locating devices in secure areas can also prevent security issues stemming from physical tampering.

Trend Micro Solutions

Trend Micro Smart Home Network provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

SHA256 Filename Detection name
07200eed2edb30665807e641b2290767a40b5bc76f7a035249dee596a982730c miori.arm5 Backdoor.Linux.MIRAI.VWIQI
0a11ec9408298267e8a016a2f4cbf775db961f16e009ddc66279a41d919916fd sh Trojan.SH.MIRAI.BNW
0a2843d1ba842de52795185d11deae5962e869cca0e4b927c3150d49fd576bec miori.spc Backdoor.Linux.MIRAI.VWIQI
0e841443e378a6abd9b9bd51177286f36f421bd5949c28c661e40c187b1b597b miori.m68k Backdoor.Linux.MIRAI.VWIQI
376536260aa2bf5d8a8155e1a778b547a86575aaadfe5546907eaf34f56d913e miori.ppc Backdoor.Linux.MIRAI.VWIQI
6a67af76bdc7ad14d5bf5940786bc73812581108810075d0ee07683d6a6939c0 miori.arm Backdoor.Linux.MIRAI.VWIQI
739c96713ef797a4fbf204b6b62e31ff9a204f66878aeb330631801f4ee87a24 miori.sh4 Backdoor.Linux.MIRAI.VWIQI
86bd270b3e9bc43f8f6bc2e5b0cf5c627ccb2d9e972cfc21fd1faf187d356b43 miori.mips Backdoor.Linux.MIRAI.VWIQI
9f551b1dd0aa5f50d0715f482448d650a2a4dd2e6fb3b2272e2a69d0791d5633 miori.x86 Backdoor.Linux.MIRAI.VWIQI
c0afc9278c68f75643513987a1d2366f651c4187e1cb1019249f7b0a2d8a1675 miori.arm6 Backdoor.Linux.MIRAI.VWIQI
dc330cb226e7cc5f14750c91b790c118aaf12116fb77085b34a829b58cdb666c miori.mpsl Backdoor.Linux.MIRAI.VWIQI
e086aad1088cd5204f18420e4f953c77c773195226410ca91723345bc539a044 miori.arm7 Backdoor.Linux.MIRAI.VWIQI
URL Description
185[.]244[.]39[.]74:10019 C&C server

The post New Miori Variant Uses Unique Protocol to Communicate with C&C appeared first on .

This post appeared first on Trend Macro Blog
Author: Trend Micro