New Mirai botnet variant has been very busy, researchers say

Researchers have discovered a new variant of the infamous Mirai malware that compromises smart devices and adds them to a botnet. 

Called V3G4, the variant exploits 13 known vulnerabilities, according to research by Palo Alto Networks’ Unit 42. Mirai typically allows for full control of devices, adding them to its network of remotely controlled bots used to launch distributed denial-of-service (DDoS) attacks.

Mirai primarily targets online consumer devices such as internet protocol cameras and home routers.

The botnet was first found in August 2016 and has been used in some of the largest and most disruptive DDoS attacks, including the cyberattack on security journalist Brian Krebs’ website and an attack on French web host OVH.

Unit 42 tracked the new variant from July until December 2022. The 13 vulnerabilities cited include the widely discussed Atlassian unauthenticated remote code execution vulnerability — CVE-2022-26134 — and a bug in Mitel audio, web and video conferencing products.

The vulnerabilities targeted by V3G4 have less complexity than previously observed variants, according to the research, but they are nonetheless significant as exploitation can lead to remote code execution.

Mirai was also responsible for a 2016 DDoS attack on Domain Name System (DNS) provider Dyn, which involved about 100,000 infected devices. As a result, major internet platforms and services were unavailable to users in Europe and North America. 

Paras Jha, owner of a DDoS mitigation service ProTraf Solutions and the company’s co-founder, Josiah White, are believed to be behind the Mirai botnet.

The new stuff

Like the original version, V3G4 targets exposed servers and networking devices running Linux. The most significant feature the new variant inherited from the original Mirai is a data section that assists in brute force attacks, when hackers try to guess passwords, encryption keys or a passphrase. 

It also has a function that ensures only one instance of the malware is executing on the infected device.

Researchers also noticed that the malware samples from the three campaigns they observed between July and December are slightly different. The original Mirai botnet sample spread itself by brute-forcing weak credentials telnet or Secure Shell — two popular protocols that help computers communicate — whereas the new variant uses both brute-force and embedded exploits to spread themselves.