Wicked – A New Variant of Mirai Botnet Spotted


Security researchers from Fortinet have discovered a new variant of the Mirai botnet, named Wicked, which adds at least three new exploits compared with the earlier version.

Mirai botnet variants usually consist of three modules: Attack, Killer, and Scanner. The original Mirai used brute-force attacks to gain access to IoT devices, whereas Wicked uses known, publicly available exploits.

The Wicked bot scans ports 8080, 8443, 80, and 81 by initiating a raw-socket SYN connection to the victim's device.

Once the connection is established, the bot attempts to exploit the target device and download the payload.

Below is the list of target ports and devices for the Wicked botnet:

Port 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)

Port 81: CCTV-DVR Remote Code Execution

Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)

Port 80: Invoker shell in compromised web servers.
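As an added example (not from the Fortinet write-up or this article), the following Python detection logic flags sources whose unanswered SYNs hit the port set Wicked probes (80, 81, 8080, 8443) across many distinct destinations. The simplified conn-log format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
"""Flag hosts SYN-scanning the port set Wicked probes (80, 81, 8080, 8443).
Added example, not part of the article. Assumed, constructed log format:
ts src_ip dst_ip dst_port conn_state, where "S0" = SYN sent, no reply."""
from collections import defaultdict

WICKED_PORTS = {80, 81, 8080, 8443}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1526900001 10.0.0.5 192.168.1.10 8080 S0
1526900001 10.0.0.5 192.168.1.11 8443 S0
1526900002 10.0.0.5 192.168.1.12 81 S0
1526900002 10.0.0.5 192.168.1.13 80 S0
1526900003 10.0.0.5 192.168.1.14 8080 S0
1526900003 10.0.0.5 192.168.1.15 81 S0
1526900004 10.0.0.7 192.168.1.20 443 SF
1526900005 10.0.0.7 192.168.1.20 80 SF
1526900006 10.0.0.9 192.168.1.30 8080 S0
"""

def parse_conn_lines(text):
    """Yield (src, dst, port, state) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, src, dst, port, state = fields
        try:
            yield src, dst, int(port), state
        except ValueError:
            continue

def find_wicked_scanners(text, min_targets=5, min_ports=3):
    """Return {src: sorted ports} for sources whose unanswered SYNs (S0)
    reach >= min_targets distinct hosts on >= min_ports of WICKED_PORTS.
    Thresholds are tunable assumptions, not values from the article."""
    targets, ports = defaultdict(set), defaultdict(set)
    for src, dst, port, state in parse_conn_lines(text):
        if state != "S0" or port not in WICKED_PORTS:
            continue
        targets[src].add(dst)
        ports[src].add(port)
    return {src: sorted(ports[src]) for src in targets
            if len(targets[src]) >= min_targets and len(ports[src]) >= min_ports}

if __name__ == "__main__":
    for src, hit in find_wicked_scanners(SAMPLE_LOG).items():
        print(f"possible Wicked-style scanner {src}: ports {hit}")
```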

During analysis, researchers discovered the string SoraLOADER, which suggested Wicked might be attempting to distribute the Sora botnet, but they later found that the bot connected to a malicious website to download the Owari Mirai botnet.

“After a successful exploit, this bot then downloads its payload from a malicious website, in this case, hxxp://{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot. However, at the time of analysis, the Owari bot samples could no longer be found in the website directory.”

Researchers confirmed that the website had previously distributed the Owari botnet, although they could not find any samples; the samples had been replaced by another botnet named Omni.

Analysing the Omni samples in the directory, researchers discovered they were delivered using the GPON vulnerability (CVE-2018-10561). While searching for the connection between the Wicked, Sora, Owari, and Omni botnets, they found an interview with a security researcher who is believed to be the author of the Sora and Owari botnet variants. The author, who goes by the online handle "Wicked", said that he had abandoned the Sora botnet and would continue work on Owari.

Based on their findings and analysis, Fortinet researchers believe the author has abandoned both the Sora and Owari botnets and is currently working on the Omni botnet.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet researchers said in their post.

The Mirai botnet was first spotted in 2016, when it caused a massive DDoS attack, and in October 2016 the Mirai source code was leaked online. Since then, various Mirai variants have been observed in the wild, such as Satori, Okiru, and OMG.
