C&C server of a new version of Mirai hides in the Tor network

A previously unseen version of the Mirai botnet is hiding its command servers on the Tor network. Trend Micro specialists reached this conclusion after studying the malware sample.

Since the Mirai source code was published online in October 2016, cybercriminals have released variants of the malware that expand its targeting capabilities and pull as many devices as possible into botnets used for distributed denial-of-service (DDoS) attacks.

“The newly discovered Mirai sample is proof that cybercriminals continue to develop and use the malware’s code despite the massive attention it has received over the years”, Trend Micro points out.

According to analysts, the attackers placed the control center in an anonymous part of the Internet in order to avoid its detection and blocking by security systems.

According to the researchers, most Mirai clones have from one to four C&C servers. The identified sample contains 30 IP addresses in its code, which the program contacts during operation. Information security experts have determined that the malware sends them the sequence 05 01 00, which is a request to establish a SOCKS5 connection.

After checking all the addresses indicated in the source code of the new clone, the experts found out that they are proxy servers designed to redirect data to the control center located on the TOR network.

“Connecting to the C&C with a Tor proxy in a testing environment, we confirmed this as it returned a login prompt for the attacker, exactly the same prompt as other C&C servers have returned with previous Mirai variants”, Trend Micro reveals.

According to analysts, the program selected one of the IP addresses and tried to establish a connection through it, and in case of failure, switched to another proxy. Having opened the channel on the test machine, information security specialists received an authorization request from the Mirai command server, which confirmed their assumptions.

The new version of the botnet has the typical features of this malware family. It scans the IP address space for open ports 9527 and 34567, which are commonly used by IoT devices. The malware tries login and password combinations to break into the target system, and then uses the compromised equipment in DDoS attacks.

Security scanners can identify this strain by the string "LONGNOSE: applet not found", which is included in the program code. Analysts searched for other Mirai variants related to this sample and found a file server that contained botnet distributions for different chipsets.
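The network behaviour and the marker string described above, expressed as detection logic in an added example (not Trend Micro's code and not part of the original article). The flow-record format, the thresholds, proxy port 1080 and every address below are constructed assumptions.

```python
from collections import defaultdict

SOCKS5_GREETING = bytes.fromhex("050100")  # version 5, one method offered, method 0 (no auth)
SCAN_PORTS = {9527, 34567}                 # ports the article says the bot scans
MARKER = b"LONGNOSE: applet not found"     # string the article gives for this strain

def parse_greeting(payload: bytes):
    """Return the auth methods offered if payload is a SOCKS5 greeting, else None."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return None
    return list(payload[2:2 + n])

def analyze(flows, min_proxies=3, min_scan_targets=5):
    """flows: (src, dst, dport, first_payload_bytes) tuples. Returns {src: set of findings}."""
    proxies, scans = defaultdict(set), defaultdict(set)
    for src, dst, dport, payload in flows:
        if parse_greeting(payload) == [0x00]:   # exactly the 05 01 00 greeting
            proxies[src].add(dst)
        if dport in SCAN_PORTS:
            scans[src].add(dst)
    findings = defaultdict(set)
    for src, dsts in proxies.items():
        if len(dsts) >= min_proxies:            # same greeting sent to several proxies
            findings[src].add("socks5-proxy-rotation")
    for src, dsts in scans.items():
        if len(dsts) >= min_scan_targets:       # many distinct targets on the IoT ports
            findings[src].add("iot-port-scan")
    return dict(findings)

def has_marker(blob: bytes) -> bool:
    """True if a file's bytes contain the strain's marker string."""
    return MARKER in blob

# Constructed sample flows (documentation address ranges, not real indicators).
SAMPLE_FLOWS = (
    [("10.0.0.5", f"192.0.2.{i}", 1080, SOCKS5_GREETING) for i in (10, 11, 12)]
    + [("10.0.0.5", f"198.51.100.{i}", p, b"")
       for i, p in enumerate([9527, 34567, 9527, 34567, 9527], 1)]
    + [("10.0.0.9", "192.0.2.10", 1080, SOCKS5_GREETING)]   # single proxy: not flagged
    + [("10.0.0.7", f"192.0.2.{i}", 1080, bytes.fromhex("05020002")) for i in (10, 11, 12)]
)

if __name__ == "__main__":
    for src, tags in analyze(SAMPLE_FLOWS).items():
        print(src, sorted(tags))
```

A host that only talks to one SOCKS5 proxy, or that offers other authentication methods in its greeting, stays below the thresholds, which keeps ordinary proxy users out of the results.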

“We find this particular sample interesting for the attackers’ decision to place the C&C server in Tor, likely to evade tracking of its IP address and avoiding being shut down when reported to domain hosts. […] While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families”, Trend Micro concludes.


The Mirai source code leaked onto the Internet in 2016, and since then it has been used by several groups of attackers. One of the latest malware variants identified by information security specialists was armed with 13 exploits that use vulnerabilities in routers, IP cameras, DVRs, and Linux devices with the ThinkPHP framework installed.

William Reddy
