Mirai Botnet Starts Mining for Bitcoins In New Twist

IBM X-Force has discovered a first-of-its-kind variant of the ELF Linux/Mirai malware that has a built-in component designed to mine bitcoins.

The variant was first discovered without the bitcoin mining capability in August 2016, but traffic from the new strain containing links to ELF 64-bit binary files started towards the end of March 2017, increased by 50 percent in four days and disappeared another four days later.

According to Dave McMillen, senior threat researcher at IBM Managed Security Services, this new Mirai strain was similar to another recently created version that leverages a Windows Trojan, but was focused on attacking Linux machines running BusyBox, software that describes itself as "the Swiss Army knife of embedded Linux."

Mirai Mining

The Windows version contained some capabilities beyond those of normal Mirai botnets, such as SQL injection and brute-force attack tools, but the new ELF Linux/Mirai malware variant boasts an extra add-on in the form of a bitcoin miner slave.

"This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all," McMillen writes. "Given Mirai's power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium.

"We haven't yet determined that capability, but we found it to be an interesting yet concerning possibility. It's possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode."

In a blog post, McMillen also highlighted the benefits of focusing on bitcoin mining due to society's growing preference for cashless payments, especially seeing as cybercriminal activity is often funded by the cryptocurrency.

However, he questioned the economic validity of such a strategy: Almost four years ago, Krebs on Security discussed...
