Mirai IoT Malware Variant Abuses Linux Cross-Compilation Framework

Researchers have found a malware program based on Mirai that has binaries for many platforms and CPU architectures, allowing it to run even on Linux servers or Android phones.

The difficulty of compiling malware that works out of the box on the large variety of architectures and Linux-based systems used in the internet of things (IoT) ecosystem previously was a limiting factor for IoT malware development.

However, it seems that’s no longer the case, as attackers have discovered legitimate tools that make cross-compilation easy and automated. This behavior was observed recently with a Mirai variant analyzed by researchers from Symantec.

Last month, Dinesh Venkatesan, a principal threat analysis engineer at Symantec, came across an infected Linux server that contained multiple binaries for the same Mirai-based malware program. Those binaries had been built for different CPU architectures: x86, MIPS, MIPSel, ARMv4, ARMv5, ARMv6, ARMv7, PowerPC, Motorola 68000, ARC and SH-4.

Additional analysis revealed that the malware deployment involved running a simple shell script that downloaded and executed each of those binaries until it found one that worked on the targeted system. Once the binary ran, it created a list of random IP addresses and started probing them for devices with weak credentials or known vulnerabilities.

“While this is similar behavior to the Mirai variants we’ve seen so far, what makes it interesting is the compiled binary,” Venkatesan said in a blog post. “These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof.”

Aboriginal Linux is an open source project that provides virtual Linux images with standard toolsets for different CPU architectures that QEMU is able to virtualize. This allows developers to easily compile their binaries for different platforms and the project even provides a cross-compiler that can run on the host system to build packages.

“It should be noted that there is nothing malicious or wrong with this open source project; the malware authors are once again leveraging legitimate tools to supplement their creations, this time with an effective cross compilation solution,” Venkatesan said.

Several years ago, Mirai was the most widespread IoT malware, having enslaved hundreds of thousands of routers, IP cameras and other devices. It was also responsible for the first ever DDoS attacks that exceeded 1Tbps. The malware’s source code has since been leaked online and served as the building block for many other IoT threats, including the one recently analyzed by Symantec.

Iranian Hackers Continue to Attack Universities Despite Indictment

Security researchers have uncovered a new phishing campaign launched by an Iran-based hacker group that targets universities from around the world.

The group, tracked as COBALT DICKENS, is the same one whose members were indicted earlier this year by the U.S. Department of Justice for stealing 31.5TB of academic data from hundreds of U.S. and foreign universities.

The hackers are associated with an Iranian commercial entity called the Mabna Institute that’s believed to engage in cyberespionage on behalf of the Iranian government. The group uses phishing to steal credentials from university employees that are then used to copy academic journals, theses, dissertations, electronic books, intellectual property, emails and other confidential documents and files.

Researchers from SecureWorks recently came across 16 domains that were registered by COBALT DICKENS between May and August and which contained more than 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom and the United States.

“After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again,” the SecureWorks researchers said in a blog post. “Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources.”

These attacks highlight the need for educational institutions to implement multi-factor authentication schemes and to train their employees on how to spot phishing emails and spoofed login pages.

XSS Flaw Fixed in Apache ActiveMQ

A cross-site scripting (XSS) vulnerability was patched in Apache ActiveMQ, a popular open source message broker used by other applications to exchange data using several protocols.

The flaw was discovered by researchers from Trustwave and can be exploited by injecting encoded scripts into the “QueueFilter” parameter in ActiveMQ URIs. The malicious scripts would then execute on any client that accesses such a malformed URL.

“Despite being one of the most common website bugs, XSS often goes underestimated and unaddressed,” the Trustwave researchers said via email. “This is often because XSS doesn’t affect the web server itself. Instead only the clients, the web browsers, visiting the website are affected, which you would think would be just as big a concern.”

XSS can be easy to weaponize into real attacks and there are open source frameworks, such as the Browser Exploitation Framework (BeEF), that simplify the process for attackers, the researchers warned.

Companies that run ActiveMQ in their environments are advised to upgrade their installations to version 5.15.5, which was released earlier this month. The security page of the ActiveMQ project does not yet contain a security advisory for this issue.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)