A new variant of the Mirai botnet has been found to use as many as 13 different exploits to target routers and other IoT devices. The malware, called Backdoor.Linux.MIRAI.VWIPT, includes both backdoor and DDoS capabilities.
The Mirai variant uses three XOR keys to encrypt data and four different URLs to complete its infection process. The URLs are:
- hxxp://32[.]235[.]102[.]123:1337
- hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7
- hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips
- hxxp://ililililililililil[.]hopto[.]org/love.sh
While the first URL is used as the command-and-control link, the rest serve as links for downloading and dropping malicious payloads. The 13 exploits take advantage of flaws in routers, surveillance products, and other devices.
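One way a defender could hunt for these four indicators in web proxy logs is sketched below. It is an added example, not code from the article or from the malware's analysts. The log format, the `c2`/`payload` role labels, the function names and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators as listed in the article, kept defanged in source; roles per the article.
IOCS = [
    ("hxxp://32[.]235[.]102[.]123:1337", "c2"),
    ("hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.arm7", "payload"),
    ("hxxp://ililililililililil[.]hopto[.]org/shiina/tmp.mips", "payload"),
    ("hxxp://ililililililililil[.]hopto[.]org/love.sh", "payload"),
]

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")

def parse(url):
    """Return (host, port, path), or None if the URL is malformed."""
    try:
        u = urlsplit(url)
        host = (u.hostname or "").rstrip(".")  # hostname is already lowercased
        return (host, u.port or 80, u.path or "/") if host else None
    except ValueError:  # bad port or bracketed host
        return None

EXACT = {parse(refang(raw)): role for raw, role in IOCS}
BY_HOST = {(h, p): role for (h, p, _), role in EXACT.items()}

def scan(lines):
    """Return (src_ip, role, match_kind) per hit; assumed format: 'ts src_ip method url'."""
    hits = []
    for line in lines:
        fields = line.split()
        key = parse(fields[3]) if len(fields) == 4 else None
        if key is None:
            continue  # malformed line or URL
        if key in EXACT:
            hits.append((fields[1], EXACT[key], "exact"))
        elif key[:2] in BY_HOST:  # known host and port, path not in the list
            hits.append((fields[1], BY_HOST[key[:2]], "host"))
    return hits

# Constructed proxy log lines (not real telemetry), built from the indicators above.
C2, ARM7, MIPS, SH = (refang(raw) for raw, _ in IOCS)
SAMPLE_LOGS = [
    f"2000-01-01T10:00:00Z 192.0.2.10 GET {SH}",
    f"2000-01-01T10:00:05Z 192.0.2.10 GET {ARM7}",
    f"2000-01-01T10:00:09Z 192.0.2.10 GET {C2}/",
    "2000-01-01T10:01:00Z 192.0.2.11 GET http://example.com/index.html",
    f"2000-01-01T10:02:00Z 192.0.2.12 GET http://{parse(SH)[0].upper()}/shiina/tmp.x86",
    "truncated line",
]
```

A `host` match flags traffic to a listed host and port for a path the article does not name, which is worth triage because the article lists payloads for only two architectures.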