Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining

Mirai botnet that made headlines in 2016 for taking out infrastructure through
large-scale network attacks has become a reference point in the security
industry for the damage that large IoT botnets can inflict. Since its source
code was published and made available to anyone interested in building their
own botnet, many Mirai variants have shown up, each packing unique features.
While most are used for disruptive purposes, others seem to use the collective
power of compromised devices to mine for cryptocurrency.

researchers tracked the development of a Mirai-inspired botnet, dubbed
LiquorBot, which seems to be actively in development and has recently
incorporated Monero cryptocurrency mining features.

LiquorBot is written in Go (also known as Golang), which offers some
programming advantages over traditional C-style code, such as memory safety,
garbage collection, structural typing, and even CSP-style concurrency.

appears to use the same command and control server as a Mirai-related variant,
and they have even featured together in dropper scripts, meaning attackers used
both LiquorBot and the Mirai variant in various campaigns.

LiquorBot IoT botnet was identified using Bitdefender’s deceptive technologies,
when the first LiquorBot samples infected our honeypots in May 2019. Since
then, Bitdefender security researchers tracked the development of the main
package, as well as all its other versions associated with feature updates and

Key Findings

  • Re-implementation
    of Mirai written in Go
  • Cross-compiled
    to several architectures (ARM, ARM64, x86, x64, MIPS)
  • Incorporates cryptocurrency-mining
  • Propagation
    through SSH brute-forcing and exploitation of unpatched vulnerabilities in
    select router models


The following table (Fig. 1) follows the evolution of the botnet, listing SHA-1 hashes, the development path of the main package and the date they were first seen by our honeypots telemetry. Though each version has samples…

Source Link