
New Mirai botnet variant uses modified encryption and new attack method to target new processors

  • The newly discovered Mirai sample targets Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.
  • Researchers believe that the new Mirai variant has been around since November 2018.

A new variant of the Mirai botnet that targets new processors has been discovered recently. The new sample has evolved to include a modified version of the XOR encryption algorithm and a new type of DDoS attack method.

What’s the matter - Unit 42 researchers have found that the newly discovered Mirai sample has been compiled to target Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.

“This is not the first time Mirai has been expanded for new processor architectures, samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that Mirai developers continue to actively innovate, targeting a growing array of IoT devices. The malware gained notoriety in 2016 for its use in massive denial of service attacks on Dyn and the website of security blogger Brian Krebs,” the researchers explained.

What’s new - The new sample contains the following new features:

  • Encryption algorithm: It uses eleven 8-byte keys in a modified version of the standard byte-wise XOR used in the original Mirai source code.
  • New Attack Method: It includes the SYN flood attack, which is a type of DDoS attack.
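An added example (not from the original article or from Unit 42) of what layered byte-wise XOR means for an analyst: however many keys are chained, they collapse to one effective byte that a known-plaintext crib recovers. It assumes the variant applies every key byte to every data byte, as the original Mirai `table.c` does; the eleven keys and the table entry below are constructed, not taken from the sample.

```python
from functools import reduce

# Key from the public Mirai source (table.c: table_key = 0xdeadbeef).
ORIGINAL_KEY = bytes.fromhex("deadbeef")

# Constructed stand-ins for the variant's eleven 8-byte keys (NOT real values).
CONSTRUCTED_KEYS = [bytes((17 * i + 3 * j + 1) & 0xFF for j in range(8))
                    for i in range(11)]


def layered_xor(data, keys):
    """Reference form: XOR every key byte, layer by layer, into every data byte.
    The operation is its own inverse, so it both obfuscates and deobfuscates."""
    out = bytearray(data)
    for key in keys:
        for k in key:
            for i in range(len(out)):
                out[i] ^= k
    return bytes(out)


def effective_byte(keys):
    """Collapse all layers into the single byte they are equivalent to."""
    return reduce(lambda acc, b: acc ^ b, b"".join(keys), 0)


def recover_key(blob, crib):
    """Try all 256 single-byte keys; keep those whose output contains the crib."""
    return [k for k in range(256) if crib in bytes(b ^ k for b in blob)]


if __name__ == "__main__":
    entry = b"/proc/net/tcp\x00"  # constructed table entry
    blob = layered_xor(entry, CONSTRUCTED_KEYS)
    print("original Mirai effective key:", hex(effective_byte([ORIGINAL_KEY])))
    print("constructed variant effective key:", hex(effective_byte(CONSTRUCTED_KEYS)))
    print("keys recovered from crib:", [hex(k) for k in recover_key(blob, b"/proc/")])
```

Under that assumption, adding keys changes the constant an unpacking script needs but not the work required to find it, so existing single-byte XOR string extractors only need their key updated.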

Given the type of features included in the new sample, researchers believe that the new Mirai variant has been around since November 2018.

The bottom line - Because the Mirai source code is openly available, it is highly likely that attackers can create a large number of variants to infect a wide range of embedded devices.

Cyware Publisher
