The Mirai IoT botnet has been used to conduct some of the largest distributed denial of service (DDoS) attacks ever seen. Since the release of the source code in October 2016, there have been several variants of the botnet developed. Now a new variant has been detected, which has been named Wicked, due to some of the strings in the source code.
The new variant was identified by security researchers at Fortinet, who report that the new malware variant incorporates three new exploits which are used to distribute the malware. The original Mirai botnet relied on brute force attacks to gain access to vulnerable IoT devices. While the exploits are not new, many IoT devices are not updated regularly and remain vulnerable to old exploits.
The Wicked botnet scans ports 8080, 8443, 80, and 81, initiating a raw socket SYN connection to the targeted device. Once the connection is established, the bot attempts to exploit vulnerabilities and download the malicious payload by writing exploit strings to the socket. Which exploit is used depends on the port on which the connection was established.
On port 8080, Netgear DGN1000 and DGN2200 v1 router exploits are used; on port 81, a CCTV-DVR remote code execution exploit; and on port 8443, Netgear R7000 and R6400 command injection exploits. On port 80, an "invoker" shell exploit targets web servers that have already been compromised, leveraging malicious web shells previously installed on them.
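For defenders, the port pattern above is a simple thing to watch for at the perimeter. The following is an added example, not code from Fortinet's report: a small Python detector that flags any source sending SYNs to two or more of the four Wicked ports within a short window. The firewall log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the Wicked bot is reported to scan (from the article).
WICKED_PORTS = {80, 81, 8080, 8443}

# Constructed sample firewall log lines (not real traffic), one packet per line.
# 198.51.100.7 hits all four Wicked ports in a few seconds; 203.0.113.9 does not.
SAMPLE_LOG = """\
2018-05-17T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=8080 flags=S
2018-05-17T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=8443 flags=S
2018-05-17T10:00:02Z src=198.51.100.7 dst=192.0.2.11 dport=81 flags=S
2018-05-17T10:00:03Z src=198.51.100.7 dst=192.0.2.12 dport=80 flags=S
2018-05-17T10:00:05Z src=203.0.113.9 dst=192.0.2.10 dport=443 flags=S
2018-05-17T10:00:06Z src=203.0.113.9 dst=192.0.2.10 dport=80 flags=S
2018-05-17T10:30:00Z src=203.0.113.9 dst=192.0.2.10 dport=8080 flags=S
"""

# Assumed key=value log layout; adjust the pattern for a real firewall export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport) for a pure SYN line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m or "S" not in m.group("flags") or "A" in m.group("flags"):
        return None  # skip malformed lines and SYN-ACK replies
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))

def find_wicked_scanners(log_text, window_seconds=300, min_ports=2):
    """Map each source that SYNs >= min_ports distinct Wicked ports within the window
    to the sorted list of Wicked ports it touched in that window."""
    events = defaultdict(list)  # src -> [(ts, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in WICKED_PORTS:
            ts, src, _dst, dport = parsed
            events[src].append((ts, dport))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start time
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    for src, ports in find_wicked_scanners(SAMPLE_LOG).items():
        print(f"possible Wicked-style scanner {src}: ports {ports}")
```

Hits on the Wicked ports alone are not proof of infection (they are common web ports), so treat a match as a trigger to inspect the follow-up HTTP requests for the exploit strings described above.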
The researchers initially thought the new bot was being used as a downloader to install a different botnet called Sora due to the presence of the string SoraLOADER in the source code. However, further investigation revealed the bot connects to a malicious domain to download the Owari bot – a variant of Mirai.
While attempts appear to be made to download Owari, no samples of the Owari bot could be located in the website directory; instead, the researchers found samples of a different bot named Omni.
The researchers found an interview with a threat actor operating under the name Wicked, who has previously been involved with two botnets: Sora and Owari. Wicked claimed in that interview that Sora had been retired, although work was continuing on Owari.
Further research suggests that both Sora and Owari have now been abandoned and that Omni is currently the sole active project. The Fortinet researchers believe Wicked is responsible for developing all four botnets: Wicked, Owari, Sora, and Omni.