Researchers discover a new strain of the notorious Mirai botnet which goes bitcoin hunting
IBM X-Force has discovered a first-of-its-kind variant of the ELF Linux/Mirai malware that has a built-in component designed to mine bitcoins.
The variant was first discovered without the bitcoin mining capability in August 2016, but traffic from the new strain containing links to ELF 64-bit binary files started towards the end of March 2017, increased by 50 percent in four days and disappeared another four days later.
According to Dave McMillen, senior threat researcher at IBM managed security services, this new Mirai strain was similar to another recently-created version that leverages a Windows Trojan, but was focused on attacking Linux machines running BusyBox, a software that describes itself as ‘the swiss army knife of embedded Linux.’
The Windows version contained some extra capabilities from normal Mirai botnets such as SQL injection and brute-force attack tools, but the new ELF Linux/Mirai malware variant boasts an extra add-on in the form of a bitcoin miner slave.
“This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all,” McMillen writes. “Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium.
“We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.
In a blog post, McMillen also highlighted the benefits of focusing on bitcoin mining due to society’s growing preference of cashless payments, especially seeing as cyber criminal activity is often funded by the cryptocurrency.
However, he questioned the economic validity of such a strategy: “Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity,” he says.
“How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn’t attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past? It’s possible they’re looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture.”
Reign of terror
Although the potential impact of this new Mirai strain is unclear, the botnet – which compromises IoT devices and launches distributed denial-of-service (DDoS) attacks against predefined targets – has been busy plaguing businesses and devices for some time.
It first gained notoriety after being used in the high-profile attack on DNS hosting provider Dyn which took down the likes of Netflix, Twitter and Reddit and has since targeted Talk Talk and the Post Office in the UK.
Most recently, it was responsible for a massive 54-hour attack on a US college which generated the highest traffic flow that security firm Imperva Incapsula had ever seen out of a Mirai botnet.