A variant of the Mirai botnet was used to launch a series of distributed denial of service campaigns against financial sector businesses. The attacks utilized at least 13,000 hijacked IoT devices generating traffic volumes up to 30 Gbps, considerably less intense than the original Mirai assaults clocked at 620 Gbps.
Researchers at Recorded Future first reported the attacks on Thursday in a technical breakdown of the malware. They said the Mirai botnet and malware variant also exhibited characteristics that may link it to IoTroop botnet (or Reaper), first identified October 2017.
The most recent attacks spotted by Recorded Future took place between Jan. 27 through 28. They reported three distinct attacks. The first attack utilized a DNS amplification technique with traffic volumes peaking at 30 Gbps. Researchers are unsure what the volumes of subsequent attacks were.
“If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks,” wrote Priscilla Moriuchi and Sanil Chohan, who co-authored the report.
IoTroop shares some of Mirai’s code, according to a previous analysis of the malware. Similar to Mirai, the malware targets poorly protected network-connected devices such as wireless IP cameras, manufactured by companies including TP-Link, Avtech, MikroTik, Linksys, Synology and GoAhead.
Recorded Future noted this latest variant of Mirai differs from the original Mirai and IoTroop malware. Mirai and IoTroop are names for both the botnet and the malware used to infect the IoT devices.
“While many of the IoT vendors and devices appeared in the (IoTroop) research published in October 2017, many of the devices such as Dahua CCTV DVRs, Samsung UE55D7000 TVs and Contiki-based devices were previously unknown to be vulnerable to Reaper/IoTroop malware,” researchers said.
Making this latest unnamed Mirai variant even more potent is the use of IoTroop code that allows the malware to be updated on the fly. “[IoTroop] was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available,” researchers said.
Financial targets are geographically spread across Russia, Brazil and Ukraine, where vulnerable IoT devices are concentrated, researchers said.
“As more data comes to light on the continued targeting of financial institutions from IoTroop, it will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks,” researchers said.
Since the October 2016 release of the Mirai source code, a number of malware variants have cropped up. Following the Mirai source code release a Linux-based botnet targeted weak telnet credentials, and communicated with hacked devices over IRC. In November 2016, a Mirai variant was blamed for a DDoS attack that took down close to 1 million Deutsche Telekom DSL routers. In January, researchers identified a variant called Satori (Mirai Okiru) The available Mirai source code has also given new life to the DDoS as a service industry, since the Mirai code isn’t easily converted into a profit-making machine without some previous expertise.
In October 2016, Mirai malware spread itself to IoT devices gaining access via default password and usernames. The malware then roped affected devices into a botnet and carried out distributed denial of service (DDoS) attacks. The largest of such attacks flooded DNS provider Dyn causing several well-known websites – Twitter, Spotify and Netflix – to go dark for hours.