Dreaded IoT Malware Mirai Spotted in a Windows Trojan

Mirai, the infamous strain of IoT-based malware that triggered an unprecedented distributed denial-of-service (DDoS) attack against prominent DNS provider Dyn leading to a sweeping blackout last year, has now been spotted in a Windows Trojan.

Researchers at Russian cybersecurity firm Dr.Web have discovered a Windows-based Trojan that distributes the Mirai IoT malware. Mirai is widely known as a Linux-based malware that targets Internet-of-Things (IoT) devices, looking for insecure IoT devices such as CCTV cameras before enslaving them in a botnet. Operators of the malware thereby gain the ability to launch crippling DDoS attacks.

The Linux variant of the malware is already the most widespread Trojan on that platform. The new malicious program, dubbed Trojan.Mirai.1 by the researchers, connects to a command and control server to download a configuration file. This file contains a range of IP addresses through which the Trojan attempts to log in using credentials included in the same file. The Trojan then launches a scanner that checks several TCP ports simultaneously.

Once authenticated, the malware runs the commands that the configuration file specifies for that type of compromised system.
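The behaviour described above (one host working through a list of IP addresses on login-capable TCP ports before it finds a node it can authenticate to) leaves a recognisable footprint in connection logs. The following detector is an added example, not code from the Dr.Web report; it assumes a constructed firewall log format and adds SSH (22) to the ports the article names (Telnet, RDP, MSSQL) as an assumption.

```python
"""Flag hosts that contact many distinct peers on login ports in a short window,
the pattern Trojan.Mirai.1's scanner leaves in firewall or flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Telnet (23), MSSQL (1433) and RDP (3389) are named in the article;
# SSH (22) is an assumption, as the report only says "available protocols".
WATCHED_PORTS = {22, 23, 1433, 3389}


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <src> -> <dst>:<port> <verdict>'."""
    ts, src, _arrow, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), verdict


def find_scanners(lines, window=timedelta(minutes=5), min_targets=10):
    """Return {src: set of all dst hosts it touched} for every source that reached
    at least `min_targets` distinct hosts on watched ports inside one `window`.
    Rejected and accepted connections both count: a scanner hits many closed
    ports before it finds one that answers."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _verdict = parse_line(line)
        if port in WATCHED_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        lo = 0
        for hi in range(len(ev)):          # sliding time window over this source's events
            while ev[hi][0] - ev[lo][0] > window:
                lo += 1
            if len({d for _, d in ev[lo:hi + 1]}) >= min_targets:
                flagged[src] = {d for _, d in ev}
                break
    return flagged


SAMPLE_LOG = [  # constructed sample traffic, not real data
    f"2017-02-10T09:00:{i:02d} 10.0.0.5 -> 10.0.1.{i}:23 reject" for i in range(1, 13)
] + [
    "2017-02-10T09:00:30 10.0.0.5 -> 10.0.1.20:1433 accept",   # scanner finds MSSQL
    "2017-02-10T09:01:00 10.0.0.9 -> 10.0.1.3:3389 accept",    # ordinary admin RDP use
    "2017-02-10T09:02:00 10.0.0.9 -> 10.0.1.4:3389 accept",
]

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src} scanned {len(targets)} hosts on login ports")
```

Tune `window` and `min_targets` to the network: a vulnerability scanner or jump host will trip the same rule and belongs on an allow-list.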

An excerpt from the Dr.Web report reads:

If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands…[W]hile connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.

The one exception is a connection over RDP, for which no instructions are executed.

From a compromised system, the Trojan also spreads to other Windows devices on the network, allowing the attackers to hijack additional machines.

If the compromised computer has Microsoft SQL Server installed, the Trojan even creates a database user with administrative privileges.

The Trojan can then launch new processes, create Windows package files, launch executable files with administrative privileges, set up auto-launch tasks or even delete files.

Toward the end of 2016, a Mirai attack affected nearly a million telecom customers in Germany, while a separate attack left hundreds of thousands of UK telecom users without internet access.

Image credit: Pexels.