We first detailed a new Mirai variant called Miori in a report late last year, after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared with a notable difference in how it communicates with its command-and-control (C&C) server: instead of the usual binary-based protocol, this Miori variant uses a text-based protocol to talk to its C&C.
Miori’s unique protocol
Typical Mirai variants communicate with their respective C&C servers using a binary-based protocol. In that setup, the C&C server greets any incoming connection with a login prompt for the console the attacker uses: it assumes that whoever connects is the attacker trying to access the console, so it asks for a username and password.
This is not the case for this new Miori variant. When we tried to connect to its C&C server, instead of the usual login prompt it displayed a message (seen in Figure 2) and terminated the connection at the same time. The message is addressed to researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods.
Source: Trend Micro