Security researchers have been aware of the Mirai malware for a while. It is an infection that turns Linux-based devices into obedient, remotely controlled zombies called “bots”. According to researchers from McAfee, 2017 was dominated by the Necurs and Gamut botnets, which together delivered 97% of all spam. However, smaller botnets are also making themselves evident. For instance, the Satori botnet is a variant of Mirai, and it has exploited vulnerabilities in Huawei routers.
IoTroop, a.k.a. Reaper Bot, targeted financial companies in January 2018
Now another variant of Mirai has been detected (dubbed IoTroop or Reaper Bot), and it has been used in a series of denial-of-service campaigns. To get the best results, this bot focused on businesses from the financial sector. The new version is not as powerful as the original Mirai; nevertheless, it generates traffic volumes of up to 30 Gbps. In total, the new version of Mirai used approximately 13,000 IoT devices. It is not surprising that Mirai malware remains relevant in the cyber world: in 2016, this bot was already listed as one of the most popular open-source malware threats.
The Insikt Group, a research group from Recorded Future, was the one to reveal the activity of IoTroop. According to them, this bot was extremely active in January 2018 and experimented with DDoS attacks against a number of companies from the financial sector. Specialists indicate that the first attack was a DNS amplification attack.
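A DNS amplification flood leaves a recognisable footprint in flow data: many distinct resolvers sending large UDP responses from port 53 to one target that sent almost no queries. The detector below is an added example written for this page, not code from Recorded Future's report; the flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the report): one tuple per flow,
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
SAMPLE_FLOWS = [
    # Many open resolvers sending large UDP/53 responses to a single victim,
    # the pattern a DNS amplification flood leaves in flow data.
    ("198.51.100.10", 53, "203.0.113.5", 41000, "udp", 40, 120000),
    ("198.51.100.11", 53, "203.0.113.5", 41000, "udp", 38, 114000),
    ("198.51.100.12", 53, "203.0.113.5", 41000, "udp", 41, 123000),
    ("198.51.100.13", 53, "203.0.113.5", 41000, "udp", 37, 111000),
    ("198.51.100.14", 53, "203.0.113.5", 41000, "udp", 39, 117000),
    # Ordinary resolver traffic: a host queries its resolver and gets small replies.
    ("203.0.113.7", 51234, "192.0.2.53", 53, "udp", 5, 350),
    ("192.0.2.53", 53, "203.0.113.7", 51234, "udp", 5, 600),
]


def detect_dns_amplification(flows, min_resolvers=3, min_avg_bytes=1000, ratio=10.0):
    """Return {victim_ip: stats} for hosts receiving UDP/53 responses from many
    distinct sources, with a large average response size and far more inbound
    than outbound DNS bytes. All thresholds are illustrative assumptions."""
    inbound = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    outbound = defaultdict(int)
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport == 53:                      # response-like traffic toward dst
            rec = inbound[dst]
            rec["sources"].add(src)
            rec["packets"] += pkts
            rec["bytes"] += nbytes
        elif dport == 53:                    # query-like traffic sent by src
            outbound[src] += nbytes
    flagged = {}
    for victim, rec in inbound.items():
        avg = rec["bytes"] / rec["packets"] if rec["packets"] else 0
        amp = rec["bytes"] / max(outbound[victim], 1)   # inbound:outbound DNS bytes
        if len(rec["sources"]) >= min_resolvers and avg >= min_avg_bytes and amp >= ratio:
            flagged[victim] = {"resolvers": len(rec["sources"]),
                               "avg_bytes": round(avg),
                               "amplification": round(amp, 1)}
    return flagged


if __name__ == "__main__":
    print(detect_dns_amplification(SAMPLE_FLOWS))
```

In real deployments the thresholds would be tuned per network, and the same grouping can be applied to NTP (port 123) or SSDP (port 1900) reflection by changing the port check.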
First malware to exploit IoT botnet for DDoS attacks since Mirai
It is stated that the new version of Mirai has been improved to the point that it can exploit vulnerabilities in IoT devices. In the future, this version is expected to mount even more severe DDoS attacks. According to the research from Recorded Future, specialists have found seven IP addresses that belong to the potential controllers of this Mirai variant.
It is clear that the new botnet used at least 13,000 devices (each with a unique IP address) and flooded financial companies with generated traffic. Further analysis revealed that the botnet compromised MikroTik routers, the same devices that had been exploited by hackers attempting to spread the Slingshot router malware.
However, the Mirai variant also compromised other routers: Ubiquiti, ZyXEL and Cisco. In addition, the bot targeted other IoT devices such as TVs and DVRs. According to researchers from Recorded Future, “the spread of devices from different manufacturers suggests a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices”.
The Insikt report also marks the first time since Mirai that researchers observed an IoT botnet being used in a DDoS attack. Specialists also suggest that the main targets were in Russia, Brazil and Ukraine. However, the botnet managed to pull devices from 139 countries into this cyber-attack.