A version of Mirai, called IZ1H9, has become the dominant variant of the dreaded botnet, infecting countless Linux devices and using them for different nefarious purposes.
Unit 42, the cybersecurity arm of Palo Alto Networks, has been tracking IZ1H9 since August 2018; its researchers revealed that since November 2021, a single threat actor has been actively deploying the variant.
The campaign was only spotted in mid-April this year, and among other things, the threat actor was targeting endpoints that are already infected with Mirai, wiping earlier iterations so that only IZ1H9 remains.
“The malware also contains a function that ensures the device is running only one instance of this malware. If a botnet process already exists, the botnet client will terminate the current process and start a new one,” the researchers explained. The malware comes with a list of processes belonging not just to other botnet families, but also to other variants of Mirai. If it finds these processes running on the device, it will terminate them.
IZ1H9 initially spreads through HTTP, SSH and Telnet protocols, the researchers added, saying that the best protection is to keep Linux devices patched and updated.
“To combat this threat, it is highly recommended that patches and updates are applied when possible,” the researchers concluded.
Botnets such as this one are usually used to mount Distributed Denial of Service (DDoS) attacks. DDoS is one of the most popular forms of attack out there, and it works by rendering a tool or service (a website, for example) inaccessible. In a DDoS attack, the attacker floods the target server with so much bogus traffic that the server can’t handle it and eventually becomes clogged.
To get that kind of traffic, the attacker will need countless devices (such as Linux IoT devices, for example) to send traffic packets to the same address.