bitcoin mining os linux

Just in time for IoT Day, the Mirai botnet is launching attacks with a new trick up its sleeve. In February, the Mirai malware began leveraging a Windows Trojan to widen its distribution. On the heels of our paper “Weaponizing the Internet of Things,” published last week, IBM X-Force recently uncovered a new variant of the ELF Linux/Mirai malware that has a new twist: a built-in bitcoin mining component.

The Mirai botnet was developed for two primary purposes: to identify and compromise Internet of Things (IoT) devices to grow the botnet, and to perform distributed denial-of-service (DDoS) attacks against predefined targets. As described in our report, several successful attacks have been launched using this botnet within the past year. The ELF Linux/Mirai malware variant was first discovered in August 2016 by the white-hat security research group MalwareMustDie.

This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering, though. We know that as we move toward becoming a cashless society, there may be more incentive to mine for or purchase bitcoins.

Attackers certainly have much to gain from having bitcoins in their pocket to facilitate their cybercriminal activities — bitcoin is the currency of choice for purchasing illegal commodities such as malware. But using IoT devices to mine for bitcoins? Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity. How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn’t attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past?

It’s possible they’re looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture. Here, we take a look at a recent, short-lived, high-volume ELF Linux/Mirai attack campaign using the new component, a bitcoin miner slave, targeting IBM X-Force-monitored clients.

Read the complete X-Force Research report: The Weaponization of IoT

IBM X-Force began seeing traffic containing links to ELF 64-bit binary files beginning in late March 2017. As shown in Figure 1, the activity was barely a blip on the screen on March 20, but then reached a 50 percent increase in volume just four days later. The activity subsided eight days after it began.

Figure 1: ELF Mirai attack activity (Source: IBM X-Force-monitored client data)

What we found when we dissected the Mirai sample was pretty much the same Mirai functionality ported over from the Windows version, with a focus on attacking Linux machines running BusyBox.

BusyBox provides several stripped-down Unix tools in a single executable file; the campaign also targeted digital video recording (DVR) servers. BusyBox includes a Telnet service, which the Mirai malware targets with a built-in dictionary brute-force tool. The DVR servers are targeted because many of them use default Telnet credentials.

The Telnet protocol is an attacker’s gateway to compromising IoT devices. Aside from DVRs, many embedded system applications in IoT devices, such as routers, VoIP phones, televisions, industrial control systems and others, leverage Telnet’s remote-access capabilities. Mirai bots can perform a few different types of attacks. Besides the usual flooding tools using the TCP, UDP and HTTP protocols, several other capabilities were built into WL4-A0ACM1, the aforementioned Windows version, including SQL injection and brute-force attack tools. The new ELF Linux/Mirai malware variant we discovered included another add-on: a bitcoin miner slave.

This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all. Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.

We found the Mirai dropper in a web console similar to the example in Figure 2 below. We detected this site in a series of high-volume command injection attacks. The site was acting as a malware package archive repository and contained a real-time counter of the victims it had infected. This file package also included a Dofloo backdoor and a Linux shell.

Figure 2: A screen capture of the Mirai dropper web console (Source: IBM X-Force)

Addressing the IoT botnet phenomenon is going to require all stakeholders to take steps to secure these devices.

This includes home and enterprise users as well as manufacturers. Fortunately, our report offers recommendations for all three groups. We highly encourage readers to review the report for guidelines on how to prevent IoT devices from becoming part of a botnet. If the weaponization of IoT devices into DDoS botnets is the latest malicious trend, then turning them into bitcoin miners may be just around the corner.

Posted on April 24, 2017

Azure Security Center helps customers deal with myriads of threats using advanced analytics backed by global threat intelligence. In addition, a team of security researchers often works directly with customers to gain insight into security incidents affecting Microsoft Azure customers, with the goal of constantly improving Security Center detection and alerting capabilities. In the previous blog post "How Azure Security Center helps reveal a Cyberattack", security researchers detailed the stages of one real-world attack campaign that began with a brute force attack detected by Security Center and the steps taken to investigate and remediate the attack.

In this post, we’ll focus on an Azure Security Center detection that led researchers to discover a ring of mining activity, which made use of a well-known bitcoin mining algorithm named Cryptonight. Before we get into the details, let’s quickly explain some terms that you’ll see throughout this blog. “Bitcoin Miners” are a special class of software that use mining algorithms to generate or “mine” bitcoins, which are a form of digital currency. Mining software is often flagged as malicious because it hijacks system hardware resources like the Central Processing Unit (CPU) or Graphics Processing Unit (GPU) as well as the network bandwidth of an affected host. Cryptonight is one such mining algorithm, which relies specifically on the host’s CPU. In our investigations, we’ve seen bitcoin miners installed through a variety of techniques including malicious downloads, emails with malicious links, attachments downloaded by already-installed malware, peer-to-peer file sharing networks, and cracked installers/bundlers.

Our initial investigation started when Azure Security Center detected suspicious process execution and created an alert like the one below. The alert provided details such as the date and time of the detected activity, affected resources, subscription information, and included a link to a detailed report about hacker tools like the one detected in this case. We began a deeper investigation, which revealed the initial compromise was through a suspicious download that got detected as “HackTool: Win32/Keygen". We suspect one of the administrators on the box was trying to download tools that are usually used to patch or "crack" some software keys. Malware is frequently installed along with these tools, allowing attackers a backdoor and access to the box. Two days later we observed the same activity with different file names. In the screenshot below, sst.bat has now replaced kit.bat and mstdc.exe has replaced servies.exe. This same cycle of batch file and process execution was observed periodically. These .bat scripts appear to be used for making connections to the crypto net pool (XCN or Shark coin) and are launched by a scheduled task that restarts these connections approximately every hour.

Additional Observation: The downloaded executables used for connecting to the bitcoin service and generating the bitcoins are renamed from the original, 32.exe or 64.exe, to “mstdc.exe” and “servies.exe” respectively. This naming scheme is based on an old technique used by attackers trying to hide malicious binaries in plain sight: the file names are chosen to look like legitimate, benign-sounding Windows file names. As we did our timeline log analysis, we noted other activity, including wscript.exe using “VBScript.Encode” to execute ‘test.zip’. On extraction, it revealed the ‘iissstt.dat’ file, which was communicating with an IP address in Korea. The ‘mofcomp.exe’ command appears to be registering the file iisstt.dat with WMI. The mofcomp.exe compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. The initial compromise was the result of malware installation through cracked installers/bundlers, which resulted in complete compromise of the machine.
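As an added example (not code from either post), the following Python triage routine applies the indicators described above to constructed process-creation records: file names one edit away from a real Windows binary (mstdc.exe for msdtc.exe, servies.exe for services.exe), wscript.exe invoked with VBScript.Encode, and mofcomp.exe fed a file that is not a .mof. The record layout, the pool host name and the list of imitated binaries are assumptions.

```python
from typing import List, Optional

# Legitimate Windows binaries that the renamed miners imitate (msdtc.exe -> mstdc.exe,
# services.exe -> servies.exe). Illustrative list, not exhaustive.
LEGIT_BINARIES = {"msdtc.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent letters (msdtc/mstdc) costs 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def lookalike_name(image: str) -> Optional[str]:
    """Legitimate binary the file name is exactly one edit away from, or None."""
    name = image.lower().rsplit("\\", 1)[-1]
    if name in LEGIT_BINARIES:
        return None  # the real name; path checks would be a separate rule
    return next((x for x in LEGIT_BINARIES if osa_distance(name, x) == 1), None)

def triage(line: str) -> List[str]:
    """Findings for one constructed 'timestamp | image path | command line' record."""
    _, image, cmdline = [f.strip() for f in line.split("|", 2)]
    findings, low = [], image.lower()
    legit = lookalike_name(image)
    if legit:
        findings.append(f"{image} imitates {legit}")
    if low.endswith("wscript.exe") and "vbscript.encode" in cmdline.lower():
        findings.append("wscript.exe running an encoded VBScript payload")
    if low.endswith("mofcomp.exe"):
        args = cmdline.split()[1:]
        if any(not a.lower().endswith(".mof") for a in args):
            findings.append("mofcomp.exe registering a non-.mof file with WMI")
    return findings

# Constructed sample records modelled on the activity described in the post.
SAMPLE_LOG = [
    r"2017-04-01T02:00:10 | C:\Users\admin\Downloads\mstdc.exe | mstdc.exe -o pool.invalid:3333",
    r"2017-04-01T02:00:11 | C:\Users\admin\Downloads\servies.exe | servies.exe -o pool.invalid:3333",
    r"2017-04-01T02:05:42 | C:\Windows\System32\wscript.exe | wscript.exe //E:VBScript.Encode test.zip",
    r"2017-04-01T02:05:50 | C:\Windows\System32\wbem\mofcomp.exe | mofcomp.exe C:\Windows\Temp\iisstt.dat",
    r"2017-04-01T02:06:00 | C:\Windows\System32\services.exe | services.exe",
]
```

Running `triage` over each record flags the first four and returns an empty list for the genuine services.exe; a distance threshold above 1 would start matching unrelated system names against each other.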

With that, our recommendation was first to rebuild the machine if possible. However, with the understanding that this sometimes cannot be done immediately, we recommend implementing the following remediation steps:

1. Password Policies: Reset passwords for all users of the affected host and ensure password policies meet best practices.
2. Defender Scan: Run a full antimalware scan using Microsoft Antimalware or another solution, which can flag potential malware.
3. Software Update Consideration: Ensure the OS and applications are being kept up to date. Azure Security Center can help you identify virtual machines that are missing critical and security OS updates.
4. OS Vulnerabilities & Version: Align your OS configurations with the recommended rules for the most hardened version of the OS. For example, do not allow passwords to be saved. Update the operating system (OS) version for your Cloud Service to the most recent version available for your OS family. Azure Security Center can help you identify OS configurations that do not align with these recommendations as well as Cloud Services running outdated OS versions.