Today, 20 May 2022

Threat Roundup for May 13 to May 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022

20 May 2022 at 09:02
  • According to CrowdStrike research, Mirai malware variants compiled for Intel-powered Linux systems doubled (up 101%) in Q1 2022 compared to Q1 2021
  • Mirai malware variants that targeted 32-bit x86 processors increased the most (120% in Q1 2022 vs. Q1 2021)
  • Mirai malware is used to compromise internet-connected devices, amass them into botnets and use their collective power to conduct denial of service attacks
  • Mirai variants continuously evolve to exploit unpatched vulnerabilities to expand their attack surface

Popular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds ranging from mobile and Internet of Things (IoT) devices to cloud infrastructures.

According to internal and open-source data analyzed by the CrowdStrike malware research team, the ARM CPU architecture (used in most mobile and IoT devices) remains the most prevalent among Mirai variants, but the number of 32-bit x86 Mirai variants (used on Linux servers and networking equipment) increased by 120% in Q1 2022 compared to Q1 2021, while ARM-compiled variants increased by only 10% during the same timespan. On average, the number of Mirai variants compiled for both 32- and 64-bit x86 CPU architectures has increased by 101% during the same timespan.

From a malware developer perspective, focusing on compiling variants for the x86 monoculture rather than all of the CPU architectures used by Linux-running IoT devices likely involves less effort from a code maintenance standpoint, while expanding the attack surface to include Linux-running devices with more computing power.

Figure 1. Mirai variants distribution based on builds compiled for specific CPU architectures (Q1 2021 vs Q1 2022)

Why Linux Botnets?

The Linux operating system powers most of the world's data centers, web servers and cloud services, and also a wide range of network, mobile and IoT devices. Regardless of the CPU architecture powering these devices, their sheer volume creates a very large attack surface for threats and cybercriminals to amass these devices into massive botnets and use them for launching denial of service attacks.

Botnets are the result of malware that automatically replicates and spreads to vulnerable devices, enabling botmasters to seize remote control over all compromised devices. The most common use for botnets, apart from performing DDoS, involves using them as proxy servers or for cryptocurrency mining; each activity is bad in its own way.

For more information on how botnets work and how to protect against them, see the CrowdStrike Cybersecurity 101 page.

Figure 2. Example of Centralized Client-Server botnet infrastructure

Mirai Is Constantly Evolving

What's special about Mirai is that its source code and instructions on how to set up the botnet were made public in late 2016 by its developer, and traces of that original code can now be found in multiple recent Mirai variants.

While brute-force login attempts against internet-connected devices remain the preferred method for spreading many Mirai variants, going after devices with high-bandwidth, low-latency internet connections and more computing power requires new methods of compromise, and shifts the targeting away from smart devices toward more powerful Linux-running devices.

Many of the original Mirai features have made their way into existing variants, such as setting up signal-based control flow to make dynamic analysis harder; self-deleting the executable; changing the process name and the command line to avoid detection; preventing system reboot; stopping processes associated with remote administration tools like SSH and Telnet; stopping "competing" malware processes; and searching for new targets to infect. But newer variants have slightly different implementations or add new exploit capabilities to increase the attack surface.

For example, whenever a new exploit becomes public, such as the recent Log4j vulnerability, it's quickly integrated by malware developers into various Mirai variants. The Log4j logging library is used by countless applications and is not limited to applications running on a specific operating system or CPU architecture.

Figure 3. Mirai variant exploiting the Log4Shell vulnerability (8d80490b35ebb3f75f568ed4a9e8a7de28254c2f7a6458b4c61888572a64197e)

As seen in Figure 3, the vulnerable application (in this case, a networking device) will load and instantiate a Java class found at the attacker's IP address and execute whatever code the attacker put in it.

CrowdStrike Falcon Protection for Linux

Minimum recommendations for preventing Mirai infection on IoT devices involve using custom passwords, updated software and recent hardware, if possible.

Since Linux is one of the primary operating systems for business-critical applications and infrastructure, whether on-premises or in private and public clouds, it's critical to protect these systems with a solution that provides protection and visibility across all Linux workloads, regardless of location.

The CrowdStrike Falcon® platform protects Linux workloads, including containers, whether they run in public and private clouds, on-premises or in hybrid data centers. To effectively detect and protect against Mirai variants, CrowdStrike researchers continuously analyze and understand how they operate and how they continue to evolve to build better automated detection capabilities.

Figure 4. CrowdStrike Falcon detects Mirai x86 upx-packed Linux sample using on-sensor machine learning (3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d)

Machine learning (on sensor and in the cloud), behavior-based indicators of attack (IOAs) and custom hash blocking, all built into the Falcon platform, can help defend Linux workloads against malware and sophisticated threats, offering complete visibility and context into any attack on Linux workloads.

Indicators of Compromise (IOCs)

| Variant | Platform | Hash | Notable features |
|---|---|---|---|
| Original | x86 | 0a38acadeb41536f65ed89f84cc1620fb79c9b916e0d83f2db543e12fbfd0d8c | Debug symbols |
| Greek Helios | x86 | bc5f1b69b6edfd58a56b104568cb73fe74ccefea6651b1a1bcf7613331b56597 | Modified proc killer, ends "competing" Mirai variants |
| Original | x86 upx | 3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d | Upx |
| Miori | x86-64 | 58d2db0bc8d93a30101eb87ef28c7dbf1af61ae2ebc355f6a236ab594a236f4b | Larger encrypted string table |
| Modified Satori | arm | e666e0c720387db27e23c65d6a252f79587ca1b9d1c38e96d6db13b05d5b73fa | Debug symbols, exploit for Huawei, GPON routers + jaws web server |
| 2022 log4j | arm | 3d604ebe8e0f3e65734cd41bb1469cea3727062cffc8705c634558afa1997a7a | Multiple router exploits + thinkPHP, jaws, log4j exploit |
| Cross breed | arm upx | ac13002f74249e0eab2dacb596a60323130664b8c19d938af726508fdc7500a2 | Mirai's encrypted string table, debug symbols |
| Mirai + Mozi | MIPS | 2067f740253b010d7a7b01dedee9ee897fb4255b9fc10f76f5ea9f6fd165bde6 | Upx with broken magic, p_info and padding at the end to prevent unpacking. Contains exploits for a variety of routers and web servers. |
| Cross-breed | x86-64 upx | d1a71eed917cc23729f04fb6fb630209878419aef404ebe940dea8eccaac68de | Minimalist main, uses Mirai's killer, gafgyt's tables, functions broken into pieces, heavily modified control flow |

Additional Resources

Metastealer – filling the Racoon void

Author: Peter Gurney


MetaStealer is a new information stealer variant designed to fill the void left by Racoon stealer suspending operations in March of this year. Analysts at the Israeli dark web intelligence firm Kela first identified its emergence on underground marketplaces [1], and SANS Internet Storm Centre handler Brad Duncan later observed it being used in a spam campaign [2], where the initial stages and traffic were detailed. This analysis describes the final MetaStealer payload and details its functionality.

Significant findings include:

  • Heavy reliance on open-source libraries
  • Microsoft Defender Bypass
  • Scheduled Task Persistence
  • Password Stealer
  • Keylogger
  • Hidden VNC server

Figure 1 MetaStealer Loader Execution

Technical Analysis

Defender Bypass

Early on in execution, the below command is executed using PowerShell:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension "exe"

As can be seen in Figure 2, the command adds an exclusion rule to Microsoft Defender, effectively turning off scanning of files with the .exe extension. This reduces the chance of the main payload being detected, as well as any subsequent payloads delivered to the target host after infection.

Figure 2 Defender Exclusion

With the Microsoft Defender exclusion in place, another PowerShell command renames the original file to a hardcoded value with an .exe extension; in this case, {Original filename}.xyz becomes hyper-v.exe:

powershell rename-item -path .xyz -newname hyper-v.exe


To maintain persistence, a scheduled task is created using the Component Object Model (COM): a task named sys is created in the \Microsoft\Windows folder. The task is set to trigger at user login, ensuring the malware remains persistent across reboots.
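As an added example (not code from the original analysis), a small Python check that scans constructed process command-line telemetry for the two PowerShell commands described above: the Defender exclusion and the rename to hyper-v.exe. The telemetry format is assumed; the exclusion rule is written a little more generally than the sample needs, covering the -ExclusionPath and -ExclusionProcess parameters of Add-MpPreference as well as -ExclusionExtension.

```python
import re

# Constructed sample telemetry (not from the original analysis): one process
# command line per line, as an EDR or Sysmon process-creation feed might deliver them.
SAMPLE_CMDLINES = """\
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension "exe"
powershell rename-item -path invoice.xyz -newname hyper-v.exe
powershell -Command Get-Process
C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt
"""

# Any Add-MpPreference exclusion parameter; the sample uses -ExclusionExtension "exe"
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\b.*?-(ExclusionExtension|ExclusionPath|ExclusionProcess)\s+"?([^\s"]+)',
    re.I)
# rename-item ... -newname <target>; hyper-v.exe is the sample's hardcoded target name
RENAME_RE = re.compile(r'rename-item\b.*?-newname\s+(\S+)', re.I)

def check_cmdline(line):
    """Return a list of (finding, detail) tuples for one process command line."""
    findings = []
    m = EXCLUSION_RE.search(line)
    if m:
        findings.append(("defender_exclusion", f"{m.group(1)}={m.group(2)}"))
    m = RENAME_RE.search(line)
    if m and m.group(1).lower() == "hyper-v.exe":
        findings.append(("metastealer_rename", m.group(1)))
    return findings

def scan_cmdlines(text):
    """Run check_cmdline over every line; return (line number, finding, detail) hits."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for finding in check_cmdline(line):
            hits.append((no, *finding))
    return hits
```

Any hit on the exclusion rule is worth triage on its own: a user-context process adding Defender exclusions is rare in legitimate use.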

Figure 3 String de-obfuscation example

String Obfuscation

While several strings from included libraries are visible within the sample, the majority of strings within MetaStealer's main code are encrypted and only decrypted as needed at runtime. To achieve this, the encrypted strings are moved onto the stack and decrypted with a bitwise XOR operation for use during execution. A Python representation of the routine is shown below, with a worked instance in Figure 4.

def swap32(x):
    # Reverse the byte order of a 32-bit immediate (little-endian in memory -> reading order)
    return int.from_bytes(x.to_bytes(4, byteorder='little'), byteorder='big', signed=False)

def split_hex(value):
    # Split an integer into a list of two-character hex byte strings
    text = hex(value)[2:]
    text = text.zfill(len(text) + len(text) % 2)
    return [text[i:i + 2] for i in range(0, len(text), 2)]

# Immediates taken from the sample's stack-string setup: the encrypted bytes and the XOR key
hexIntXOR = []
hexIntKey = []

hexbytesxor = []
hexbyteskey = []

for HexInt in hexIntXOR:
    hexbytesxor = hexbytesxor + split_hex(HexInt)

for HexInt in hexIntKey:
    hexbyteskey = hexbyteskey + split_hex(HexInt)

# XOR each encrypted byte with the key byte at the same offset
for xorByte, keyByte in zip(hexbytesxor, hexbyteskey):
    print(chr(int(xorByte, base=16) ^ int(keyByte, base=16)), end='')

Figure 4 String de-obfuscation example
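Added example, not from the original analysis: the same XOR scheme worked end to end on a constructed sample. The dword immediates are assumed to be copied in disassembly order from consecutive mov dword [ebp+disp], imm32 instructions, so each one is laid back down little-endian before the XOR (which is what the swap32 helper above accounts for); the key and plaintext here are made up for the demo.

```python
# Added example: decrypt a MetaStealer-style stack string from dword immediates.
# The key and plaintext below are constructed for the demo, not taken from the sample.

def dwords_to_bytes(dwords):
    """Lay dword immediates back down in memory (little-endian) order."""
    return b"".join(d.to_bytes(4, "little") for d in dwords)

def bytes_to_dwords(data):
    """Split bytes into the dword immediates the compiler would emit (zero-padded)."""
    padded = data.ljust(-(-len(data) // 4) * 4, b"\x00")
    return [int.from_bytes(padded[i:i + 4], "little") for i in range(0, len(padded), 4)]

def decrypt_stack_string(cipher_dwords, key_dwords):
    """XOR the encrypted stack buffer with the key buffer and stop at the NUL terminator."""
    cipher = dwords_to_bytes(cipher_dwords)
    key = dwords_to_bytes(key_dwords)
    if len(key) < len(cipher):
        raise ValueError("key buffer shorter than ciphertext buffer")
    plain = bytes(c ^ k for c, k in zip(cipher, key))
    # Bytes after the terminator decrypt to key material, not text: cut them off.
    return plain.split(b"\x00", 1)[0].decode("ascii")

# Constructed 32-byte key; the real sample carries its own key bytes per string.
DEMO_KEY = bytes((i * 37 + 11) & 0xFF for i in range(32))

def build_sample(plaintext):
    """Encrypt plaintext (NUL-padded to the key length); return (cipher_dwords, key_dwords)."""
    padded = plaintext.ljust(len(DEMO_KEY), b"\x00")
    cipher = bytes(p ^ k for p, k in zip(padded, DEMO_KEY))
    return bytes_to_dwords(cipher), bytes_to_dwords(DEMO_KEY)

# One of the C2 paths named in the analysis, encrypted with the constructed key
CIPHER_DWORDS, KEY_DWORDS = build_sample(b"/api/client/new")
```

The cut at the first NUL matters: the print loop above emits every decoded byte, so on a real buffer the trailing bytes (NUL padding XOR key) come out as garbage after the string.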

Command and Control

PCAPs from the SANS Internet Storm Centre report show that while initial C2 registration traffic was successful, later requests resulted in an HTTP 400 error code reply. Our own tests confirm this behaviour, indicating this specific campaign was short-lived, with commands no longer issued to new infections. This is likely a direct attempt to limit further analysis of the command and control communication protocol by analysts.

The sample contains a hardcoded Command and Control server, in this case, 193.106.191[.]162:1775, which is decrypted by the standard string decryption routine described in the previous section.

Connection to the command and control infrastructure is performed over HTTP using the library 'cpp-httplib' [3], resulting in the user agent cpp-httplib/0.10.1 being used.

The initial connection is performed to the URL path /api/client/new, decrypted using the XOR routine detailed earlier. This connection is a simple GET request with no further information included, and expects a reply in JSON format, as can be seen in Figure 5.

Figure 5 Registration connection

The UUID in the ok key is used as a BotId and changes on each new registration request.

To parse the JSON string, another open-source library is utilised (Nlohmann JSON [4]), extracting the BotId, which is subsequently written to the file %localappdata%\hyper-v.ver in plaintext allowing the BotId to remain persistent across reboots.

The second request to the command and control server begins with a new JSON object being created utilising the Nlohmann JSON library. The UUID key is populated with the UUID received from the earlier registration request.

Figure 6 get worker request body

The URL path /tasks/get_worker is decrypted and used to make a POST request to the command and control server, including the UUID JSON string. At the time of writing, the server replies to this command with an HTTP 400 error code, as seen in Figure 7.

Figure 7 get worker request

The final identified command and control request uses the URL path '/tasks/collect' following the completion of any tasks issued. A POST request is made detailing the success or failure of the task along with additional data such as stolen information or command output.
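As an added example (not code from the original analysis), the check-in sequence above turned into a detection over a constructed proxy log, plus the two JSON messages as the analysis describes them. The log format, and the exact JSON shapes {"ok": "<uuid>"} for the registration reply and {"UUID": "<uuid>"} for the get_worker body, are assumptions; the C2 address and user agent are the indicators given in the text.

```python
import json
import re
import uuid

# Constructed proxy log (not from the original analysis), one request per line:
# client method host:port path user_agent status
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET 193.106.191.162:1775 /api/client/new cpp-httplib/0.10.1 200
10.0.0.5 POST 193.106.191.162:1775 /tasks/get_worker cpp-httplib/0.10.1 400
10.0.0.9 GET example.org:443 /index.html Mozilla/5.0 200
10.0.0.7 POST 10.1.1.2:8080 /api/client/new curl/7.81.0 200
"""

C2_USER_AGENT = "cpp-httplib/0.10.1"
C2_SEQUENCE = ("/api/client/new", "/tasks/get_worker")   # registration, then task poll
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\S+) (\d{3})$")

def _follows_sequence(paths):
    """True if a registration request is later followed by a get_worker poll."""
    reg, poll = C2_SEQUENCE
    return reg in paths and poll in paths[paths.index(reg) + 1:]

def find_beacon_sequences(log_text):
    """Return clients whose cpp-httplib requests follow the MetaStealer check-in order."""
    seen = {}   # client -> paths requested with the C2 user agent, in log order
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, _host, path, agent, _status = m.groups()
        if agent == C2_USER_AGENT:
            seen.setdefault(client, []).append(path)
    return sorted(c for c, paths in seen.items() if _follows_sequence(paths))

def parse_registration_reply(body):
    """Extract the BotId from the /api/client/new reply (assumed {"ok": "<uuid>"}); None if malformed."""
    try:
        return str(uuid.UUID(json.loads(body)["ok"]))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def build_get_worker_body(bot_id):
    """Body of the /tasks/get_worker POST: a JSON object carrying the BotId under the UUID key."""
    return json.dumps({"UUID": bot_id})
```

The BotId recovered from a captured registration reply can be matched against the plaintext %localappdata%\hyper-v.ver file on a suspect host to tie the traffic to the infection.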

Command and Control Commands

| Command ID | Function | Description |
|---|---|---|
| 1001 | System Information | Spawn a cmd.exe process with the command line system info and read the output using attached pipes. |
| 1002 | Cookie Stealer | Access cookie data from the following locations (the location can change based on an installed-version check): Chrome C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default{\Network (depending on version check)}\Cookies; Firefox C:\Users\{user}\AppData\Roaming\Mozilla\Firefox\Profiles\cookies.sqlite; Edge C:\Users\{user}\AppData\Local\Microsoft\Edge\User Data\Default{\Network (depending on version check)}\Cookies |
| 1003 | Password Stealer | Access saved password data from the following locations: Chrome C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Login Data; Firefox C:\Users\{user}\AppData\Roaming\Mozilla\Firefox\Profiles\ logins.json / signons.sqlite; Edge C:\Users\{user}\AppData\Local\Microsoft\Edge\User Data\Default\LoginData |
| 1004 | Start keylogger | Start the keylogger on the following applications: Chrome, Firefox, Notepad |
| 1005 | Stop keylogger | Stop the keylogger |
| 1006 | Start HVNC | Set up a Hidden Virtual Network Connection (HVNC) by creating a hidden desktop, with network connectivity over sockets provided by the open-source library Kissnet [5] |
| 1007 | Stop HVNC | Stop HVNC |
| 1008 | Execute Command | Execute the given command using a spawned cmd.exe process and read the result using connected pipes. |

Table 1 Command and Control Commands



  • 193.106.191[.]162:1775
  • cpp-httplib/0.10.1
  • hyper-v.exe


rule metaStealer_memory {
    meta:
        description = "MetaStealer Memory"
        author = "Peter Gurney"
        date = "2022-04-29"
    strings:
        $str_c2_parse = {B8 56 55 55 55 F7 6D C4 8B C2 C1 E8 1F 03 C2 8B 55 C0 8D 04 40 2B 45 C4}
        $str_filename = ".xyz -newname hyper-v.exe" fullword wide
        $str_stackstring = {FF FF FF C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF}
    condition:
        uint16(0) == 0x5a4d and
        2 of ($str_*)
}


[1] https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/

[2] https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/

[3] https://github.com/yhirose/cpp-httplib

[4] https://github.com/nlohmann/json

[5] https://github.com/Ybalrid/kissnet
