Mirai Variant Cross-Compiles Attack Code with Aboriginal Linux

The approach makes Mirai executable on a wide variety of disparate IoT devices and platforms from a single server.

Criminals behind a Mirai botnet have been spotted using an unusual technique: Leveraging an open-source project called Aboriginal Linux to create a compiled binary, with versions of the malware tailored to each targeted platform.

The malware authors are leveraging Aboriginal – a legitimate tool for cross-compilation – to make Mirai executable on a wide variety of internet of things (IoT) devices and platforms, including routers, IP cameras, connected devices and Android devices.

“One of the major pain points for a cross-platform IoT botnet is portability,” wrote Dinesh Venkatesan, principal threat analysis engineer at Symantec, in a writeup Thursday. “The malware must be able to run on different architectures and platforms in a self-contained capsule without any runtime surprises or misconfiguration. This is also an area where many inexperienced malware authors, or script-kiddies, fail if they simply copy/paste and reuse the existing malware code base.”

Using Aboriginal “makes the process easy, effective, and practically fail-proof,” he added.

Venkatesan found a live remote server hosting multiple Mirai variants, each built for a specific platform, in late July. He saw that the server delivered a shell script to vulnerable devices; the script then downloaded and executed a series of individual executables, one after another, until it found one capable of running on the specific platform. That file in turn downloaded the Mirai payload.

Whichever executable runs successfully is responsible for the actual Mirai payload, such as generating a list of random IP addresses and scanning them for devices with default credentials or known vulnerabilities. Thus, the same botnet could use, say, an ARM7 malware variant running on an Android device, as well as one built for Debian ARM.

The functionality is otherwise standard Mirai fare, according to Venkatesan.

“For example, when I executed the sample in a contained environment, it attempted to scan more than 500,000 IP addresses generated through the random generation process previously described, and then tried to send raw packet data over port 23,” he said.
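The two behaviours described above, the dropper that fetches one binary after another from the same server until one runs, and the bot that then sweeps random addresses on port 23, both leave a recognisable footprint in egress logs. The detection heuristics below are an added example, not code from the article or from Symantec; the log formats, hosts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress HTTP log (hypothetical format): "timestamp src dst path"
HTTP_LOG = """\
2018-08-20T10:00:01 10.0.0.7 203.0.113.5 /bins/bot.arm7
2018-08-20T10:00:03 10.0.0.7 203.0.113.5 /bins/bot.mips
2018-08-20T10:00:05 10.0.0.7 203.0.113.5 /bins/bot.x86
2018-08-20T10:00:07 10.0.0.7 203.0.113.5 /bins/bot.ppc
2018-08-20T10:01:00 10.0.0.9 198.51.100.2 /index.html
"""
# Constructed connection log (hypothetical format): "timestamp src dst dport";
# 10.0.0.7 opens telnet to 30 distinct addresses within one minute.
CONN_LOG = "\n".join(
    f"2018-08-20T10:02:{i:02d} 10.0.0.7 192.0.2.{i + 1} 23" for i in range(30)
) + "\n2018-08-20T10:03:00 10.0.0.9 192.0.2.50 443\n"

def max_distinct_in_window(events, window):
    """events: (datetime, value) pairs. Return the largest set of distinct
    values seen in any `window` that starts at one of the events."""
    events = sorted(events)
    best = set()
    for i, (t0, _) in enumerate(events):
        cur = {v for t, v in events[i:] if t - t0 <= window}
        if len(cur) > len(best):
            best = cur
    return best

def dropper_cascades(log, min_files=3, window=timedelta(minutes=5)):
    """Flag (src, server) pairs where src pulled >= min_files distinct paths
    from one server inside `window`: the try-each-binary dropper pattern."""
    fetches = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, path = line.split()
        fetches[(src, dst)].append((datetime.fromisoformat(ts), path))
    return {key: sorted(p) for key, ev in fetches.items()
            if len(p := max_distinct_in_window(ev, window)) >= min_files}

def telnet_scanners(log, min_targets=20, window=timedelta(minutes=1)):
    """Flag sources that reached >= min_targets distinct addresses on TCP/23
    inside `window`: the random-address telnet sweep."""
    conns = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        if port == "23":
            conns[src].append((datetime.fromisoformat(ts), dst))
    return {src: len(t) for src, ev in conns.items()
            if len(t := max_distinct_in_window(ev, window)) >= min_targets}
```

Both heuristics key on the shape of the traffic rather than on file names or hashes, so they survive the per-platform rebuilds the article describes.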

The discovery marks yet another progression of Mirai – the malware has been morphing and adding sophistication since its source code was leaked in 2016, shortly after it burst on the scene with a head-turning DDoS attack that took out DNS provider Dyn, taking major sites like Spotify, Reddit and Twitter offline. It was also responsible for a 620Gbps DDoS attack on Krebs on Security, and even took the entire nation of Liberia offline for a while.

For instance, in April a Mirai botnet was used to launch a series of DDoS campaigns against the financial sector, using the relatively small number of 13,000 hijacked IoT devices (many IoT botnets number in the millions of endpoints). The notable aspect was its characteristics that link it to the IoTroop (a.k.a. Reaper) botnet, first identified in October 2017. The IoTroop code allows the malware to be updated on the fly.

Meanwhile, its tactic of marshalling vulnerable IoT devices has allowed Mirai and its many variants to attack with increasing regularity.

“As it is, the IoT market is hugely fragmented and most of the devices do not receive software patches for the known vulnerabilities,” said Venkatesan. “To make things worse, the malware authors continue to evolve these variants, making the malware more powerful and portable across different platforms and architectures.”

Discussion

  • R4pt0r on

    Is this indeed using Aboriginal? This project was closed over a year ago and development before that had slowed down. I believe that the Mirai botnet operators are leveraging the project mkroot (https://github.com/landley/mkroot). This project is developed by the same lead developer. Also this would make more sense as this is currently maintained and still only a 30KB download from GitHub.
    • Tara Seals on

      Thanks so much for the info! I actually reached out to Symantec to see what they thought (they did the original research) -- I'll report back if they respond.
  • R4pt0r on

    Thank you
    • Tara Seals on

      Hi there -- the researcher who authored the Mirai blog, Dinesh Venkatesan, sent over this response: "Yes, we observed the traces of Aboriginal Linux and the deliverables adhering to the conventions, too. While we know that the project was closed and replaced with mkroot, that wouldn’t necessarily deter the malware creators from using an outdated project. "In fact, this technique is becoming a trend among malware authors as more and more variants emerge. One key advantage to using an old project is stability and avoiding mis-configuration errors during runtime. For example, many of the earlier Mirai variants failed to run on Android devices, whereas these variants run seamlessly when executed as a standalone command." I hope that's helpful!
