Criminals have added code to Mirai, the malware that targets IoT devices, to make infected devices mine bitcoins.
IT security researchers have discovered a module added to the Mirai malware that forces infected IoT devices to mine bitcoins.
According to a blog post by the IBM X-Force team, a threat intelligence research group at the company, the module was active for around a week at the end of March, leading researchers to speculate that the whole exercise was an experiment. The module was part of an archive of files containing a Mirai dropper, a bitcoin miner slave, a Linux shell and Dofloo backdoor.
The Bitcoin mining variant was designed to infect 64-bit BusyBox-based IoT devices. BusyBox provides several stripped-down Unix tools in a single executable file and is often used, for example, in digital video recording (DVR) servers. BusyBox-based devices use Telnet, a network protocol for remote access, which Mirai targets with the dictionary-attack brute-force tool it contains. DVR servers are targeted because many use default Telnet credentials.
A problem of power?
But according to Dave McMillen, senior threat researcher at IBM Managed Security Services, a lone IoT device may not be that effective at mining bitcoins in any case. Mining bitcoins, he points out, is a CPU-intensive activity. That makes it highly likely, he says, that a bitcoin miner running on a simple IoT device “lacks the power to create many bitcoins, if any at all.”
But, given Mirai’s power to infect thousands of machines at a time, “there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium,” he continues.
“We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” he said.
Botnet Bitcoin bonanza?
McMillen writes that addressing the IoT botnet phenomenon is going to require all stakeholders to take steps to secure these devices: “This includes home and enterprise users as well as manufacturers.”
Michael Salat, threat intelligence director at IT security company Avast, told Internet of Business that cyber-criminals are constantly trying to stay one step ahead of the good guys.
“This latest instance of Mirai is just the newest evolution of cyber-criminals experimenting with how they can compromise IoT devices for financial gain,” he said.
“Due to [their] anonymity, cryptocurrencies such as Bitcoin can be the lifeblood of cyber-crime activity, so it’s concerning to see that some cyber-criminals may have found a way to fund their activities by mining our connected devices.”