Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

New Mirai botnet variant found operating across 3 different campaigns in 2022

Researchers have discovered a new variant of the infamous Mirai botnet, used over three campaigns in 2022, and likely operated by the same threat actor.

user icon David Hollingworth
Thu, 16 Feb 2023
New Mirai botnet variant found operating across 3 different campaigns in 2022
expand image

The new variant, labelled V3G4 by researchers at Palo Alto’s Unit 42, took advantage of a range of known vulnerabilities to spread itself between internet of things devices, and thus widen the botnet’s reach.

Unit 42 researchers believe the campaigns are the work of a single threat actor due to some very specific similarities. The same string is used in all three campaigns’ command and control domains, and the shell script downloaders are practically identical. The same XOR encryption key is used across the three campaigns, and client samples all have similar functions.

Finally, the threat actor uses similar language across the campaigns, including an easily identifiable racial slur in two of them.

============
============

The vulnerabilities, which affect devices ranging from web cameras to networking devices, all allow various remote command and code executions. The VG34 Mirai variant uses similar brute-force techniques to the original, taking advantage of default and weak username/password combinations.

Once a device is infected, the botnet clients can spread from device to device in a network. The botnet then communicates with its C2 network, allowing the distributed denial-of-service (DDoS) attacks to be launched.

Unit 42’s researchers conclude that while this new Mirai variant lacks the complexity of some of its predecessors, it is still nonetheless a threat.

“The vulnerabilities mentioned … have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution,” Unit 42 wrote in a blog post.

Mirai first came to light in 2016 after a number of high-profile DDoS attacks, particularly when it was responsible for taking down a large domain registration services provider. It was written by two apparent security specialists, who sold their services to protect companies from such attacks while actually perpetrating them themselves.

The pair have since been arrested, but before their apprehension, they released their source code into the wild, where it has since been used to create a raft of new botnet variants.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.