Developers behind a newly discovered variant of the Mirai Internet of Things botnet malware have expanded their target list, placing a greater emphasis on high-bandwidth enterprise devices that are potentially capable of launching heavy-duty distributed denial of service attacks.

Detected by the Palo Alto Networks Unit 42 threat research team, the botnet still attempts to infect consumer devices like its predecessors, but the move toward enterprise IoT devices could augur future DDoS assaults that rival or surpass previous Mirai attacks like the one that disrupted the operations of Domain Name System provider Dyn in 2016.

The new malware variant, which has no nickname, includes 27 exploits 11 of which have never been seen before in a Mirai variant along with new credentials for brute forcing devices. Among the new additions are exploits for the WePresent WiPG-1000 Wireless Presentation System and the LG Supersign TVs digital signage solution, both of which are typically used by businesses. “This development indicates to us a potential shift to using Mirai to target enterprises” for compromise, according to a March 18 blog post penned by researcher Ruchna Nigam.

The last time Unit 42 noticed a similar trend was in September 2018, when company researchers reported that variants of Mirai and fellow IoT botnet Gafgyt (aka Bashlite) were respectively exploiting vulnerabilities in the Apache Struts open-source web application framework and SonicWall’s Global Management System.

The nine other new Mirai exploits target video cameras and routers from D-Link; routers from Zyxel; and, modems, routers, wireless access points and wireless controllers from Netgear.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” Nigam wrote in the blog post, adding that the variant can also be commanded to sent out HTTP Flood DDoS attacks that bombard web servers or applications with HTTP GET or POST requests.

Researchers found the malicious payload hosted on a compromised website advertising a Colombian electronic security integration and alarm monitoring business. Further revealed additional samples hosted at a different IP address that also harbored some instances of Gafgyt.