Mirai is an IoT botnet (or thingbot) that F5 has discussed since 2016. It infamously took down large sections of the Internet in late 2016 and has remained active ever since. Its source code was released online in September 2016, allowing unskilled attackers to create a malicious botnet with relative ease. Mirai continues to target IoT devices using the same tactics as before to attack and harness the collective power of millions of unprotected devices to launch DDoS attacks. It does not usually spread through traditional phishing attempts but acts as a self-propagating worm that searches for and attacks vulnerable servers. Although small changes have been made to this malware, malicious actors now appear to have taken advantage of public interest in the coronavirus (COVID-19) by naming their latest variant file covid. This sample, which is detailed below, is publicly available.
This name change continues a trend in which malware or malicious tactics, techniques, and procedures (TTPs) are renamed or “reskinned” but leave the core functionality basically the same. For this reason, it’s just as important now as it was before the pandemic for enterprises and individuals to remain vigilant in protecting their systems.
About the COVID Variant
When F5 researchers analyzed this new Mirai variant, it appeared that the authors had neither rewritten the malware nor created new exploits. The sample was spotted under two different hashes that multiple antivirus engines detected and identified. Both files are named covid but carry different file extensions. For a table of the indicators of compromise (IoCs) for this sample, see the COVID-19 Fails to Slow Down Hackers section of this article.
Threat monitoring tools show that the IP address hosting this malware belongs to Hostwinds. The host is currently still active, and its Whois information is hidden. Those seeking to perform additional analysis can use the following path to find the sample:
As with other Mirai samples, this variant’s inner content is XOR-encoded. We found that it uses 0x54, the same encoding key as many other Mirai samples. This led us to assume that, even though this is a fresh sample in the wild, it is not unique—it may have been named covid only because that’s trending right now.
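As an added illustration of the single-byte XOR encoding described above (example code written for this page, not code from the F5 article or from the sample itself), the following decodes a Mirai-style string table with the 0x54 key and also brute-forces the key when it is unknown, which is the usual first step when triaging a new variant. The string table is a constructed stand-in, not bytes from the covid binary.

```python
# Added example (not from the F5 article): decode a Mirai-style XOR-obfuscated
# string table with the single-byte key 0x54 observed in this sample, and recover
# an unknown single-byte key by scoring every candidate decoding.
import string

XOR_KEY = 0x54  # key reported for this sample and many other Mirai builds

def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

# Bytes we expect in decoded Mirai config strings (paths, credentials, hostnames)
# plus NUL, which terminates each table entry. Deliberately narrow, so a wrong key
# that merely flips letter case or lands on odd punctuation scores lower.
_EXPECTED = set((string.ascii_letters + string.digits + " /.:-_").encode()) | {0}

def plausibility(data: bytes) -> float:
    """Fraction of bytes that look like config-string bytes (0.0 for empty input)."""
    return sum(b in _EXPECTED for b in data) / len(data) if data else 0.0

def recover_single_byte_key(blob: bytes) -> tuple[int, float]:
    """Try all 256 single-byte keys and return (best_key, score)."""
    return max(((k, plausibility(xor_decode(blob, k))) for k in range(256)),
               key=lambda kv: kv[1])

def decoded_strings(blob: bytes, key: int, min_len: int = 4) -> list[str]:
    """Decode the table and return its NUL-separated printable entries."""
    out = []
    for entry in xor_decode(blob, key).split(b"\x00"):
        if len(entry) >= min_len and all(chr(c) in string.printable for c in entry):
            out.append(entry.decode("ascii"))
    return out

# Constructed sample table (not taken from the binary): three NUL-terminated
# entries, encoded with the sample's key so the functions above can be exercised.
SAMPLE_TABLE = xor_decode(b"/bin/busybox\x00admin\x00password\x00", XOR_KEY)

if __name__ == "__main__":
    key, score = recover_single_byte_key(SAMPLE_TABLE)
    print(f"recovered key 0x{key:02x} (score {score:.2f})")
    print(decoded_strings(SAMPLE_TABLE, key))
```

On a real table the scorer should be run over the whole blob rather than one entry, since a short entry can be explained by more than one key.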
In this sample, we found a range of targets that we’ve seen before. One is TeamSpeak, a voice communications app that gamers commonly use (see Figure 2). The other target is a Huawei router module (see Figure 3). These targets appear to be consistent with previous Mirai targets we’ve written about; TeamSpeak has been a target since our October 2018 Hunt for IoT article.
The following figure shows the targeting information from the TeamSpeak sample: