A new variant of the notorious Mirai botnet is infecting poorly secured IoT devices by exploiting default login credentials such as usernames and passwords. Researchers have uncovered three campaigns using the botnet in the past year, deducing they were likely perpetrated by the same attacker. 

New version of notorious Mirai botnet targets Linux systems. (Photo by BeeBright/Shutterstock)

The V3G4 spreads through machines, targeting exposed servers and network devices running Linux. Exposed IP cameras, often used for surveillance, appear to be the most prevalent targets. However, routers and even fridges have been known to be ensnared by such techniques.

Mirai botnet variant targets IoT and Linux devices

The new Mirai malware, dubbed V3G4 by researchers at security company Palo Alto Networks’ Unit 42, uses 13 vulnerabilities to crack into any IoT devices, to bend them to the will of the ‘botmaster’. Distributed Denial of Service (DDoS) attacks can then be implemented. 

Once in, the malware is downloaded onto the device allowing Remote Code Execution (RCE) and connection to a command and control server.  Both these actions allow complete control of the mechanism, along with the ability to command it to act within the botnet, providing DDoS capabilities. 

The V3G4 botnet has four XOR encryption keys instead of just the one in the original Mirai. This makes decoding or reverse-engineering the botnet far more challenging. 

While the vulnerabilities used by the V3G4 actually have less attack complexity than previously observed variants, they maintain a critical security impact that can lead to remote code execution, with disastrous consequences, explains the report.

“Once the vulnerable devices are compromised, they will be fully controlled by the attackers and become a part of the botnet. The threat actor has the capability to use those devices to conduct further attacks, such as DDoS attacks,” reads the report. 

To mitigate the risk of appliances falling foul of the V3G4 botnet, Unit 42 advises that patches and updates should be applied where possible. 

The Mirai Botnet

The original Mirai botnet is now notorious for expressing the potential of the size and power of botnets. It was originally written in 2016 to knock rival Minecraft servers offline using DDoS attacks, however, it soon spread to infect thousands of IoT devices and evolved to conduct full large-scale attacks, explains a report by the US’s Centre for Internet Security.

“Mirai’s first large-scale attack was in September 2016 against a French technology company, OVH. Mirai’s attack peaked at an unprecedented 1TBPS and is estimated to have used about 145,000 devices within the assault,” the report reads. This attack set the precedent for how dangerous botnets could become. 

In October 2016 the botnet’s source code was leaked, triggering the launch of dozens of copycats. Many of the current botnets are based on the original Mirai template. 

Read more: The Zerobot botnet and enterprise IoT: What you should know