
New Mirai botnet variants target ARC processors, cryptomining hosts

A newly discovered variant of the Mirai Internet of Things botnet is specifically designed to attack the ubiquitous 32-bit embedded Argonaut RISC Core processor from ARC International, which can be found in well over a billion storage, home, mobile, automotive, and IoT devices.

Word of this troublesome development surfaced just days before researchers revealed that another Mirai botnet descendant, Satori, is now being used by a threat actor to steal Ethereum cryptocurrency by hacking into online mining hosts and secretly replacing their wallets.

News of Okiru (which translates to "get up" in English) appears to have first arrived via a Jan. 14 tweet from independent security researcher "Odisseus," who credited fellow researcher "UnixFreaxj" from security workgroup Malware Must Die with finding the ARC-targeting botnet malware.

“From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT devices more than 1 billion per year,” Odisseus tweeted. “So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It's a serious threat…”

Quoting Malware Must Die researchers, a report from The Register further warns that an analysis of Okiru revealed that its operators have been “preparing ARC binary specifically to target one particular Linux environment.”

With that in mind, is it possible that an Okiru-fueled DDoS assault against ARC-based machines could rival the size and scope of the infamous Mirai attack that disrupted Dyn?

“Due to there being over a billion likely ARC devices out there, there is definitely potential for us to see dramatically raised botnet numbers due to this development,” said Daniel Miessler, director of advisory services at IOActive, in an interview with SC Media. “But it's not always a straight line from potential to reality, as there are many variables such as percentage of devices exposed, patch levels, malware robustness, speed of security response, etc. So it's pretty hard to know if this will actually lead to a Dyn-level or greater situation, but the potential attack surface of ARC devices does make it a possibility.”

Meanwhile, Okiru's cousin Satori is busy causing its own brand of mischief. (Reportedly, Satori malware has at times been previously referred to as Okiru, but the Okiru malware targeting ARC processors is markedly different, and not to be used interchangeably with Satori.)

Despite a largely successful effort to sinkhole the Satori botnet after it was uncovered late last year, researchers from Qihoo 360's Netlab team discovered on Jan. 8 that a new variant named Satori.Coin.Robber was starting to rebuild its own version of the malicious network.

According to a Jan. 17 Qihoo blog post, the botnet primarily targets Windows-based machines running Claymore Dual GPU miner software, compromising them by exploiting a vulnerability affecting port 3333. “It works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config),” Qihoo reported, withholding additional details for security reasons. (Qihoo also warned that Claymore v.10.1 users are vulnerable to an exploit that leverages CVE-2017-16929, an authenticated directory traversal vulnerability.)
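The practical takeaway from Qihoo's description is that the weakness is a management port reachable without authentication, which is something a defender can look for in network logs before anyone exploits it. The following is an added example, not code from the article or from Qihoo 360 Netlab: it parses firewall log lines in a constructed, hypothetical format and reports any mining host whose TCP port 3333 accepted a connection from outside the internal address ranges. An exposed port is not proof that the default no-password configuration is in use, only that the port is reachable and the host deserves a look.

```python
"""
Added example (not from the SC Media article or from Qihoo 360 Netlab):
flag inbound connections to the Claymore remote-management port (TCP 3333)
that were allowed from outside the local network. The log format and all
addresses below are constructed for illustration; adapt the parser to your
own firewall export.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical format):
# <timestamp> <ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
SAMPLE_LOG = """\
2018-01-18T10:00:01Z ALLOW proto=tcp src=10.0.5.20:51234 dst=10.0.5.10:3333
2018-01-18T10:00:07Z ALLOW proto=tcp src=203.0.113.45:40122 dst=10.0.5.10:3333
2018-01-18T10:00:09Z ALLOW proto=tcp src=198.51.100.7:49001 dst=10.0.5.10:3333
2018-01-18T10:00:12Z ALLOW proto=tcp src=203.0.113.45:40130 dst=10.0.5.11:3333
2018-01-18T10:00:15Z ALLOW proto=tcp src=203.0.113.45:40131 dst=10.0.5.11:443
2018-01-18T10:00:20Z DENY  proto=tcp src=198.51.100.9:55555 dst=10.0.5.10:3333
"""

# Claymore's default remote-management port, as described in the article.
MANAGEMENT_PORT = 3333

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 ranges; anything else is treated as external. Adjust for your network.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_management(log_text: str) -> dict:
    """Return {host: sorted external source IPs} for allowed external TCP
    connections to the management port. DENY lines are ignored: a blocked
    probe is noise, an allowed one means the port is actually reachable."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["proto"] != "tcp":
            continue
        if rec["dport"] != MANAGEMENT_PORT or is_internal(rec["sip"]):
            continue
        hits[rec["dip"]].add(rec["sip"])
    return {host: sorted(srcs) for host, srcs in hits.items()}


if __name__ == "__main__":
    for host, sources in find_exposed_management(SAMPLE_LOG).items():
        print(f"{host}: management port reachable from {', '.join(sources)}")
```

On the constructed sample the script reports two hosts, 10.0.5.10 and 10.0.5.11, and ignores the internal connection, the connection to port 443 and the denied probe. In practice the same check is worth running against the firewall rule set itself, since the simplest mitigation is not to expose the management port beyond the hosts that need it.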

The researchers also determined that as of Jan. 11, "Satori.Coin.Robber has got the first ETH coin paid... with another 0.76 coin in the balance." Although this total amounts to a relatively paltry sum – as of Jan. 18, one Ethereum is worth just over $1,000 – the implications of using an IoT botnet to target cryptocurrency enthusiasts are nonetheless an intriguing development.

Oddly, Qihoo also reported that the author of Satori.Coin.Robber is publicly claiming the code is not malicious, even providing an email address at which he or she purportedly can be contacted.

Mirai-inspired botnet malware like Satori and Okiru were made possible after one of Mirai's original developers, Paras Jha, from Fanwood, N.J., released its code to the public shortly after performing an attack on security researcher Brian Krebs on Sept. 20, 2016. On Dec. 13, 2017, Jha pleaded guilty to federal charges stemming from Mirai's creation, along with Josiah White, of Washington, Penn. and Dalton Norman of Metairie, La.

“Once malware becomes public, it is very common for other malware creators or sometimes the originators to create variations to both foil detection systems and specifically target new systems,” said Mike Ahmadi, global director of IoT Security at DigiCert, in emailed comments. “It is important to understand that the development community for malware is just as active and often more driven to create ‘improved’ versions as the conventional software industry is. System builders and device manufacturers need to have a greater focus on implementing mitigations and controls that address the root issues that allow malware to flourish, rather than focusing on addressing the malware ‘flavour du jour.’”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
