A new variant of the Mirai botnet malware has been found in the wild. Security researchers and the tech savvy may remember the original Mirai botnet, which was discovered in August 2016. It turned Linux-based machines (mostly IP cameras and routers) into a large network of remotely controlled devices that was used in several notable distributed denial of service (DDoS) attacks.

The new variant, called Wicked, picks up where the original Mirai left off, adding new DDoS methods as well as up to sixteen new exploits in a single sample. Remote code execution is used to attack Netgear routers as well as CCTV and DVR devices, which demonstrates the evolution of this malware. ElevatedPrompt has collected data via our advanced DET3CT monitoring service showing the malware in action.

Wicked Mirai starts off by scanning ports 8080, 8443, 80, and 81 across the public IP address space to locate potentially vulnerable targets. Once a connection is established, an exploit attempt is made. If the exploit is successful, the malicious payload is downloaded; in this case the payload is a shell script. Below are command attempts captured by ElevatedPrompt’s threat intelligence sensors:

Time                            Source   Dest Port   Host      Command
August 15th 2018, 14:17:34.934           22          vul-hst   cd /root
August 15th 2018, 14:17:34.934           22          vul-hst   wget
August 15th 2018, 14:17:34.934           22          vul-hst   cd /mnt
August 15th 2018, 14:17:34.934           22          vul-hst   cd /var/run
August 15th 2018, 14:17:34.934           22          vul-hst   cd /tmp
August 15th 2018, 14:17:34.934           22          vul-hst   cd /

The shell script attempts to download numerous ELF files, mark them executable, run each one, and then forcibly and recursively remove the specified directory to cover its tracks.

ElevatedPrompt’s researchers have analyzed the ELF files and discovered a command-and-control (C2) server address.

This variant has also been observed as a distribution point for other Mirai-flavoured botnets, including Sora, Owari and Omni. As of early September 2018, Wicked has been used to exploit the same vulnerability in Apache Struts that was responsible for the massive Equifax breach in 2017. Gafgyt, a botnet similar to Mirai, has also been observed attacking a vulnerability in SonicWall Global Management System. These developments hint at a new evolution of the malware, one that may be specifically targeting enterprise organizations.

Remediation of the threat may come in the form of firmware updates from the manufacturer of the affected device. In almost every case, infected devices keep functioning normally. Users may notice occasionally sluggish browsing performance, which could be an indication of infection; however, performance degradation alone is a poor indicator. Further investigation requires network traffic monitoring, along with knowledge of what traffic is meant to be on your network and what traffic should raise suspicion.

ElevatedPrompt provides advanced security monitoring and threat detection designed to provide our clients continuous analysis of anomalous and suspicious behaviors and patterns. Our security analysts investigate and validate potential threats, and our clients receive actionable advisories of only genuine threats. DET3CT can drastically lower the amount of false positive alerts your team receives, so they can better focus on the issues that matter.

Update: As of early September, ElevatedPrompt has observed Wicked attempting to exploit vulnerabilities in Apache Struts. This is the same vulnerability responsible for the 2017 Equifax data breach. Gafgyt, a botnet similar to Mirai, has also been observed attacking SonicWall’s Global Management System. Both of these indicate that the malware may be evolving to target enterprise organizations. Below are some indicators captured by ElevatedPrompt’s intelligence sensors: