Overview

Mirai is a botnet malware variant that compromises smart devices running on ARC processors, with the aim of building a network of bot machines to carry out distributed denial-of-service (DDoS) attacks [1]. Mirai scans the internet for Internet of Things (IoT) devices that run on ARC processors. The malware can establish a foothold on a target system if the username and password combination has not been changed from its default. Mirai initially infected and weaponised devices such as smart cameras and Realtek routers.

The botnet variant was created in a racketeering attempt by the cofounders of Protraf Solutions, an organisation offering DDoS mitigation services. The creators of Mirai originally leased out the botnet for DDoS attacks as well as ‘click fraud’ attacks. The source code of Mirai was subsequently released into the wild; since then the code has constantly mutated, leading to more advanced botnet strains such as Okiru, Satori, Masuta and PureMasuta. These variants operate across the botnet model spectrum: centralised botnets, tiered C&Cs and decentralised botnets.

In April 2023, the Mirai Botnet malware was detected actively exploiting a vulnerability in the TP-Link Archer A21 (AX1800) WiFi router.
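
The scan-and-log-in behaviour described in this overview leaves a pattern in device login records: one source trying many devices in a short time, then succeeding where credentials were never changed. The following detection sketch is an added example, not part of the original report; the log format, device names, addresses and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: login events collected from several IoT devices.
# Assumed format: ISO time, device, source IP, username, result
SAMPLE_LOG = """\
2023-04-25T10:00:01 cam-01 203.0.113.7 root FAIL
2023-04-25T10:00:02 cam-02 203.0.113.7 admin FAIL
2023-04-25T10:00:03 router-01 203.0.113.7 admin OK
2023-04-25T10:00:04 cam-03 203.0.113.7 root FAIL
2023-04-25T10:05:00 cam-01 192.0.2.10 operator OK
2023-04-25T11:30:00 router-01 198.51.100.4 admin FAIL
2023-04-25T11:30:09 router-01 198.51.100.4 admin OK
"""

def parse(log):
    """Yield (time, device, source, user, ok) tuples from the assumed format."""
    for line in log.splitlines():
        ts, device, src, user, result = line.split()
        yield datetime.fromisoformat(ts), device, src, user, result == "OK"

def find_scanners(events, min_devices=3, window=timedelta(seconds=60)):
    """Sources that try logins on >= min_devices distinct devices within window."""
    by_src = defaultdict(list)
    for ts, device, src, _user, _ok in events:
        by_src[src].append((ts, device))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({d for _, d in hits[start:end + 1]}) >= min_devices:
                scanners.add(src)
                break
    return scanners

def likely_compromised(events, scanners):
    """(device, user) pairs where a flagged scanning source logged in successfully."""
    return sorted({(device, user) for _ts, device, src, user, ok in events
                   if ok and src in scanners})

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    scanners = find_scanners(events)
    print("scanning sources:", sorted(scanners))
    print("isolate and re-credential:", likely_compromised(events, scanners))
```

A successful login from a flagged source marks the device as one to isolate, reset and give new credentials; the single-device retry from 198.51.100.4 in the sample is deliberately not flagged.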

Impact

The Mirai Botnet malware is particularly dangerous due to its ability to carry out DDoS attacks, which can prove difficult to remediate. Furthermore, IoT botnets have been documented to have implemented the following additional infection vectors on target systems:

• Denying service to legitimate traffic of Internet Service Providers
• Sending spam email
• Launching DDoS attacks to compromise websites and APIs
• Performing click fraud attacks
• Disabling anti-virus software
• Solving weak CAPTCHA challenges on websites in order to imitate human behaviour during logins
• Stealing credit card information
• Holding companies to ransom with threats of DDoS attacks

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Dubai, UAE Office

Meydan Grandstand
6th floor
Meydan Road
Nad Al Sheba
Dubai, U.A.E

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
