Security researchers have found a new variant of the infamous Mirai botnet that is designed to turn vulnerable IoT devices into proxy servers for various nefarious activities. According to FortiGuard Labs researchers, the botnet dubbed "OMG" is based on the OOMGA string found in some parts of the malware's source code where the name "Mirai" used to appear.
In 2016, the original Mirai botnet was used to take over hundreds of thousands of IoT devices worldwide and hit DNS provider Dyn with a massive distributed denial of service (DDoS) attack, taking down a large swathe of the internet in the process.
Since the developers behind Mirai publicly released the malware's source code later that year, numerous hackers have since tweaked it to create their own modified scripts for various illegal activities.
"Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape," the researchers wrote in a blog post. "These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures."
Mirai OMG adds and removes some configurations that were found in the original Mirai code, but still includes the original modules including the attack, killer and scanner modules.
Therefore, OMG can perform several functions that the original Mirai could such as killing processes, brute-forcing devices with weak passwords to spread and carrying out DoS attacks.
Once the IoT device is infected, the malware attempts to establish contact with the C&C server and sends a defined data message once connected identifying the new compromised device as a new bot. The server then analyses the data message and instructs the malware to perform one of three functions - turn the device into a proxy server, launch a DDoS attack through the bot or terminate the connection.
The Fortinet researchers believe the threat actors behind this new variant are likely selling access to the compromised servers to other cybercriminals.
"Cybercriminals use proxies to add anonymity when doing various dirty work such as cyber theft, hacking into a system, etc," researchers noted. One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals. This is what we think the motivation is behind this latest Mirai-based bot."
While the original Mirai was designed to carry out powerful DDoS attacks, the researchers note that many of the modifications made by hackers to the original code have been intended to illegally earn money.
"Later modifications were used to target vulnerable ETH mining rigs to mine cryptocurrency," researchers said. "This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetisation."