Mirai evolves and broadens range of CPUs
New samples of the Mirai malware have been found that can target a wider range of embedded processors and architectures within connected devices. Researchers discovered new Mirai samples in February 2019 capable of infecting IoT devices running Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. Variants of Mirai have previously targeted CPU architectures such as ARM and x86. This is not the first time Mirai has expanded to new processor architectures: samples targeting Argonaut RISC Core (ARC) CPUs were discovered in January 2018. The development shows that Mirai's developers continue to broaden their targets to cover a growing array of IoT devices.
The addition of these processors expands the pool of devices that can be compromised and used for malicious activity. Xilinx's MicroBlaze and Altera's Nios II processors are designed specifically for field programmable gate arrays (FPGAs). FPGAs, which let users program hardware circuits to optimize a chip for a particular workload, are used in IoT applications because of their low power consumption. The samples can also infect Tensilica's Xtensa processors, which range from small low-power microcontrollers up to neural network processors, and open-source CPUs based on the OpenRISC project, several of which are also known to run on FPGAs.
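Because the new samples are the same bot cross-compiled for additional ELF targets, a quick way for a defender to triage a captured binary is to read the e_machine field of its ELF header. The script below is an added example, not code from the article or from any research team: the e_machine numbers are those defined in the ELF specification (Linux elf.h), and the sample headers it builds are constructed for demonstration rather than taken from real malware.

```python
import struct

# e_machine values as defined in the ELF specification (Linux elf.h), including
# the four architectures the February 2019 Mirai samples were compiled for.
ELF_MACHINES = {
    3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH", 62: "x86-64",
    45: "ARC", 93: "ARCompact", 195: "ARCv2",
    92: "OpenRISC", 94: "Tensilica Xtensa", 113: "Altera Nios II", 189: "Xilinx MicroBlaze",
}
# Architectures newly added by those samples; flag them for analyst attention.
NEW_MIRAI_TARGETS = {92, 94, 113, 189}

def elf_arch(data: bytes):
    """Return (bits, endianness, machine_name, e_machine) for an ELF blob, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])          # EI_CLASS
    order = {1: "<", 2: ">"}.get(data[5])       # EI_DATA: little- or big-endian
    if bits is None or order is None:
        return None
    # e_type and e_machine are the two 16-bit fields right after e_ident (offset 16).
    _e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    name = ELF_MACHINES.get(e_machine, f"unknown({e_machine})")
    return bits, "LE" if order == "<" else "BE", name, e_machine

def triage(samples: dict) -> dict:
    """Map sample name -> (architecture label, flagged) for a dict of name -> file bytes."""
    result = {}
    for name, data in samples.items():
        info = elf_arch(data)
        if info is None:
            result[name] = ("not an ELF file", False)
            continue
        bits, endian, machine, e_machine = info
        result[name] = (f"ELF{bits} {endian} {machine}", e_machine in NEW_MIRAI_TARGETS)
    return result

def make_elf_header(e_machine: int, bits: int = 32, big_endian: bool = False) -> bytes:
    """Constructed minimal ELF header for demonstration; not a real or working binary."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    return ident + struct.pack((">" if big_endian else "<") + "HH", 2, e_machine)  # ET_EXEC

if __name__ == "__main__":
    constructed = {"bot.nios2": make_elf_header(113), "bot.or1k": make_elf_header(92, big_endian=True),
                   "bot.arm": make_elf_header(40), "readme.txt": b"not a binary"}  # constructed, not malware
    for sample, (label, flagged) in triage(constructed).items():
        print(f"{sample:12} {label:28} {'FLAG' if flagged else ''}")
```

On real files, replace the constructed headers with the first 64 bytes of each captured binary; anything beyond the header is not needed for this check.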
Expanding Mirai-like malware to new architectures will make mitigating botnet activity harder still. Given that the Mirai source code has been public for years now, this was inevitable. DDoS attacks from Mirai-like botnets continue to plague the internet, with some recently reaching nearly 40 Gbps.
The latest samples were being hosted in an open directory on a single IP address, alongside exploits known to have been used by previous versions of Mirai: a ThinkPHP remote code execution flaw, a D-Link DSL2750B OS command injection and a Netgear remote code execution bug. The presence of the same exploits in both earlier Mirai versions and the newly discovered samples suggests that the same hacker or group of hackers is involved.
Mirai gained notoriety in 2016, when a massive DDoS attack launched from more than 300,000 compromised IoT devices took down major websites. Variants of Mirai continue to appear as attackers tap into the growing number of vulnerable Internet of Things devices. In September, researchers discovered new variants of the Mirai and Gafgyt IoT botnets targeting vulnerabilities in Apache Struts and SonicWall. In March, researchers found a new Mirai variant targeting TV and presentation systems used by enterprises.