Attackers continue to develop and deploy new versions of the Mirai malware.
“Barely a month since discovering a new Miori variant, we found another new Mirai sample through our research,” said Makoto Shimamura of the Cyber Threat Research Team at Trend Micro. “Like previous Mirai variants, it allows attackers remote access and control via exposed ports and default credentials in IoT devices such as IP cameras and DVRs, and allows attackers to use infected devices for distributed denial of service (DDoS) attacks via various methods such as User Datagram Protocol (UDP) flood attack.
“Compared to previous variants, however, we found this sample distinct because the cybercriminals placed the command and control (C&C) server in the Tor network for anonymity. This may be a developing trend among IoT malware developers, given that malicious actors’ C&C servers in the surface web can be reported and taken down — and it’s one trend that cybersecurity researchers, enterprises, and users alike may have to start defending against.”
While Mirai variants typically have one to four C&C servers, this sample contained 30 hard-coded IP addresses, Shimamura said. When we executed the sample, it sent the specific byte sequence “05 01 00,” the initial handshake message of the SOCKS5 protocol. We then sent the same message to the servers and got the SOCKS5 response “05 00” from the majority of the addresses, confirming that they were SOCKS proxies into the Tor network. A Shodan scan also confirmed this, with results showing SOCKS proxies running on the servers.
Shimamura also found that the malware selects a random server from the list as a proxy, opens the connection with SOCKS5 and asks the proxy to relay packets to a C&C server at nd3rwzslqhxibkl7[.]onion:1356 on Tor. If it fails to establish the relay connection, it repeats the process with another proxy server.
“Connecting to the C&C with a Tor proxy in a testing environment, we confirmed this as it returned a login prompt for the attacker, exactly the same prompt as other C&C servers have returned with previous Mirai variants,” Shimamura said in a post.
As in other Mirai variants, the configuration values are encrypted by XOR with 0x22 (34) and embedded in the binary, the researcher said. When decrypted, they include the distinctive string “LONGNOSE: applet not found”, which can be used to identify this variant’s name.
The attackers’ decision to place the C&C server in Tor is a notable attempt to evade tracking of its IP address and to avoid being shut down when reported to domain hosts.
While there have been previous reports of other malware hiding their C&C in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of the anonymity Tor provides, the server remains anonymous, keeping the malware creator and/or C&C owner unidentifiable. Likewise, the server keeps running despite discovery, its network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted because Tor also has legitimate uses.
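The two indicators the researchers relied on, the SOCKS5 handshake bytes and the XOR-0x22 configuration with its LONGNOSE marker, can be checked with a small triage script. This is an added example, not Trend Micro's code: the key, marker string, onion address and handshake bytes are taken from the article, while the sample config blob is constructed here by encoding a plaintext with the same XOR so the decoder can be exercised offline.

```python
# Constructed triage helpers (not the researcher's code). XOR key 0x22, the
# LONGNOSE marker, the onion address and the SOCKS5 bytes come from the article.
XOR_KEY = 0x22                               # config values XORed with 0x22 (34)
MARKER = b"LONGNOSE: applet not found"       # string that names the variant
SOCKS5_VERSION, SOCKS5_NO_AUTH = 0x05, 0x00  # RFC 1928 version / method 0


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to the embedded config (symmetric)."""
    return bytes(b ^ key for b in blob)


def extract_config_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Decode the blob and return the printable, NUL-separated strings in it."""
    found = []
    for chunk in xor_decode(blob).split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            found.append(chunk.decode("ascii"))
    return found


def is_longnose_config(blob: bytes) -> bool:
    """True when the decoded config carries the LONGNOSE marker."""
    return MARKER in xor_decode(blob)


def is_socks5_greeting(data: bytes) -> bool:
    """Client hello: VER=5, NMETHODS, then exactly NMETHODS method bytes.
    The sample's '05 01 00' is version 5, one method, no authentication."""
    if len(data) < 2 or data[0] != SOCKS5_VERSION:
        return False
    return data[1] >= 1 and len(data) == 2 + data[1]


def is_socks5_noauth_reply(data: bytes) -> bool:
    """Server reply '05 00': version 5, selected method 0 (no auth)."""
    return data == bytes([SOCKS5_VERSION, SOCKS5_NO_AUTH])


# Constructed sample blob: plaintext config XOR-encoded with the same key so
# the decoder can be exercised offline. The onion address is the one reported.
SAMPLE_CONFIG = xor_decode(b"nd3rwzslqhxibkl7.onion:1356\x00" + MARKER + b"\x00")

if __name__ == "__main__":
    print(extract_config_strings(SAMPLE_CONFIG))
    print(is_socks5_greeting(bytes.fromhex("050100")),
          is_socks5_noauth_reply(bytes.fromhex("0500")))
```

Run against a real sample, `extract_config_strings` would be fed the XOR-encoded region carved from the binary, and the two SOCKS5 checks would be applied to the first bytes of each direction of a captured proxy session.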
“The presence of another distribution server and other samples designed for other device architectures possibly implies that these malicious actors intend to apply this operation in a larger scale,” Shimamura said. “However, detection systems with signature and behavior-based mechanisms can still detect and block these malware intrusions.”
In terms of defense, it ultimately comes down to staying on top of the basics. Users and enterprises should update their network systems and devices with the latest patches where possible, replace default credentials with complex passwords and apply multiple authentication mechanisms to prevent unauthorized access, Shimamura said. They should also avoid connecting to insecure networks outside trusted perimeters, to limit the chance of intrusion via open and publicly available networks.