Full Report
A new variant of the Mirai botnet can set up proxy servers on infected IoT devices
Analysis Summary
# Tool/Technique: OMG Botnet (Mirai Variant)
## Overview
OMG is a variant of the notorious **Mirai** botnet. While it retains the standard Mirai capabilities of conducting Distributed Denial of Service (DDoS) attacks, its primary innovation is the transformation of infected IoT devices into a network of proxy servers. This allows threat actors to route malicious traffic through compromised devices to mask their origin.
## Technical Details
- **Type:** Malware Family (Mirai Variant/Botnet)
- **Platform:** Linux-based IoT devices (various architectures including ARM, MIPS, x86)
- **Capabilities:** DDoS, Proxying (HTTP/SOCKS), Brute-forcing, Remote Command Execution
- **First Seen:** Early 2018
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1110.001 - Brute Force: Password Guessing (Telnet/SSH default credentials)
- **TA0007 - Discovery**
  - T1046 - Network Service Discovery (built-in Telnet scanner)
- **TA0005 - Defense Evasion**
  - T1562.004 - Impair Defenses: Disable or Modify System Firewall (`iptables` rules added to expose the proxy ports)
- **TA0011 - Command and Control**
  - T1095 - Non-Application Layer Protocol (Mirai's custom binary protocol over TCP to the C2; the C2 channel is not HTTP and is not encrypted)
  - T1090.002 - Proxy: External Proxy (infected devices relay the operator's traffic)
- **TA0040 - Impact**
  - T1498.001 - Network Denial of Service: Direct Network Flood
## Functionality
### Core Capabilities
- **Propagation:** Uses a built-in scanner to identify vulnerable IoT devices via Telnet/SSH brute-force using a hardcoded list of default credentials.
- **DDoS Engine:** Inherits standard Mirai attack vectors such as UDP, TCP, and HTTP floods.
- **Persistence:** None. The bot runs from memory only, so a reboot clears the infection; a device that still exposes Telnet with default credentials is typically re-infected by another bot's scanner within minutes.
### Advanced Features
- **Proxy Server Implementation:** The malware embeds 3Proxy (an open-source proxy server) and, on command from the C2, generates a configuration and starts it, turning the device into an HTTP/SOCKS proxy node. The family's name comes from the string `OOMGA`, which the bot uses in place of Mirai's original `MIRAI` marker in its BusyBox invocations.
- **Firewall Manipulation:** Before starting the proxy, the bot adds `iptables` rules that allow inbound traffic on the two randomly chosen proxy ports (one for HTTP, one for SOCKS), while closing common service ports to keep competing malware from seizing control of the device.
- **Modular Configuration:** Receives specific instructions from its C2 to enable or disable the proxy module independently of the DDoS module.
## Indicators of Compromise
*(Note: As this is a legacy 2018 variant, specific hashes may vary by sub-distribution)*
- **File Names:** `omg`, `dvrhelper`
- **Network Indicators:**
- C2 Domains: `cc[.]omgbotnet[.]com` (defanged)
- C2 IP: `185[.]62[.]190[.]191` (defanged)
- **Behavioral Indicators:**
- Outbound scanning on ports 23 and 2323.
- Presence of established SOCKS/HTTP proxy connections on high-numbered random ports.
- Modification of `iptables` rules via shell commands.
## Associated Threat Actors
- Primarily used by cybercriminals (e.g., botnet-for-hire operators) rather than specific APT groups.
## Detection Methods
- **Signature-based detection:** Scanning ELF binaries for Mirai-specific byte patterns (the `OOMGA` string, the embedded 3Proxy code and Mirai's obfuscated configuration table).
- **Behavioral detection:**
- Monitoring for high-volume Telnet/SSH connection attempts (scanning behavior).
- Detecting unauthorized changes to local firewall configurations (`iptables`).
- Identifying the execution of the `3proxy` binary on non-standard IoT environments.
- **Network Traffic Analysis:** Identifying unusual proxy traffic (SOCKS5/HTTP) originating from IoT devices that typically only communicate with cloud manufacturer servers.
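The behavioural indicators and detection methods above can be turned into a small triage script. The following is an added example, not code from the original report or from any vendor analysis; it runs three checks over constructed sample data (documentation-range addresses and a hypothetical `iptables -S` dump): an IoT host sweeping many destinations on 23/2323, an IoT host accepting inbound sessions on high ports from outside the network, and an `iptables` dump carrying ACCEPT rules on high ports alongside DROP rules for the remote-admin ports. The thresholds, the internal range and the list of expected open ports are assumptions to be tuned per environment.

```python
"""Triage checks for OMG/Mirai-style behaviour over connection records and an iptables dump.

Added example, not from the original report. Sample data is constructed:
addresses come from RFC 5737 documentation ranges and the iptables dump is hypothetical.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: int      # epoch seconds
    src: str     # initiating address
    dst: str     # responding address
    dport: int   # destination port
    state: str   # "syn" = bare connection attempt, "est" = established session


SAMPLE_FLOWS: List[Flow] = (
    # 10.0.50.12 sweeps Telnet across 25 hosts in under a minute: scanner behaviour.
    [Flow(1000 + i, "10.0.50.12", f"203.0.113.{i + 1}", 23, "syn") for i in range(20)]
    + [Flow(1020 + i, "10.0.50.12", f"203.0.113.{50 + i}", 2323, "syn") for i in range(5)]
    # The same device accepts inbound sessions on two high ports from outside: proxy use.
    + [Flow(1100, "198.51.100.7", "10.0.50.12", 45102, "est"),
       Flow(1130, "198.51.100.9", "10.0.50.12", 58871, "est"),
       Flow(1131, "198.51.100.9", "10.0.50.12", 45102, "est")]
    # A healthy camera: periodic HTTPS to its vendor cloud, one management session from inside.
    + [Flow(1000 + 30 * i, "10.0.50.13", "192.0.2.10", 443, "est") for i in range(4)]
    + [Flow(1200, "10.0.50.1", "10.0.50.13", 80, "est")]
)

IOT_HOSTS: Set[str] = {"10.0.50.12", "10.0.50.13"}          # assumed IoT segment members
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]         # assumed internal range
TELNET_PORTS = {23, 2323}

# Constructed `iptables -S` output from a hypothetical infected DVR.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 45102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 58871 -j ACCEPT
"""
_RULE = re.compile(r"^-A INPUT .*--dport (\d+) -j (ACCEPT|DROP)$")


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_telnet_scanners(flows, threshold: int = 20, window: int = 60) -> Dict[str, int]:
    """Hosts contacting >= threshold distinct addresses on 23/2323 within any `window` seconds.

    Returns {source: peak distinct destinations}. An IoT camera has no reason to initiate
    Telnet at all, so a much lower threshold is reasonable for members of IOT_HOSTS.
    """
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS:
            by_src[f.src].append(f)
    hits: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak, start = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:   # slide the window forward
                start += 1
            peak = max(peak, len({f.dst for f in fl[start:end + 1]}))
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_proxy_listeners(flows, iot_hosts: Set[str]) -> Dict[str, List[int]]:
    """IoT hosts accepting established sessions on high ports from outside the network.

    OMG picks its HTTP/SOCKS ports at random, so the port number itself is not a signature;
    the combination (IoT host, inbound, external peer, port >= 1024) is. Returns {host: ports}.
    """
    ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        if f.state == "est" and f.dst in iot_hosts and f.dport >= 1024 and not _is_internal(f.src):
            ports[f.dst].add(f.dport)
    return {h: sorted(p) for h, p in ports.items()}


def audit_iptables(dump: str, expected_open: Set[int] = frozenset({80, 443, 554})) -> List[str]:
    """Findings from an `iptables -S` dump: high ports opened, remote-admin ports dropped."""
    findings: List[str] = []
    for line in dump.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        port, target = int(m.group(1)), m.group(2)
        if target == "ACCEPT" and port >= 1024 and port not in expected_open:
            findings.append(f"unexpected ACCEPT on high port {port}")
        elif target == "DROP" and port in (22, 23):
            findings.append(f"remote admin port {port} dropped (rival lock-out)")
    return findings


if __name__ == "__main__":
    print("scanners:", detect_telnet_scanners(SAMPLE_FLOWS))
    print("proxy listeners:", detect_proxy_listeners(SAMPLE_FLOWS, IOT_HOSTS))
    for finding in audit_iptables(SAMPLE_IPTABLES):
        print("iptables:", finding)
```

On real telemetry, feed `detect_telnet_scanners` and `detect_proxy_listeners` from flow exports (NetFlow/Zeek `conn.log`) for the IoT VLAN, and run `audit_iptables` against a dump pulled over the device's management channel; a device whose firewall carries rules its firmware never writes is worth isolating before any hash lookup.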
## Mitigation Strategies
- **Prevention measures:** Change all default credentials on IoT devices immediately upon deployment.
- **Hardening recommendations:**
- Disable Telnet and SSH services if they are not strictly required for operation.
- Place IoT devices behind a dedicated firewall or on a segmented VLAN.
- Implement egress filtering to prevent devices from initiating outbound connections to arbitrary IP addresses.
## Related Tools/Techniques
- **Mirai:** The original source code from which OMG is derived.
- **3Proxy:** The legitimate open-source tool repurposed by the malware for proxying.
- **Satori / Okiru:** Other prominent Mirai variants that appeared in the same period (late 2017 to early 2018) and likewise extended the leaked Mirai source with new capabilities.