IBM Discovers Mirai IoT Botnet Deploying Bitcoin Mining Payload

IBM Security researchers discover a variant of the Mirai IoT botnet that was doing more than just performing DDoS attacks against targets.

The Mirai internet of things (IoT) botnet, whose first attacks were largely just distributed denial-of-service (DDoS) ones, has also been active installing Bitcoin mining code on some victims, according to new research from IBM Security.

Mirai became publicly known in late 2016 thanks to a series of attacks that included one on DynDNS that slowed traffic for much of the East Coast of the U.S. It is made up of vulnerable IoT devices that have been co-opted into the botnet that are then directed to attack whatever site the Mirai command and control nodes target. IBM Security has been tracking a variant of Mirai, first discovered in August 2016 and known as the ELF Linux/Mirai variant. IBM found that the ELF Linux/Mirai botnet, rather than just attacking sites with DDoS attacks, was briefly active installing Bitcoin mining code onto botnet hosts.

New Bitcoins are created by way of a compute-intensive process known as mining. The idea behind deploying Bitcoin mining code across the ELF Linux/Mirai botnet was to create a distributed Bitcoin mining operation.

IBM X-Force security researchers found that the Bitcoin miner attack first started on March 20, hitting a peak on March 25. By March 28, the ELF Linux Mirai Bitcoin attack had subsided, with little traffic reported by IBM.

"We did not find any evidence to indicate why this attack was short-lived; however, seeing campaigns with a short life cycle such as this is common," David McMillen, senior threat researcher at IBM Security Services, told eWEEK. "We haven't seen activity since March 27. However, that isn't to say we won't see more activity in the future."

The attack was a multistage process, with Mirai first exploiting the victim system, according to McMillen. The Bitcoin miner was a second-stage infection, he said, as the Bitcoin client was not embedded into the Mirai malware itself. Rather, the Bitcoin miner was part of an archive of files that contained a Mirai dropper, a Dofloo backdoor, a Linux shell and a Bitcoin miner slave.

While Bitcoin mining can be a very CPU-intensive activity, it can be lucrative. It's not clear whether the Mirai botnet was able to actually mine any Bitcoins as part of the attack.

"We do not have any insight into whether or not Bitcoins were actually mined during these attacks," McMillen said. "The activity seen was attempted attacks against IBM X-Force monitored clients."

It's also not entirely clear who is behind the Mirai bitcoin attack. McMillen, however, said he could confirm that the majority of the attack activity came from the Asia-Pacific region and the language interface does suggest that the attack could have originated from a Chinese-language source. Also not clear is whether the attack was directed by a single group or campaign.

"There were 51 separate hosts involved in the attacks, but it is not known whether or not this is the action of one actor group or many," McMillen said. "It very well could just be an add-on, as we know it's not built into the actual Mirai code."  

Given the insecurity of many IoT devices that are connected to the public internet today, there could well be other interesting Mirai attacks discovered over time.

"We aren't currently tracking any other Mirai-based campaigns of this nature. However, we expect to see additional capabilities added to Mirai in future attacks as cyber-criminals continue to innovate and expand their malware arsenal," McMillen said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.