The IoT botnet, Mirai has continually evolved since its source code was made publically available in 2017. A threat report published by Avira Protection Labs depicts this continuous evolution by highlighting how newer versions of Mirai are easily available — can be sold, bought, or sourced through YouTube channels, enabling amateur threat actors to develop malicious botnet. This increased the number of attacks. Furthermore, Katana is equipped with several classic features of the parent Botnet, Mirai, including running a single instance, a random process name. It also can edit and manipulate the watchdog to stop the system from restarting.
What is Mirai and how does it work?
Mirai is a malicious program that replicates itself and therefore is also known as a 'self-propagating' worm. It does so by searching and infecting vulnerable IoT devices. Altogether, Mirai is constructed upon two modules; one being a replication module and the other one being an attack module. As the affected devices are managed and directed by a central set of command and control (C&C) servers, it is also regarded as a botnet.
In one of their recent campaigns, attackers were seen downloading Sora, a variant of Mirai, from their server against vBulletin pre-auth RCE vulnerability. In another incident, a hacker was observed adopting Mirai source code to launch his variant of the malware named Scarface and Demon, which later were used to target YARN exploit and DVR exploit.
While giving insights on the matter, Alexander Vukcevic, Director of Avira Protection Labs, told, "Katana contains several features of Mirai. These include running a single instance, a random process name, editing the watchdog to prevent the device from restarting, and DDoS commands,"
"The problem with new Mirai variants like Katana is that they are offered on the DarkNet or via regular sites like YouTube, allowing inexperienced cybercriminals to create their botnets."