The developers behind the Mirai botnet have recompiled the malware so it can take advantage of a wider group of processors and architectures, and have upgraded it with a new encryption algorithm.
Palo Alto Networks Unit 42 in February found samples of Mirai compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which primarily are used to power IoT devices. The malware was previously found altered in January 2018 to work with ARC chips. Mirai’s open-source nature allows it to be compiled for new targets, making it effective against a growing list of processors.
“If the latest innovations lead to an increase in the number of infected devices, that means that Mirai attackers would have access to additional firepower for use in denial of service attacks,” wrote Unit 42’s Ruchna Nigam.
In this latest incarnation, Mirai uses a modified version of the byte-wise XOR: it now uses 11 8-byte keys, all of which are cumulatively byte-wise “XOR-ed” to get the final resulting key, the report said.
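For analysts decoding strings from such a sample, the sketch below (an added example, not code from the Unit 42 report or from Mirai) folds 11 8-byte keys into one key and shows that the result can be recovered by trying 256 values. It assumes the combined key is applied the way the original Mirai source applies its table key, with every key byte XOR-ed onto every data byte; the keys, the table entry and all function names are constructed for illustration.

```python
from functools import reduce


def combine_keys(keys):
    """XOR the 8-byte keys together, position by position, into one 8-byte key."""
    if any(len(k) != 8 for k in keys):
        raise ValueError("every key must be exactly 8 bytes")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*keys))


def effective_byte(key):
    """XOR-ing every key byte onto a data byte equals XOR with this one byte.

    Assumption: the key is applied as in the original Mirai table code.
    """
    return reduce(lambda a, b: a ^ b, key, 0)


def xor_table_entry(data, keys):
    """Encode or decode one table entry (XOR is its own inverse)."""
    k = effective_byte(combine_keys(keys))
    return bytes(b ^ k for b in data)


def recover_key_byte(blob, marker):
    """Recover the effective key without the 11 keys by trying all 256 values
    and keeping those whose output contains a known plaintext marker."""
    return [k for k in range(256) if marker in bytes(b ^ k for b in blob)]


# Constructed inputs: deterministic dummy keys and a dummy table entry,
# not values taken from any real sample.
SAMPLE_KEYS = [bytes((i * 37 + j * 11 + 5) & 0xFF for j in range(8))
               for i in range(11)]
SAMPLE_PLAIN = b"example.invalid\x00"
SAMPLE_BLOB = xor_table_entry(SAMPLE_PLAIN, SAMPLE_KEYS)

if __name__ == "__main__":
    key8 = combine_keys(SAMPLE_KEYS)
    print("combined 8-byte key :", key8.hex())
    print("effective XOR byte  :", hex(effective_byte(key8)))
    print("decoded with keys   :", xor_table_entry(SAMPLE_BLOB, SAMPLE_KEYS))
    print("recovered by search :", recover_key_byte(SAMPLE_BLOB, b"example"))
```

Under that assumption the extra keys add no strength over a single-byte XOR, so encoded strings remain recoverable with a known-plaintext search even when the keys have not been extracted.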
The developers made another change that somewhat puzzled the Unit 42 team. They switched the attack method to attack_method_ovh from attack_method_tcpsyn, which was in the original Mirai source code. The exact same attack parameters were kept, however, and the Talos researchers could not understand the benefit of this change.