A newly discovered variant of Mirai botnet malware forces infected devices to act as proxy servers capable of protecting the anonymity of cybercriminals engaging in illegal activities.
Fortinet’s FortiGuard Labs research team, which uncovered the threat, believes the botnet operator may be selling credential access to these proxies for profit. This theory jibes with Fortinet’s observation that many recent Mirai modifications have been introduced for financial gain, rather than to support Mirai’s original purpose of launching distributed denial of service (DDoS) attacks. (Earlier this year, for instance, researchers reported that the Mirai-based Satori IoT botnet was being used to steal Ethereum cryptocurrency from mining wallets.)
“This is the first time we have seen a modified Mirai capable of DDoS attacks as well as setting up proxy servers on vulnerable IoT devices,” states a Feb. 21 Fortinet blog post, authored by researchers Jasper Manuel, Rommel Joven and Dario Durando. “With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization.”
“The sample we analyzed is quite new and was seen in January 2018,” added Joven, in emailed comments supplied to SC Media.
Minh Tran, senior security researcher at FortiGuard Labs, forecasted other possible ways that Mirai-variant botnets could be leveraged in the future to make money. “In general, there are really a lot of possibilities,” said Tran in an email interview with SC Media. “If we consider how other malware evolved in the past [they could] use the bots to relay spam, which is still a popular medium to deliver most malwares… including ransomwares.”
In addition, infected devices could be used as command-and-control servers, Tran added, or we could see more being used to run cryptominers, especially those that don’t require much processing power.
According to the Fortinet report, OMG still includes the original Mirai modules that kill processes, scan for vulnerable telnet systems, use brute-force login attacks to gain credential access, and execute DDoS attacks. But it also uses two random ports to set up 3proxy, a free open-source universal proxy server.
Traffic is allowed to flow through these two random ports (one for HTTP, one for SOCKS) due to a firewall rule, composed of two code strings, that OMG’s programmers added to Mirai’s original configuration table.
Upon connecting to the command-and-control server, OMG transmits a defined data message that identifies the infected device as a new bot recruit. Based upon this code, the C&C server then responds with a five-byte-long data string that includes a command for whether to act as a proxy server, launch an attack or terminate the connection.
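A host-side check for the footprint described above, added here as an example and not taken from the Fortinet report: it parses `iptables -S` and `ss -ltnp` output from a device and flags listeners on non-standard ports that are also opened by an explicit ACCEPT rule or run under the 3proxy process name. The sample outputs, port numbers and process IDs below are constructed.

```python
import re

# Constructed `iptables -S` output: two ACCEPT rules for arbitrary high ports,
# the kind of rule the article says OMG adds to Mirai's configuration table.
IPTABLES_SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41297 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 56110 -j ACCEPT
"""

# Constructed `ss -ltnp` output: 3proxy listening on the same two ports.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:41297     0.0.0.0:*         users:(("3proxy",pid=1733,fd=5))
LISTEN 0      128    0.0.0.0:56110     0.0.0.0:*         users:(("3proxy",pid=1733,fd=6))
"""

ACCEPT_RULE = re.compile(r"^-A INPUT .*--dport (\d+) .*-j ACCEPT$")
LISTEN_LINE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def accepted_ports(iptables_output):
    """Ports explicitly opened by INPUT ACCEPT rules."""
    ports = set()
    for line in iptables_output.splitlines():
        m = ACCEPT_RULE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def listeners(ss_output):
    """Map listening TCP port -> owning process name."""
    result = {}
    for line in ss_output.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            result[int(m.group(1))] = m.group(2)
    return result


def find_proxy_listeners(iptables_output, ss_output, expected_ports=frozenset({22, 80, 443})):
    """Flag listeners on unexpected ports that are firewall-opened or run as 3proxy."""
    opened = accepted_ports(iptables_output)
    hits = []
    for port, proc in sorted(listeners(ss_output).items()):
        if port not in expected_ports and (port in opened or proc == "3proxy"):
            hits.append((port, proc))
    return hits
```

Ports a device legitimately exposes belong in `expected_ports`; anything else that is both firewall-opened and listening deserves a look even when the process name is not 3proxy.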