A new version of the Miori botnet added protection to the login panel of its command and control server, displaying a “not welcome” message to connections that are likely coming from a security researcher.
Miori malware is an offshoot of Mirai and has been referenced since at least late May last year. It gained visibility towards the end of 2018 when its distribution leveraged a ThinkPHP remote code execution vulnerability that had exploit code publicly available.
Researchers not welcome
Until the latest variant, Miori’s communication with the command and control (C2) server relied on a binary-based protocol with a login prompt available to anyone that knew the address.
The operators switched to a text-based protocol and added a check that terminates the connection unless the client first sends a particular string to the C2.
It appears that cybercriminals have grown familiar with the way malware analysts do their research and added a message for them when they connected to the C2 via the normal methods.
The new Miori variant supports encrypted commands and is only allowed to connect to the command server after sending that specific string.
Makoto Shimamura of Trend Micro says that while it awaits instructions, the malware continues to search for vulnerable hosts that can be compromised.
Miori targets IoT devices that have SSH and Telnet services exposed to the web and are secured with poor access credentials. In other words, it spreads as hundreds of other Mirai-based botnets.
Decrypting the commands from the attacker is nothing complicated, as the malware relies on a simple substitution cipher and the correspondence table is built into the binary, so an analyst who recovers the table from the sample can read every command.
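As an added illustration of that analysis step (this is not Miori's code, and the table is constructed for the example, not the one embedded in the sample), the following Python decodes substitution-ciphered C2 commands once the correspondence table is known, and also recovers a partial table from a known plaintext/ciphertext pair, flagging conflicts that would indicate the cipher is not a plain character substitution:

```python
# Added example, not code from the Miori sample or from Trend Micro's analysis.
# PLAIN is the plaintext alphabet and CIPHER is a constructed permutation of it;
# a real analysis would replace CIPHER with the table pulled from the binary.
PLAIN = "abcdefghijklmnopqrstuvwxyz0123456789. "
CIPHER = "zyxwvutsrqponmlkjihgfedcba9876543210 ."

# A substitution table is only usable if it is a true permutation of PLAIN.
if len(PLAIN) != len(CIPHER) or len(set(CIPHER)) != len(CIPHER):
    raise ValueError("cipher alphabet must be a permutation of the plain alphabet")

ENC_TABLE = dict(zip(PLAIN, CIPHER))   # plaintext char -> ciphertext char
DEC_TABLE = dict(zip(CIPHER, PLAIN))   # ciphertext char -> plaintext char


def decode_command(cipher_text: str) -> str:
    """Map each ciphertext character through the inverse table.

    Characters not present in the table are passed through unchanged so that
    a partially recovered table still produces readable output instead of
    raising on the first unknown byte.
    """
    return "".join(DEC_TABLE.get(ch, ch) for ch in cipher_text)


def encode_command(plain_text: str) -> str:
    """Forward direction; useful for round-trip checks of a recovered table."""
    return "".join(ENC_TABLE.get(ch, ch) for ch in plain_text)


def recover_table(known_plain: str, known_cipher: str) -> dict:
    """Derive a partial cipher->plain table from one known plaintext pair.

    If the same ciphertext character would need to map to two different
    plaintext characters (or vice versa), the traffic is not a single-table
    substitution cipher and the assumption is wrong, so raise instead of
    silently producing a bad table.
    """
    if len(known_plain) != len(known_cipher):
        raise ValueError("known plaintext and ciphertext must be the same length")
    table = {}
    reverse = {}
    for p, c in zip(known_plain, known_cipher):
        if table.get(c, p) != p or reverse.get(p, c) != c:
            raise ValueError(f"conflicting mapping for {c!r}/{p!r}")
        table[c] = p
        reverse[p] = c
    return table


if __name__ == "__main__":
    # Constructed sample traffic: a flood command encoded with the toy table.
    sample = encode_command("udp 10.0.0.1 80 60")
    print("ciphertext:", sample)
    print("decoded:   ", decode_command(sample))
    print("recovered: ", recover_table("udp", sample[:3]))
```

In practice the recovered table is then applied to the captured command stream, and a conflict from `recover_table` is the quickest way to learn that the traffic has a second transformation layered on top of the substitution.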
The botnet’s purpose remains distributed denial-of-service (DDoS) attacks as Shimamura discovered a command for launching both TCP and UDP flood attacks.
Additional commands found in the malware are for terminating the attack and for killing its process.
Source code for sale
Whoever is behind this new variant of Miori appears to offer the source code to anyone willing to part with $110. This may be part of a future plan from the developer, as the strings for the website address were found inside the malware sample.
“The site appears to be built using the legitimate e-commerce service called Selly. However, it may also be a fraudulent page that won’t deliver the source code after a buyer pays the given price.”