Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining

The Mirai botnet that made headlines in 2016 for taking out infrastructure through large-scale network attacks has become a reference point in the security industry for the damage that large IoT botnets can inflict. Since its source code was published and made available to anyone interested in building their own botnet, many Mirai variants have shown up, each packing unique features. While most are used for disruptive purposes, others seem to use the collective power of compromised devices to mine for cryptocurrency.

Bitdefender researchers tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features.

Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

LiquorBot appears to use the same command and control server as a Mirai-related variant, and the two have even featured together in dropper scripts, meaning attackers used both LiquorBot and the Mirai variant in various campaigns.

The LiquorBot IoT botnet was identified using Bitdefender’s deceptive technologies, when the first LiquorBot samples infected our honeypots in May 2019. Since then, Bitdefender security researchers have tracked the development of the main package, as well as all its other versions associated with feature updates and upgrades.

Key Findings

  • Re-implementation of Mirai written in Go
  • Cross-compiled to several architectures (ARM, ARM64, x86, x64, MIPS)
  • Incorporates cryptocurrency-mining features
  • Propagation through SSH brute-forcing and exploitation of unpatched vulnerabilities in select router models
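The SSH brute-forcing named in the last finding is the propagation step a defender is most likely to see first, in the form of bursts of failed logins against exposed devices. The following Go program is an added example written for this article, not code from Bitdefender or from the LiquorBot samples: it parses syslog-style sshd lines, groups failed password attempts by source address and flags any source that exceeds a threshold of failures inside a sliding time window. The log lines, host name, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the ten-minute window and the threshold of five are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sample sshd log lines (not taken from the original post).
// 203.0.113.5 hammers the host within seconds; 203.0.113.9 fails slowly
// over hours; 198.51.100.7 is a user who mistyped once and then succeeded.
var sampleAuthLog = []string{
	"Dec 10 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
	"Dec 10 10:00:02 gw sshd[1202]: Failed password for admin from 203.0.113.5 port 51235 ssh2",
	"Dec 10 10:00:03 gw sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2",
	"Dec 10 10:00:04 gw sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2",
	"Dec 10 10:00:05 gw sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
	"Dec 10 10:00:06 gw sshd[1206]: Failed password for root from 203.0.113.5 port 51239 ssh2",
	"Dec 10 10:00:30 gw sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
	"Dec 10 10:05:00 gw sshd[1208]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2",
	"Dec 10 11:00:00 gw sshd[1209]: Failed password for root from 203.0.113.9 port 60000 ssh2",
	"Dec 10 11:40:00 gw sshd[1210]: Failed password for root from 203.0.113.9 port 60001 ssh2",
	"Dec 10 12:20:00 gw sshd[1211]: Failed password for root from 203.0.113.9 port 60002 ssh2",
	"Dec 10 13:00:00 gw sshd[1212]: Failed password for root from 203.0.113.9 port 60003 ssh2",
}

// FailedLogin is one rejected password authentication extracted from a log line.
type FailedLogin struct {
	When   time.Time
	User   string
	Source string
}

// failedRe matches the "Failed password" line OpenSSH logs, with or without the
// "invalid user" marker used for accounts that do not exist on the host.
var failedRe = regexp.MustCompile(
	`^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// parseFailedLogin returns the failed login described by line, or false when
// the line is not a failed password attempt (e.g. an accepted login).
func parseFailedLogin(line string) (FailedLogin, bool) {
	m := failedRe.FindStringSubmatch(line)
	if m == nil {
		return FailedLogin{}, false
	}
	// Syslog timestamps carry no year; the zero year is fine for relative ordering.
	when, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return FailedLogin{}, false
	}
	return FailedLogin{When: when, User: m[2], Source: m[3]}, true
}

// detectBruteForce returns, for every source address whose failed logins reach
// threshold within any window-sized interval, the peak number of failures seen
// in such an interval. Sources below the threshold are omitted.
func detectBruteForce(lines []string, window time.Duration, threshold int) map[string]int {
	bySource := map[string][]time.Time{}
	for _, line := range lines {
		if fl, ok := parseFailedLogin(line); ok {
			bySource[fl.Source] = append(bySource[fl.Source], fl.When)
		}
	}
	flagged := map[string]int{}
	for src, ts := range bySource {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		// Two-pointer sliding window: start advances until the span fits in window.
		peak, start := 0, 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > peak {
				peak = n
			}
		}
		if peak >= threshold {
			flagged[src] = peak
		}
	}
	return flagged
}

func main() {
	for src, n := range detectBruteForce(sampleAuthLog, 10*time.Minute, 5) {
		fmt.Printf("possible SSH brute force from %s: %d failures within 10m\n", src, n)
	}
}
```

The sliding window matters more than the raw count: the slow source in the sample makes four failures but never five inside ten minutes, so it is not reported, while the burst source is. In practice the same grouping is what tools such as fail2ban act on, and the emitted source address is what you would feed to a firewall rule or a SIEM correlation search; the thresholds here are starting points, not tuned values.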

Timeline

The following table (Fig. 1) follows the evolution of the botnet, listing SHA-1 hashes, the development path of the main package and the date each version was first seen in our honeypot telemetry. Though each version has samples…
