Security Architecture, Application security, Application security, Endpoint/Device Security, IoT, Threat Management, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Attackers distill essence of Mirai IoT botnet into LiquorBot malware

Researchers recently uncovered another descendant of the Mirai Internet of Things botnet, this one featuring Monero cryptocurrency mining capabilities.

Dubbed LiquorBot, the botnet malware is written in Go programming language and seems to use the same command-and-control infrastructure as Mirai. Sometimes, attack campaigns have even paired both LiquorBot and Mirai together in malicious dropper scripts, according to Liviu Arsene, global cybersecurity researcher at Bitdefender, in a company blog post this week.

LiquorBot was first observed on May 31, 2019, but has since gone through 12 additional known iterations, with the most recent version dated Oct. 10. The first sample to include the cryptomining functionality was traced to Oct. 1.

According to Bitdefender, LiquorBot spreads via SSH (Secure Shell) brute-forcing and exploitation of at least 12 unpatched vulnerabilities, which largely affect various router brands. The malware targets an array of CPU architectures, including ARM, ARM64, x86, x64 and MIPS. Rather than determining a machine's actual architecture during the infection process, the malicious dropper simply fetches all of its LiquorBot payloads – each one targeting a different architecture – from the command-and-control server and delivers every one of them.

In the blog post, Arsene's says that LiquorBot's use of Go is a point of interest, noting that the developers' choice of programming language carries cerain "programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency."

First appearing in 2016, Mirai was originally used to build a botnet of IoT devices capable of launching crippling distributed denial of service attacks against online targets. Over time, multiple variants have developed, some with added capabilities, such as cryptomining in the case of LiquorBot. Bitdefender notes several similarities between Mirai's and LiquorBot's behavior, including the obfuscation of code strings and the use of a feature that "ensures that a single bot runs on a machine by attempting to bind to a port."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.