New Miori Variant Uses Unique Protocol to Communicate with C&C

By: Makoto Shimamura, Cyber Threat Research Team

We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses a text-based protocol to communicate with its C&C.

Miori’s unique protocol

Typical Mirai variants communicate with their respective C&Cs using a binary-based protocol. In that scenario, the C&C server would display a login prompt to get into the console that the attacker uses. The C&C server assumes that anyone who connects to the C&C server is the attacker trying to access the console, so that the login prompt asking for the username and password is displayed, as seen in Figure 1.

Figure 1. Example of a Mirai C&C login prompt

This is not the case for this new Miori variant. When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods.

Figure 2. Message displayed after attempting to connect to the C&C console

This prompted us to try to see where the change was made in this campaign. We analyzed the protocol used by the malware, and discovered that it is text-based. Its C&C should receive a specific string before allowing anyone access to its console, unlike older Mirai variants. If that string is not received, then it displays the message shown above.

We also discovered that it uses a protocol (illustrated in Figure 3) for receiving encrypted commands, which is not present in older variants. As it waits for these commands, it simultaneously scans for vulnerable telnets hosts to propagate.

Figure 3. Protocol of the Miori variant

Figure 4. Snapshot of the malicious code used to communicate with the C&C server

This malware variant used a simple substitution method for its encryption, with the correspondence table hard-coded in the malware code for decryption.

Figure 5. Example of correspondence table of the substitution cipher found in the code

Further analysis allowed us to find encrypted attack commands. Similar strings, as seen in Figure 6, likely indicate the attack command sent to the malware variant through the C&C server. In the figure, the strings show a command for executing a UDP Flood attack. We could assume that an attacker can use this command to specify destination IP, port, time, and packet size.

Figure 6. Sample attack command string found during the analysis

Aside from the sample command, TCP Flood attack, attack termination, and process termination commands were also found.

Similarity with other Mirai variants

One similarity it does share with other Mirai variants is that XOR was used to encrypt a part of its configuration data and the list of telnet/SSH credentials used for the malware’s brute-force capabilities.

However, the configuration data was divided and stored separately, some of which used decoding methods that had not been used in older Mirai variants.

We also couldn’t find the string “: applet not found” in the configuration data, which is one of the identifiers of a Mirai variant. This could indicate that the cybercriminals behind this campaign are consciously removing the usual indicators of a Mirai attack to confuse security researchers. This string was used to verify a successful infection in older variants, but in this variant, the success is verified by a different configuration data, as illustrated by the figure below.

Figure 7. Echo command and its output used to verify infection success


As mentioned earlier, this Miori variant can scan for vulnerable telnet hosts, and send their IP address and account information to the C&C server. Like earlier Mirai variants, this malware sends and executes a malicious script in a vulnerable host.

We were able to identify the malicious script used for spreading this malware in the architecture of the execution host. Arguments can be specified at runtime, so it would be possible to control the attack enough to be different campaigns through the input of different arguments at malware runtime.

Figure 8. Snapshot of the malicious script that spreads the malware in the vulnerable telnet host

Source code sale site

Examining the strings used in this sample also revealed a message containing the URL of the site that sells the malware’s source code. Checking the site showed that the source code is being sold for US$110.

Figure 9. The source code sale site

The site appears to be built using the legitimate e-commerce service called Selly. However, it is may also be a fraudulent page that won’t deliver the source code after a buyer pays the given price.

Conclusion and security recommendations

The Mirai malware family can be considered the original IoT malware. Its effectivity motivates attackers to develop different variants. In this case, however, significant changes in its protocol and storage method of configuration data could indicate that this Miori variant is not just a new Mirai variant. It could be a new malware trying to appear as a Mirai variant to elude detection and to make its analysis difficult.

Regardless of the reason behind its design, the malware’s routine is generally similar to typical Mirai variants: infect vulnerable IoT devices and use them as platforms for launching a DDoS attack. These differences also emphasize the necessity of keeping up with evolving IoT malware in the future.

Users can reduce the impact of such schemes by applying the right patches and updates for their deployed devices. As this malware acts like a typical Mirai variant, making sure to change default credentials with tougher security in mind can reduce the possibility of unauthorized access and success of brute force attacks.  Locating devices in secure areas can also prevent security issues stemming from physical tampering.

Trend Micro Solutions

Trend Micro Smart Home Network provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

SHA256FilenameDetection name
185[.]244[.]39[.]74:10019C&C server

The post New Miori Variant Uses Unique Protocol to Communicate with C&C appeared first on .