SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.mirai (Back to overview)

Mirai

aka: Katana
URLhaus        

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

References
2022-10-20FortinetCara Lin
@online{lin:20221020:mirai:6945658, author = {Cara Lin}, title = {{Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability}}, date = {2022-10-20}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability}, language = {English}, urldate = {2022-11-21} } Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
Mirai
2022-05-20CrowdStrikeVlad Ciuleanu
@online{ciuleanu:20220520:mirai:77360aa, author = {Vlad Ciuleanu}, title = {{Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022}}, date = {2022-05-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/}, language = {English}, urldate = {2022-05-25} } Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
Mirai
2022-05-16RiskIQRiskIQ
@online{riskiq:20220516:riskiq:84b9ddd, author = {RiskIQ}, title = {{RiskIQ: Storm Clauds - New C2 Over DNS Mimics CloudFront}}, date = {2022-05-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/d8a78daf}, language = {English}, urldate = {2022-05-25} } RiskIQ: Storm Clauds - New C2 Over DNS Mimics CloudFront
Mirai
2022-05-12Lacework LabsChris Hall, Jared Stroud
@online{hall:20220512:malware:ff2f6a5, author = {Chris Hall and Jared Stroud}, title = {{Malware targeting latest F5 vulnerability}}, date = {2022-05-12}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/}, language = {English}, urldate = {2022-05-17} } Malware targeting latest F5 vulnerability
Mirai
2022-04-15TrustwaveRadoslaw Zdonczyk
@online{zdonczyk:20220415:tough:03a92ea, author = {Radoslaw Zdonczyk}, title = {{Tough Times for Ukrainian Honeypot?}}, date = {2022-04-15}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot}, language = {English}, urldate = {2022-08-17} } Tough Times for Ukrainian Honeypot?
Mirai
2022-04-15Center for Internet SecurityCIS
@online{cis:20220415:top:62c8245, author = {CIS}, title = {{Top 10 Malware March 2022}}, date = {2022-04-15}, organization = {Center for Internet Security}, url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022}, language = {English}, urldate = {2023-02-17} } Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-08Trend MicroDeep Patel, Nitesh Surana, Ashish Verma
@online{patel:20220408:cve202222965:53968ea, author = {Deep Patel and Nitesh Surana and Ashish Verma}, title = {{CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware}}, date = {2022-04-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html}, language = {English}, urldate = {2022-04-13} } CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware
Mirai
2022-04-08The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220408:hackers:71f1a10, author = {Ravie Lakshmanan}, title = {{Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html}, language = {English}, urldate = {2022-04-12} } Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware
Mirai
2022-04-01360 netlabhouliuyang, 黄安欣
@online{houliuyang:20220401:what:f58905c, author = {houliuyang and 黄安欣}, title = {{What Our Honeypot Sees Just One Day After The Spring4Shell Advisory}}, date = {2022-04-01}, organization = {360 netlab}, url = {https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/}, language = {English}, urldate = {2022-04-13} } What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Mirai
2022-04-01FortinetJoie Salvio, Roy Tay
@online{salvio:20220401:fresh:1ba500a, author = {Joie Salvio and Roy Tay}, title = {{Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign}}, date = {2022-04-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign}, language = {English}, urldate = {2022-04-05} } Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
Mirai
2022-03-15JPCERT/CCShusei Tomonaga
@online{tomonaga:20220315:antiupx:f8c6f2f, author = {Shusei Tomonaga}, title = {{Anti-UPX Unpacking Technique}}, date = {2022-03-15}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html}, language = {English}, urldate = {2022-03-28} } Anti-UPX Unpacking Technique
Mirai
2022-02-25SOCRadarSOCRadar
@online{socradar:20220225:what:4bcc0aa, author = {SOCRadar}, title = {{What You Need to Know About Russian Cyber Escalation in Ukraine}}, date = {2022-02-25}, organization = {SOCRadar}, url = {https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/}, language = {English}, urldate = {2022-03-01} } What You Need to Know About Russian Cyber Escalation in Ukraine
Mirai HermeticWiper
2022-02-25360 netlabGhost
@online{ghost:20220225:details:66e35e3, author = {Ghost}, title = {{Details of the DDoS attacks we have seen recently against Ukraine and Russia}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/}, language = {Chinese}, urldate = {2022-03-01} } Details of the DDoS attacks we have seen recently against Ukraine and Russia
Bashlite Mirai Mirai
2022-02-25360 netlabGhost
@online{ghost:20220225:some:268b2df, author = {Ghost}, title = {{Some details of the DDoS attacks targeting Ukraine and Russia in recent days}}, date = {2022-02-25}, organization = {360 netlab}, url = {https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/}, language = {English}, urldate = {2022-03-02} } Some details of the DDoS attacks targeting Ukraine and Russia in recent days
Bashlite Mirai MooBot PerlBot
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-20Cado SecurityCado Security
@online{security:20220220:technical:9232633, author = {Cado Security}, title = {{Technical Analysis of the DDoS Attacks against Ukrainian Websites}}, date = {2022-02-20}, organization = {Cado Security}, url = {https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/}, language = {English}, urldate = {2022-02-26} } Technical Analysis of the DDoS Attacks against Ukrainian Websites
Mirai
2022-02-18Cert-UACert-UA
@online{certua:20220218:information:122b8b2, author = {Cert-UA}, title = {{Information on cyberattacks 15 February 2022}}, date = {2022-02-18}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/37139}, language = {Ukrainian}, urldate = {2022-05-04} } Information on cyberattacks 15 February 2022
Mirai
2022-02-16NetScoutRoland Dobbins, Steinthor Bjarnason
@online{dobbins:20220216:ddos:004dcc5, author = {Roland Dobbins and Steinthor Bjarnason}, title = {{DDoS Attack Campaign Targeting Multiple Organizations in Ukraine}}, date = {2022-02-16}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine}, language = {English}, urldate = {2022-02-19} } DDoS Attack Campaign Targeting Multiple Organizations in Ukraine
Mirai
2022-01-13CrowdStrikeMihai Maganu
@online{maganu:20220113:linuxtargeted:66d730c, author = {Mihai Maganu}, title = {{Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent}}, date = {2022-01-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/}, language = {English}, urldate = {2022-01-18} } Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent
Mirai Mozi XOR DDoS
2022-01-04forensicitguyTony Lambert
@online{lambert:20220104:extracting:176a37c, author = {Tony Lambert}, title = {{Extracting Indicators from a Packed Mirai Sample}}, date = {2022-01-04}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/}, language = {English}, urldate = {2022-01-25} } Extracting Indicators from a Packed Mirai Sample
Mirai
2021-12-15ZscalerRubin Azad
@online{azad:20211215:threatlabz:fcf4d6c, author = {Rubin Azad}, title = {{ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts}}, date = {2021-12-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts}, language = {English}, urldate = {2022-01-05} } ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts
Kinsing Mirai
2021-12-14Medium s2wlabS2W TALON
@online{talon:20211214:logs:198ffe4, author = {S2W TALON}, title = {{Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous}}, date = {2021-12-14}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039}, language = {English}, urldate = {2022-01-05} } Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous
Kinsing Mirai Tsunami
2021-12-13Cado SecurityCado Security
@online{security:20211213:analysis:6199122, author = {Cado Security}, title = {{Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228}}, date = {2021-12-13}, organization = {Cado Security}, url = {https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/}, language = {English}, urldate = {2022-01-18} } Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228
Kinsing Mirai Tsunami
2021-09-30laceworkLacework Labs
@online{labs:20210930:mirai:014ab03, author = {Lacework Labs}, title = {{Mirai goes Stealth – TLS & IoT Malware}}, date = {2021-09-30}, organization = {lacework}, url = {https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/}, language = {English}, urldate = {2021-10-11} } Mirai goes Stealth – TLS & IoT Malware
Mirai VPNFilter
2021-09-28NetlabHui Wang, Alex.Turing, YANG XU
@online{wang:20210928:miraiptearimasuta:2349f41, author = {Hui Wang and Alex.Turing and YANG XU}, title = {{Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0 day to spread}}, date = {2021-09-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/}, language = {English}, urldate = {2021-10-24} } Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0 day to spread
Mirai
2021-09-18MicrosoftRussell McDonald
@online{mcdonald:20210918:hunting:2da3ec2, author = {Russell McDonald}, title = {{Hunting for OMI Vulnerability Exploitation with Azure Sentinel}}, date = {2021-09-18}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093}, language = {English}, urldate = {2021-09-22} } Hunting for OMI Vulnerability Exploitation with Azure Sentinel
Mirai
2021-09-07CUJOAIAlbert Zsigovits
@online{zsigovits:20210907:threat:cabca94, author = {Albert Zsigovits}, title = {{Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered}}, date = {2021-09-07}, organization = {CUJOAI}, url = {https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/}, language = {English}, urldate = {2021-09-10} } Threat Alert: Mirai/Gafgyt Fork with New DDoS Modules Discovered
Bashlite Mirai
2021-08-30Palo Alto Networks Unit 42Brock Mammen, Haozhe Zhang
@online{mammen:20210830:new:de3acd2, author = {Brock Mammen and Haozhe Zhang}, title = {{New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)}}, date = {2021-08-30}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/}, language = {English}, urldate = {2021-08-31} } New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)
Mirai
2021-08-24RadwareRadware
@online{radware:20210824:darkiot:f2a414e, author = {Radware}, title = {{Dark.IoT Botnet Realtek AP-Router SDK Vulnerability CVE-2021-35395}}, date = {2021-08-24}, organization = {Radware}, url = {https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx}, language = {English}, urldate = {2021-08-30} } Dark.IoT Botnet Realtek AP-Router SDK Vulnerability CVE-2021-35395
Dark Mirai
2021-08-22YouTube (Uriel Kosayev)Uriel Kosayev
@online{kosayev:20210822:malware:cf3b942, author = {Uriel Kosayev}, title = {{Malware Analysis - Mirai Botnet Huawei Exploit}}, date = {2021-08-22}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=KVJyYTie-Dc}, language = {English}, urldate = {2021-08-25} } Malware Analysis - Mirai Botnet Huawei Exploit
Mirai
2021-07-01360 netlabHui Wang, Alex.Turing, Jinye, houliuyang, Chai Linyuan
@online{wang:20210701:miraiptea:3ba235e, author = {Hui Wang and Alex.Turing and Jinye and houliuyang and Chai Linyuan}, title = {{Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability}}, date = {2021-07-01}, organization = {360 netlab}, url = {https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/}, language = {English}, urldate = {2021-07-11} } Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability
Mirai
2021-06-30synthesis.to blogTim Blazytko
@online{blazytko:20210630:automation:4b8423b, author = {Tim Blazytko}, title = {{Automation in Reverse Engineering: String Decryption}}, date = {2021-06-30}, organization = {synthesis.to blog}, url = {https://synthesis.to/2021/06/30/automating_string_decryption.html}, language = {English}, urldate = {2021-07-12} } Automation in Reverse Engineering: String Decryption
Mirai
2021-06-24FortinetDavid Maciejak, Joie Salvio
@online{maciejak:20210624:ghosts:75b5f92, author = {David Maciejak and Joie Salvio}, title = {{The Ghosts of Mirai}}, date = {2021-06-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai}, language = {English}, urldate = {2021-06-29} } The Ghosts of Mirai
Mirai
2021-06-14AlienVaultFernando Martinez
@online{martinez:20210614:malware:0b975d7, author = {Fernando Martinez}, title = {{Malware hosting domain Cyberium fanning out Mirai variants}}, date = {2021-06-14}, organization = {AlienVault}, url = {https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants}, language = {English}, urldate = {2021-06-21} } Malware hosting domain Cyberium fanning out Mirai variants
Mirai
2021-05-17UptycsSiddartha Sharma, Ashwin Vamshi
@online{sharma:20210517:discovery:1cd5315, author = {Siddartha Sharma and Ashwin Vamshi}, title = {{Discovery of Simps Botnet Leads To Ties to Keksec Group}}, date = {2021-05-17}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group}, language = {English}, urldate = {2021-05-25} } Discovery of Simps Botnet Leads To Ties to Keksec Group
Bashlite Mirai
2021-04-15UptycsSiddharth Sharma
@online{sharma:20210415:mirai:9db8c55, author = {Siddharth Sharma}, title = {{Mirai code re-use in Gafgyt}}, date = {2021-04-15}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt}, language = {English}, urldate = {2021-04-19} } Mirai code re-use in Gafgyt
Bashlite Mirai
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-15Palo Alto Networks Unit 42Vaibhav Singhal, Ruchna Nigam, Zhibin Zhang, Asher Davila
@online{singhal:20210315:new:d276fac, author = {Vaibhav Singhal and Ruchna Nigam and Zhibin Zhang and Asher Davila}, title = {{New Mirai Variant Targeting New IoT Vulnerabilities, Including in Network Security Devices}}, date = {2021-03-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/}, language = {English}, urldate = {2021-03-22} } New Mirai Variant Targeting New IoT Vulnerabilities, Including in Network Security Devices
Mirai
2020-12-03360 netlabYanlong Ma, GenShen Ye
@online{ma:20201203:another:bb8fa99, author = {Yanlong Ma and GenShen Ye}, title = {{Another LILIN DVR 0-day being used to spread Mirai}}, date = {2020-12-03}, organization = {360 netlab}, url = {https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/}, language = {English}, urldate = {2020-12-08} } Another LILIN DVR 0-day being used to spread Mirai
Mirai
2020-10-20AviraAvira Protection Labs
@online{labs:20201020:katana:4dc0a7b, author = {Avira Protection Labs}, title = {{Katana: a new variant of the Mirai botnet}}, date = {2020-10-20}, organization = {Avira}, url = {https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet}, language = {English}, urldate = {2020-10-23} } Katana: a new variant of the Mirai botnet
Mirai
2020-10-14Palo Alto Networks Unit 42Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
@online{hsu:20201014:two:aa1efb9, author = {Ken Hsu and Yue Guan and Vaibhav Singhal and Qi Deng}, title = {{Two New IoT Vulnerabilities Identified with Mirai Payloads}}, date = {2020-10-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/}, language = {English}, urldate = {2020-10-23} } Two New IoT Vulnerabilities Identified with Mirai Payloads
Mirai
2020-08-03IBMAshkan Vila
@online{vila:20200803:infectednight:1ee30b4, author = {Ashkan Vila}, title = {{InfectedNight - Mirai Variant With Massive Attacks On Our Honeypots}}, date = {2020-08-03}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18}, language = {English}, urldate = {2022-05-03} } InfectedNight - Mirai Variant With Massive Attacks On Our Honeypots
Mirai
2020-07-28Trend MicroFernando Mercês
@online{mercs:20200728:mirai:3538243, author = {Fernando Mercês}, title = {{Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902}}, date = {2020-07-28}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/}, language = {English}, urldate = {2020-07-30} } Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
Mirai
2020-07-08Trend MicroTrend Micro
@online{micro:20200708:new:ee4cbf8, author = {Trend Micro}, title = {{New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173}}, date = {2020-07-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/}, language = {English}, urldate = {2020-07-13} } New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173
Mirai
2020-05-14paloalto Networks Unit 42Ruchna Nigam
@online{nigam:20200514:mirai:65d9d83, author = {Ruchna Nigam}, title = {{Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways}}, date = {2020-05-14}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/}, language = {English}, urldate = {2020-05-18} } Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways
Bashlite Mirai
2020-02-24The MalwareMustDie Blogunixfreakjp
@online{unixfreakjp:20200224:mmd00662020:0620daf, author = {unixfreakjp}, title = {{MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat}}, date = {2020-02-24}, organization = {The MalwareMustDie Blog}, url = {https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html}, language = {English}, urldate = {2020-02-27} } MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat
FBot Mirai
2019-10-02Politie NLPolitie NL
@online{nl:20191002:servers:08fffed, author = {Politie NL}, title = {{Servers botnet offline}}, date = {2019-10-02}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html}, language = {English}, urldate = {2020-01-08} } Servers botnet offline
Mirai
2019-09-10ReversingLabsJosip Milić
@online{mili:20190910:mirai:906e0a9, author = {Josip Milić}, title = {{Mirai Botnet Continues to Plague IoT Space}}, date = {2019-09-10}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space}, language = {English}, urldate = {2020-01-13} } Mirai Botnet Continues to Plague IoT Space
Mirai
2019-06-06Palo Alto Networks Unit 42Ruchna Nigam
@online{nigam:20190606:new:916134e, author = {Ruchna Nigam}, title = {{New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices}}, date = {2019-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/}, language = {English}, urldate = {2020-03-09} } New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Echobot Mirai
2019-04-12Stratosphere LabMaría José Erquiaga
@online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } Analysis of an IRC based Botnet
Mirai
2019-04-08Palo Alto Networks Unit 42Ruchna Nigam
@online{nigam:20190408:mirai:b25b562, author = {Ruchna Nigam}, title = {{Mirai Compiled for New Processors Surfaces in the Wild}}, date = {2019-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/}, language = {English}, urldate = {2019-11-26} } Mirai Compiled for New Processors Surfaces in the Wild
Mirai
2018-12-20Trend MicroAugusto Remillano II, Mark Vicente
@online{ii:20181220:with:8e827ba, author = {Augusto Remillano II and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit
Mirai
2018-07-20Palo Alto Networks Unit 42Ruchna Nigam
@online{nigam:20180720:unit:e044686, author = {Ruchna Nigam}, title = {{Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns}}, date = {2018-07-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/}, language = {English}, urldate = {2019-12-20} } Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
Hakai Mirai
2017-12-13KrebsOnSecurityBrian Krebs
@online{krebs:20171213:mirai:bd2cb74, author = {Brian Krebs}, title = {{Mirai IoT Botnet Co-Authors Plead Guilty}}, date = {2017-12-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/}, language = {English}, urldate = {2020-01-08} } Mirai IoT Botnet Co-Authors Plead Guilty
Mirai
2017-11-24Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } Mirai Activity Picks up Once More After Publication of PoC Exploit Code
Mirai
2017-07-15Github (jgamblin)Jerry Gamblin
@online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } Mirai BotNet Source Code
Mirai
2016-10-27Simon Roses Femerling BlogSimon Roses
@online{roses:20161027:mirai:01bd756, author = {Simon Roses}, title = {{Mirai DDoS Botnet: Source Code & Binary Analysis}}, date = {2016-10-27}, organization = {Simon Roses Femerling Blog}, url = {http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/}, language = {English}, urldate = {2020-01-07} } Mirai DDoS Botnet: Source Code & Binary Analysis
Mirai
2016-10-01KrebsOnSecurityBrian Krebs
@online{krebs:20161001:source:796f0bc, author = {Brian Krebs}, title = {{Source Code for IoT Botnet ‘Mirai’ Released}}, date = {2016-10-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/}, language = {English}, urldate = {2019-07-10} } Source Code for IoT Botnet ‘Mirai’ Released
Mirai
2016-05-02John BambenekJohn Bambenek
@online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } OSINT Feed
Mirai Banjori
Yara Rules
[TLP:WHITE] elf_mirai_auto (20230407 | Detects elf.mirai.)
rule elf_mirai_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects elf.mirai."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89d0 c1e005 01d0 89ca }
            // n = 4, score = 300
            //   89d0                 | mov                 eax, edx
            //   c1e005               | shl                 eax, 5
            //   01d0                 | add                 eax, edx
            //   89ca                 | mov                 edx, ecx

        $sequence_1 = { 66894104 7406 66c741064000 c6410911 }
            // n = 4, score = 300
            //   66894104             | mov                 word ptr [ecx + 4], ax
            //   7406                 | je                  8
            //   66c741064000         | mov                 word ptr [ecx + 6], 0x40
            //   c6410911             | mov                 byte ptr [ecx + 9], 0x11

        $sequence_2 = { 807c242b00 66894304 7406 66c743064000 }
            // n = 4, score = 300
            //   807c242b00           | cmp                 byte ptr [esp + 0x2b], 0
            //   66894304             | mov                 word ptr [ebx + 4], ax
            //   7406                 | je                  8
            //   66c743064000         | mov                 word ptr [ebx + 6], 0x40

        $sequence_3 = { 6689432a e8???????? c7433400000000 894330 c6433801 }
            // n = 5, score = 300
            //   6689432a             | mov                 word ptr [ebx + 0x2a], ax
            //   e8????????           |                     
            //   c7433400000000       | mov                 dword ptr [ebx + 0x34], 0
            //   894330               | mov                 dword ptr [ebx + 0x30], eax
            //   c6433801             | mov                 byte ptr [ebx + 0x38], 1

        $sequence_4 = { 894330 c6433801 c6433903 c6433a03 }
            // n = 4, score = 300
            //   894330               | mov                 dword ptr [ebx + 0x30], eax
            //   c6433801             | mov                 byte ptr [ebx + 0x38], 1
            //   c6433903             | mov                 byte ptr [ebx + 0x39], 3
            //   c6433a03             | mov                 byte ptr [ebx + 0x3a], 3

        $sequence_5 = { 3c19 7705 8d42e0 8801 }
            // n = 4, score = 300
            //   3c19                 | cmp                 al, 0x19
            //   7705                 | ja                  7
            //   8d42e0               | lea                 eax, [edx - 0x20]
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_6 = { 66c1e808 d0e8 8d04c0 28c2 }
            // n = 4, score = 300
            //   66c1e808             | shr                 ax, 8
            //   d0e8                 | shr                 al, 1
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   28c2                 | sub                 dl, al

        $sequence_7 = { 8b1408 895310 8b54080c 66895314 }
            // n = 4, score = 300
            //   8b1408               | mov                 edx, dword ptr [eax + ecx]
            //   895310               | mov                 dword ptr [ebx + 0x10], edx
            //   8b54080c             | mov                 edx, dword ptr [eax + ecx + 0xc]
            //   66895314             | mov                 word ptr [ebx + 0x14], dx

    condition:
        7 of them and filesize < 2228224
}
Download all Yara Rules