Yet another new Mirai variant has reared its head, aimed at turning internet of things (IoT) devices into proxy servers.
The FortiGuard Labs team encountered the botnet, which it dubbed OMG. The variant adds and removes some configurations that can be found in the original Mirai code – but it also keeps Mirai’s original modules, including the attack, killer and scanner modules.
“This means that it can also do what the original Mirai could, i.e. kill processes (related to telnet, ssh, http by checking open ports and other processes related to other bots), telnet brute-force login to spread and DOS attack,” FortiGuard researchers said in an analysis.
However, the proxy function is OMG’s main purpose. Cybercriminals use proxies to add anonymity when carrying out hacking and other malicious activities. FortiGuard pointed out that one way to earn money with proxy servers is to sell access to them to other cybercriminals, which is what OMG was built for.
For the proxy to work properly, OMG’s authors added a firewall rule to allow traffic on the generated ports; two strings containing the commands for adding and removing such a rule were added to the configuration table. After enabling the firewall rule so traffic can reach the randomly generated HTTP and SOCKS ports, the bot sets up 3proxy using a predefined configuration embedded in its code, FortiGuard explained.
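The two observable traces described above (a new ACCEPT rule for a high, non-baseline TCP port, plus a 3proxy process running from an unusual path) are what a defender can check for on a Linux-based IoT device. The following is an added example written for this page, not FortiGuard's code or anything from the OMG sample itself; it parses constructed `iptables-save` and `ps -eo pid,comm,args` output and flags the combination. The port numbers, process paths and the baseline port set are assumptions for the sake of the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `iptables-save` output from a small Linux/IoT box.
# The SSH and HTTP rules are the device's normal baseline; the two high ports
# stand in for the "allow traffic on generated ports" rule the article
# describes (the port numbers are hypothetical).
SAMPLE_IPTABLES = """\
# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51291 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60773 -j ACCEPT
COMMIT
"""

# Constructed sample of `ps -eo pid,comm,args` output; the 3proxy entry and
# its /tmp paths are hypothetical.
SAMPLE_PS = """\
  PID COMMAND         COMMAND
    1 init            /sbin/init
  412 dropbear        /usr/sbin/dropbear -p 22
  977 3proxy          /tmp/.x/3proxy /tmp/.x/3proxy.cfg
 1003 busybox         /bin/busybox httpd -p 80
"""

# Ports this particular device is expected to accept (assumed baseline).
BASELINE_PORTS: Set[int] = {22, 80}

_DPORT = re.compile(r"--dport\s+(\d+)\b")


def accepted_tcp_ports(iptables_text: str) -> Set[int]:
    """Return destination ports that INPUT rules ACCEPT over TCP.

    Only single `--dport` rules are handled; `--dports` multiport ranges are
    deliberately ignored here to keep the parser simple.
    """
    ports: Set[int] = set()
    for line in iptables_text.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or not line.endswith("-j ACCEPT"):
            continue
        if "-p tcp" not in line:
            continue
        match = _DPORT.search(line)
        if match:
            ports.add(int(match.group(1)))
    return ports


def unexpected_accept_ports(iptables_text: str,
                            baseline: Set[int] = BASELINE_PORTS) -> List[int]:
    """Accepted TCP ports that are not part of the device's known baseline."""
    return sorted(accepted_tcp_ports(iptables_text) - baseline)


def proxy_processes(ps_text: str,
                    names: Tuple[str, ...] = ("3proxy",)) -> List[Tuple[int, str]]:
    """Return (pid, args) for processes whose name or command line matches
    a known proxy binary name. Header lines are skipped via the PID check."""
    found: List[Tuple[int, str]] = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, comm, args = parts
        if any(n in comm or n in args for n in names):
            found.append((int(pid), args))
    return found


def assess(iptables_text: str, ps_text: str,
           baseline: Set[int] = BASELINE_PORTS) -> Dict[str, object]:
    """Combine both signals: non-baseline ACCEPT ports plus a proxy process
    together are treated as suspicious; either alone is only reported."""
    ports = unexpected_accept_ports(iptables_text, baseline)
    procs = proxy_processes(ps_text)
    return {
        "unexpected_accept_ports": ports,
        "proxy_processes": procs,
        "suspicious": bool(ports) and bool(procs),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_IPTABLES, SAMPLE_PS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real device the two inputs would come from `iptables-save` and `ps -eo pid,comm,args` run on the box; the baseline set must be tuned per device class, since a NAS or camera legitimately accepts ports this example would otherwise flag.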
Though this is the first time a modified Mirai variant has been seen that is capable of both distributed denial-of-service (DDoS) attacks and setting up proxy servers on vulnerable IoT devices, it’s unlikely that OMG will be the last elaboration on the Mirai theme.
“Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape,” researchers said. “These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures. We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable ETH mining rigs to mine cryptocurrency.”