Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining

The Mirai IoT bot malware created quite a stir within the tech world by converting ordinary IoT devices into DDoS attack vectors. Originally created by a former Rutgers University student, Mirai has resurfaced time and again since it first appeared in September 2016, and each new version of the malware has been more damaging than the last.


According to security researchers at Fortinet’s FortiGuard Labs, a new version of Mirai dubbed OMG is currently spreading. In addition to retaining all the DDoS capabilities of the original, it can convert IoT devices into proxy servers. Turning IoT devices into proxy servers gives attackers a new way of making money from the malware, much as the Satori IoT bot, discovered in December 2017, mines cryptocurrency instead of launching DDoS attacks.

“With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” explained the FortiGuard Labs research team in their official blog post.

To turn IoT devices into proxy servers, OMG uses an open source tool called 3proxy and carries two strings, one a command that adds and the other a command that removes specific firewall rules, so that traffic is redirected on two random ports. The malware can also search for open ports and kill any processes related to HTTP, telnet, and SSH, and it uses telnet brute-force logins to spread.
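The two traces described above, an added firewall rule accepting traffic on an unexpected port and a 3proxy process, are things a defender can check for on a Linux-based device. The script below is an added, defender-side example and is not code from the article or from Fortinet: it parses constructed `iptables -S` and `ps -eo pid,comm,args` style output embedded inline and reports INPUT ACCEPT rules for ports outside an assumed baseline, any process named `3proxy`, and any binary running out of `/tmp`. The sample output, the port baseline (22 and 80) and the `/tmp` heuristic are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -S` output from a small Linux/IoT host.
# The two ACCEPT rules for high, non-standard ports stand in for the kind of
# rule the article says OMG adds; the port numbers are made up for this example.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51842 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 39217 -j ACCEPT
"""

# Constructed listing in the shape of `ps -eo pid,comm,args`. 3proxy is the
# open source proxy named in the article; the pids and paths are invented.
SAMPLE_PROCESSES = """\
  PID COMMAND  ARGS
    1 init     /sbin/init
  412 dropbear /usr/sbin/dropbear -p 22
  877 3proxy   /tmp/3proxy /tmp/3proxy.cfg
  901 httpd    /usr/sbin/httpd
"""

# Ports this device is expected to accept inbound connections on (assumed baseline).
EXPECTED_PORTS = frozenset({22, 80})

# Matches `-A <chain> ... --dport <port> -j <target>` rule lines.
RULE_RE = re.compile(r"^-A (?P<chain>\S+) .*--dport (?P<port>\d+) -j (?P<target>\S+)")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def audit_iptables(dump: str, expected_ports=EXPECTED_PORTS) -> list:
    """Flag INPUT ACCEPT rules for ports that are not in the device baseline."""
    findings = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # policy lines and rules without --dport are ignored
        port = int(m.group("port"))
        if (m.group("chain") == "INPUT" and m.group("target") == "ACCEPT"
                and port not in expected_ports):
            findings.append(Finding("unexpected_accept",
                                    f"INPUT ACCEPT for port {port} not in baseline"))
    return findings


def audit_processes(ps_output: str, proxy_names=("3proxy",)) -> list:
    """Flag known proxy binaries and anything executing out of /tmp."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        if comm in proxy_names:
            findings.append(Finding("proxy_process", f"pid {pid}: {comm} ({args})"))
        if args.startswith("/tmp/"):
            findings.append(Finding("tmp_binary", f"pid {pid}: {comm} runs from /tmp"))
    return findings


def audit_host(iptables_dump: str, ps_output: str) -> list:
    """Run both checks; an empty list means nothing suspicious was seen."""
    return audit_iptables(iptables_dump) + audit_processes(ps_output)


if __name__ == "__main__":
    for f in audit_host(SAMPLE_IPTABLES, SAMPLE_PROCESSES):
        print(f"[{f.kind}] {f.detail}")
```

On a real device the two strings would come from `iptables -S` and `ps -eo pid,comm,args`; the baseline set is the part worth maintaining per device model, since a single unexplained high port accepted on INPUT is exactly the kind of change the article describes.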

“This means that it can also do what the original Mirai could i.e. kill processes (related to telnet, ssh, HTTP, by checking open ports and other processes related to other bots), telnet brute-force logins to spread [sic] and DOS attack,” wrote Fortinet researchers.

Once installed on a vulnerable IoT device, the malware contacts the C&C server and registers the compromised system as a new bot. The C&C server analyses the data message and then instructs the bot whether to turn the infected IoT device into a proxy server, launch a DDoS attack through it, or terminate the connection.

In its blog post, Fortinet noted that attackers can earn money from proxy servers by selling access to these compromised devices to other hackers and cybercriminals. Proxies are valuable to cybercriminals because they offer a way to stay anonymous while carrying out malicious activities such as breaking into a network or stealing data. Multiple attacks can be launched from a single source, and a proxy may also help attackers get around some types of filtering and IP blocking.

Fortinet further noted that OMG is a unique Mirai version because it offers two attack modes. Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, stated that proxy servers can be used effectively to cover the “origins of an attack, reconnaissance activity, or for simply re-routing a user’s search for information to sites controlled by someone pushing a specific agenda.” Gumbs added that IoT bots could also be used to facilitate disinformation campaigns.

Image credit: DepositPhotos



Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.