A new variant of the Mirai botnet, Katana is being identified recently by the Avira Protection Lab. The botnet is known to be under development, however, it already has various advanced capabilities like fast replication, secure C&C, layer 7 DDoS, and different encryption keys for each source. Katana has actively exploited security flaws in GPON, Linksys routers, and DLink to infected hundreds of devices.
The IoT botnet, Mirai has continually evolved since its source code was made publically available in 2017. A threat report published by Avira Protection Labs depicts this continuous evolution by highlighting how newer versions of Mirai are easily available — can be sold, bought, or sourced through YouTube channels, enabling amateur threat actors to develop malicious botnet. This increased the number of attacks. Furthermore, Katana is equipped with several classic features of the parent Botnet, Mirai, including running a single instance, a random process name. It also can edit and manipulate the watchdog to stop the system from restarting.
What is Mirai and how does it work?
Mirai is a malicious program that replicates itself and therefore is also known as a 'self-propagating' worm. It does so by searching and infecting vulnerable IoT devices. Altogether, Mirai is constructed upon two modules; one being a replication module and the other one being an attack module. As the affected devices are managed and directed by a central set of command and control (C&C) servers, it is also regarded as a botnet.
In one of their recent campaigns, attackers were seen downloading Sora, a variant of Mirai, from their server against vBulletin pre-auth RCE vulnerability. In another incident, a hacker was observed adopting Mira ..
Support the originator by clicking the read the rest link below.
