Mirai malware temporarily had a bitcoin mining add-on on board

IBM security researchers have discovered a variant of the Mirai malware that temporarily included a bitcoin mining add-on. The phenomenon lasted about a week, after which the new variant disappeared from the radar again.

According to the researchers, the activity began in late March and lasted a total of eight days. The malware targeted Linux devices that have BusyBox on board. This could include IoT devices such as digital video recorders, which were also targeted by the original Mirai malware. The current version was based on an earlier Windows version of Mirai, which introduced sql injection and brute force attacks features.

However, a new feature was an add-on for mining bitcoins. The question this addition raises is whether IoT devices are able to perform this task effectively, as they require significant CPU and GPU performance. This question has not been answered by the researchers, but they argue that Mirai was created to infect thousands of devices, raising the possibility that the botnet could work together to be effective.

For example, mining mode could be enabled when the device is not performing other tasks. Normally, the Mirai botnet is used to carry out large DDOs attacks, such as on dns provider Dyn in October. After the source code of the malware came online, several variants of Mirai appeared. The short-lived activity as a bitcoin miner is not explained by the researchers, but gives the impression of a short test or a disappointing experiment.