Keeping a Hidden Identity: Mirai C&Cs in Tor Network
We found new samples of Mirai targeting IP cameras and DVRs with exposed ports and default credentials. Like its predecessors, it allows attackers remote access and the use of infected devices to form a botnet for DDoS attacks.
With its notoriety for being one of the most active internet of things (IoT) malware families, Mirai is one malware family system administrators consistently keep their eye on to make sure systems and devices are protected. Despite all the attention that the malware has received, it seems cybercriminals are still continually developing and using this malware.
Barely a month since discovering a new Miori variant, we found another new Mirai sample through our research. Like previous Mirai variants, it allows attackers remote access and control via exposed ports and default credentials in IoT devices such as IP cameras and DVRs, and allows attackers to use infected devices for distributed denial of service (DDoS) attacks via various methods such as User Datagram Protocol (UDP) flood attack. Compared to previous variants, however, we found this sample distinct because the cybercriminals placed the command and control (C&C) server in the Tor network for anonymity. This may be a developing trend among IoT malware developers, given that malicious actors’ C&C servers in the surface web can be reported and taken down — and it's one trend that cybersecurity researchers, enterprises, and users alike may have to start defending against.
Socks5 Protocol and Configuration
While Mirai variants would typically have one to four C&C servers, there were 30 hard-coded IP addresses in the sample. We looked at the communication between it and servers in a closed sandboxed environment. Executing the sample we had, it sent a specific sequence of “05 01 00”, a socks5 protocol initial handshake message. Next we sent the message to the servers and got the socks5 response “05 00” from the majority of the addresses, confirming that they were socks proxies to the Tor network. This was also checked with a Shodan scan as search results showed the socks proxies running on the servers.
Figure 1. A sample of a Shodan scan search result showing socks proxies.
Further analysis revealed the malware selecting a random server from a list as a proxy, beginning the connection with socks5 and queries it to relay packets to a C&C server with the address nd3rwzslqhxibkl7[.]onion:1356 on Tor. If it fails to establish a relay connection, it tries the process with another proxy server. Connecting to the C&C with a Tor proxy in a testing environment, we confirmed this as it returned a login prompt for the attacker, exactly the same prompt as other C&C servers have returned with previous Mirai variants.
Also similar to other Mirai variants, the configuration values were encrypted by XOR with 0x22 (34) and embedded in its binary. When decrypted, we also found an interesting string “LONGNOSE: applet not found”, which can be used to identify this variant’s name.
Infection, Propagation and DDoS command
The sample we had scans for random IP address with TCP ports 9527 and 34567, which are possibly specific to exposed IP cameras and DVRs for remote access and control. Its configuration also includes possible default credentials that can be used to infect other hosts.
Figure 2. Command sent by the sample to port 9527
Figure 3. Information sent by the sample to port 34567
Analyzing the communication protocol that the sample used, we found it typical of previous Mirai variants’ protocols except for the use of the socks5 connection. We also identified a byte sequence indicative of a DDoS command sent from the C&C server via a UDP flood attack on a specific IP address.
Figure 4. Decrypted version of a possible DDoS command from a C&C server
Related samples
Looking for related samples and information elsewhere for comparison, other open sources such as VirusTotal yielded a report of the same hash value from the same URL source, which was an open directory also hosting other samples for other device architectures. Other details from the report also showed another distribution server.
Figure 5. Open directory on the distribution server
Conclusion
We find this particular sample interesting for the attackers’ decision to place the C&C server in Tor, likely to evade tracking of its IP address and avoiding being shut down when reported to domain hosts. This is reminiscent of a reported malware in 2017 called BrickerBot, a malware variant hosted in Tor having Mirai-like techniques. However, BrickerBot was one of the first instances of phlashing or permanent denial of service (PDoS) in an ironic effort to prevent IoT devices from being infected by Mirai, subsequently discontinued after damaging more than 10 million devices.
While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable. Likewise, the server remains running despite discovery, network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted due to other possible legitimate uses for Tor.
The presence of another distribution server and other samples designed for other device architectures possibly implies that these malicious actors intend to apply this operation in a larger scale. However, detection systems with signature and behavior-based mechanisms can still detect and block these malware intrusions.
Users and enterprises are recommended to update their network systems and devices with the latest patches, and to change default credentials with complex passwords and apply multiple authentication systems to prevent unauthorized access. Finally, avoid connecting to insecure networks outside trusted perimeters to limit chances of intrusion via open and publicly available networks.
Trend Micro solutions
Trend Micro Home Network Security provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, Trend Micro Smart Home Network offers intelligent quality of service (iQoS), parental controls, network security, and more.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Indicators of Compromise
| SHA256 | File name | Detection |
| bc56b7aa78b71a3d0bcf5fa14eeeb87eea42b52988b13bee8d3a27baa3370a3a | x86 | Backdoor.Linux.MIRAI.VWIRA |
| eeae01f4717f4d6248ee9e9e6d53d841c648e35259716dfe74cac630e15f1811 | arm, t.arm | |
| 4d46ad4602b486ff7146a14165948f46a70bf41323e6bb619cc2ff08ad02f2ee | mips, t.mips | |
| 7d2f5f5efb4aa8e5dca543734829ac4eb9d89885d7e60aed6af4d35508ded21c | arm7, t.arm7 |
URLs
- nd3rwzslqhxibkl7[.]onion:1356 - C&C server
- hxxp://185[.]100[.]84[.]187/t/ - Disease vector
- hxxp://89[.]248[.]174[.]198/main/ - Disease vector