Wicked botnet: Another Mirai variant targets connected devices

Fortinet researchers uncovered a new variant of the Mirai malware, known as the Wicked botnet, which targets vulnerable IoT devices and uses multiple existing exploits.

Researchers have uncovered another variant of the Mirai botnet, but this one is different from earlier spinoffs.

The Wicked botnet -- so called by its author, who uses the same pseudonym -- uses at least three exploits to target unpatched IoT devices. Rommel Joven and Kenny Yang, researchers for FortiGuard Labs at Fortinet, based in Sunnyvale, Calif., discovered the Wicked botnet and analyzed its similarities to other known botnets.

"The original Mirai used traditional brute-force attempts to gain access to IoT devices," Joven and Yang explained in their analysis. "The Wicked bot, on the other hand, uses known and available exploits, with many of them already being quite old."

The Wicked botnet scans ports 8080, 8443, 80 and 81, the researchers said, and it will try to exploit the device once a connection is established. Which exploit is used depends on the port on which the connection was established, since each exploit is tied to a specific type of device, the FortiGuard team said.
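Detection logic for the scanning pattern described above, as an added example that is not from the Fortinet analysis or this article: it flags any source address that probes at least three of the four listed ports within a short window, run over constructed iptables-style log lines (the log format, the three-port threshold and the 60-second window are assumptions, not values from the research).

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the article reports the Wicked bot scanning.
WICKED_PORTS = {80, 81, 8080, 8443}

# Constructed sample firewall log lines (iptables-style); not real captures.
SAMPLE_LOG = """\
May 17 10:00:01 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
May 17 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=8443 SYN
May 17 10:00:02 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP DPT=80 SYN
May 17 10:00:03 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP DPT=81 SYN
May 17 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
May 17 10:00:09 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Return a list of (timestamp, src_ip, dst_port) for lines in the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not connection records
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events


def find_port_sweeps(events, window_seconds=60, min_ports=3):
    """Map src_ip -> sorted Wicked ports for sources that touched at least
    min_ports distinct Wicked ports inside any window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        if port in WICKED_PORTS:  # ignore traffic to ports the bot does not scan
            by_src[src].append((ts, port))
    hits = {}
    for src, seen in by_src.items():
        seen.sort()  # chronological order so a window can start at each event
        for i, (start, _) in enumerate(seen):
            in_window = {p for t, p in seen[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_ports:
                hits[src] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    print(find_port_sweeps(parse_events(SAMPLE_LOG)))
```

Only the first source is flagged: the second touches a single Wicked port, and its probe of 443 is outside the watched set.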

The targeted devices include flawed Netgear routers -- some of which were also used by the Reaper botnet -- and closed-circuit video cameras that have a remote code execution flaw. One exploit doesn't target a device, but instead targets compromised web servers with malicious invoker shells that are already installed.

Joven and Yang also noted that the Wicked botnet is connected to previous variants of Mirai, including Owari, Sora and Omni.

"After a successful exploit, this bot then downloads its payload from a malicious website," they explained in the blog post. "This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot. However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot."

The Wicked botnet's connection to Owari, Sora and Omni is how the FortiGuard team connected the dots to find the author of the botnets. In 2017, NewSky Security published an interview with the author of the Sora, Owari and Omni bots, who goes by the pseudonym Wicked, which led FortiGuard to make the connection to the new botnet.

"Based on the author's statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari and Omni are one and the same," Joven and Yang said. "This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects."

The Mirai botnet and its variants have affected hundreds of thousands of internet-connected devices since Mirai first appeared in 2016 and its source code was subsequently leaked. Mirai and its variants have amassed botnets of thousands of poorly secured connected devices, which have been used to launch potent distributed denial-of-service attacks against enterprises.
