Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018
(Apr 5, 2018)
A variant of the “Mirai” Distributed Denial-of-Service (DDoS) malware called “IoTroop” (also known as Reaper) may be responsible for the DDoS attacks that targeted financial institutions between January 27 and January 28, 2018. IoTroop was first reported in October 2017 and is capable of infecting multiple types of Internet-of-Things (IoT) devices, such as CCTVs and televisions. Recorded Future researchers note that this malware can be updated easily because it was created with “a flexible Lua engine and scripts, which means that instead of being limited to static, pre-programmed attacks or previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available.”
Recommendation: The Mirai botnet takes advantage of internet-connected devices that were carelessly configured (for example, left on factory defaults), leaving the door wide open to the world. With this in mind, it is likely that IoTroop uses the same tactic when infecting vulnerable devices, in addition to using exploits. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should know all of their internet-facing assets and keep them under strict monitoring.
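The recommendation above boils down to three checks: know every internet-facing asset, make sure none of them still runs on factory credentials, and watch which management services are reachable from the internet. The following Python script is an added example (it is not part of the briefing and not Anomali's or Recorded Future's code) that reconciles a constructed asset inventory against a constructed list of observed internet-facing services and produces findings for each of those three conditions. The `InventoryDevice`, `ObservedService` and `Finding` types, the `RISKY_PORTS` table and all IP addresses are assumptions made for the example; real input would come from an asset database and a perimeter scan export.

```python
"""Reconcile an IoT asset inventory against observed internet-facing services.

Added example, not from the briefing. All devices, addresses and port data
below are constructed for illustration (203.0.113.0/24 is a documentation range).
"""
from dataclasses import dataclass
from collections import Counter

# Management ports that Mirai-family bots brute-force (telnet) or that commonly
# front IoT admin panels (HTTP). Exposure of any of these is a finding.
RISKY_PORTS = {23: "telnet", 2323: "telnet-alt", 80: "http-admin", 8080: "http-admin-alt"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class InventoryDevice:
    ip: str
    owner: str
    device_type: str
    default_credentials_disabled: bool  # hardening state recorded by the operator


@dataclass(frozen=True)
class ObservedService:
    ip: str
    port: int


@dataclass(frozen=True)
class Finding:
    ip: str
    severity: str
    reason: str


def audit(inventory, observed):
    """Return findings sorted by severity, then by address."""
    by_ip = {d.ip: d for d in inventory}
    exposed_ips = {s.ip for s in observed}
    findings = []
    reported_unknown = set()

    for svc in observed:
        dev = by_ip.get(svc.ip)
        if dev is None:
            # An internet-facing host nobody owns cannot be patched or monitored.
            if svc.ip not in reported_unknown:
                findings.append(Finding(svc.ip, "high", "internet-facing host not in inventory"))
                reported_unknown.add(svc.ip)
            continue
        if svc.port in RISKY_PORTS:
            findings.append(Finding(
                svc.ip, "medium",
                f"{RISKY_PORTS[svc.port]} (port {svc.port}) reachable from the internet"))

    for dev in inventory:
        if not dev.default_credentials_disabled:
            # Factory credentials on an exposed device is exactly what Mirai abuses.
            sev = "critical" if dev.ip in exposed_ips else "high"
            findings.append(Finding(dev.ip, sev, f"default credentials still enabled on {dev.device_type}"))

    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.ip))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample data (assumed, not from the briefing).
INVENTORY = [
    InventoryDevice("203.0.113.10", "facilities", "cctv-dvr", True),
    InventoryDevice("203.0.113.11", "facilities", "cctv-dvr", False),
    InventoryDevice("203.0.113.12", "marketing", "smart-tv", True),
]
OBSERVED = [
    ObservedService("203.0.113.10", 443),
    ObservedService("203.0.113.11", 23),
    ObservedService("203.0.113.11", 80),
    ObservedService("203.0.113.20", 23),     # not in inventory
    ObservedService("203.0.113.20", 8080),   # same unknown host, reported once
]


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(INVENTORY, OBSERVED)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity.upper():8}] {f.ip}: {f.reason}")
    print(summarize(run_audit()))
```

On the sample data the exposed DVR that still has factory credentials comes out as the single critical finding, the unowned host on 203.0.113.20 is reported once as high regardless of how many ports it exposes, and the two reachable management services on the known DVR are medium. Feeding the same two lists into the script on a schedule and diffing the output is a cheap way to keep the "strict monitoring" the recommendation asks for.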
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.