Researchers recently uncovered another descendant of the Mirai Internet of Things botnet, this one featuring Monero cryptocurrency mining capabilities.
Dubbed LiquorBot, the botnet malware is written in Go programming language and seems to use the same command-and-control infrastructure as Mirai. Sometimes, attack campaigns have even paired both LiquorBot and Mirai together in malicious dropper scripts, according to Liviu Arsene, global cybersecurity researcher at Bitdefender, in a company blog post this week.
LiquorBot was first observed on May 31, 2019, but has since gone through 12 additional known iterations, with the most recent version dated Oct. 10. The first sample to include the cryptomining functionality was traced to Oct. 1.
According to Bitdefender, LiquorBot spreads via SSH (Secure Shell) brute-forcing and exploitation of at least 12 unpatched vulnerabilities, which largely affect various router brands. The malware targets an array of CPU architectures, including ARM, ARM64, x86, x64 and MIPS. Rather than determining a machine's actual architecture during the infection process, the malicious dropper simply fetches all of its LiquorBot payloads – each one targeting a different architecture – from the command-and-control server and delivers every one of them.
In the blog post, Arsene's says that LiquorBot's use of Go is a point of interest, noting that the developers' choice of programming language carries cerain "programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency."
First appearing in 2016, Mirai was originally used to build a botnet of IoT devices capable of launching crippling distributed denial of service attacks against online targets. Over time, multiple variants have developed, some with added capabilities, such as cryptomining in the case of LiquorBot. Bitdefender notes several similarities between Mirai's and LiquorBot's behavior, including the obfuscation of code strings and the use of a feature that "ensures that a single bot runs on a machine by attempting to bind to a port."