Dark Reading reports on a new Mirai botnet variant, OMG, which aims to turn infected IoT devices into proxy servers as a potential method of generating income:
“One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals,” Fortinet said in a blog post this week. Proxies give cybercriminals a way to remain anonymous when carrying out malicious activity like cyber theft, or breaking into systems.
“Adversaries could also spread multiple attacks through a single source. They could get around some types of IP blocking and filtering,” as well, according to a Fortinet spokesperson.
OMG uses an open source tool called 3proxy as its proxy server. For the proxy to work properly, OMG includes two strings containing a command for adding and removing certain firewall rules so as to allow traffic on two random ports, Fortinet said. OMG also packs most of the functionality of the original Mirai malware, including the ability to look for open ports and kill any processes related to telnet, http, and SSH, and to use telnet brute-force logins to spread, Fortinet said.
When installed on a vulnerable IoT device, OMG initiates a connection to a command-and-control server and identifies the system as a new bot. Based on the data message, the C&C server then instructs the bot malware whether to use the infected IoT device as a proxy server or for DDoS attacks – or to terminate the connection.
According to Fortinet, OMG is the first Mirai variant that incorporates both the original DDoS functionality as well as the ability to set up proxy servers on IoT devices.
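A defender-side check suggested by the behaviour described above, added here as an example and not code from Fortinet or the Dark Reading article: it cross-references firewall ACCEPT rules against listening sockets and flags any port that is both opened in the firewall and bound by a process but is not on the device's expected-service list. The iptables-save and ss output, port numbers, PIDs, process names and the expected-port set are all constructed assumptions.

```python
import re

# Assumption: ports this device is expected to expose; adjust per fleet.
EXPECTED_PORTS = {22, 80, 443}

# Constructed sample of `iptables-save` output. The two high-port ACCEPT rules
# (hypothetical values) stand in for the rules the write-up says OMG adds.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41337 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 52001 -j ACCEPT
COMMIT
"""

# Constructed sample of `ss -lntp` output (hypothetical PIDs and process names).
SS_LNTP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*         users:(("httpd",pid=520,fd=5))
LISTEN 0      128    0.0.0.0:41337     0.0.0.0:*         users:(("3proxy",pid=2201,fd=7))
LISTEN 0      128    0.0.0.0:52001     0.0.0.0:*         users:(("3proxy",pid=2201,fd=8))
"""

RULE_RE = re.compile(r"^-A INPUT .*--dport (\d+) .*-j ACCEPT$")
SOCK_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def accepted_ports(iptables_text):
    """Return the set of TCP ports the INPUT chain accepts inbound."""
    ports = set()
    for line in iptables_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def listeners(ss_text):
    """Return {port: (process, pid)} for every listening TCP socket."""
    out = {}
    for line in ss_text.splitlines():
        m = SOCK_RE.match(line)
        if m:
            out[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return out

def find_unexpected_listeners(iptables_text, ss_text, expected=EXPECTED_PORTS):
    """Ports opened in the firewall AND bound by a process, but not expected."""
    opened = accepted_ports(iptables_text) - expected
    bound = listeners(ss_text)
    return sorted((p, *bound[p]) for p in opened if p in bound)

if __name__ == "__main__":
    for port, proc, pid in find_unexpected_listeners(IPTABLES_SAVE, SS_LNTP):
        print(f"ALERT: unexpected listener {proc} (pid {pid}) on tcp/{port}")
```

On a real device, feed the live output of `iptables-save` and `ss -lntp` into the two functions instead of the constructed samples.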
Attackers are always creating new ways of leveraging their malware toolset. This is a pretty interesting use case, and probably not one that will be attractive to most actors. Nonetheless, although a novel use of Mirai, it is just as dangerous as its predecessors and therefore needs to be properly eradicated before it causes any major damage.