Windows Mirai

The Windows Mirai trojan was discovered in February 2017 and is used to help the Mirai botnet spread to even more devices. The Mirai botnet was built by infecting a device, selecting a random IP address, and then attempting to log in via a list of default admin credentials; however, Mirai's self-propagation only worked on Linux operating systems. The Windows Mirai trojan assists cybercriminals in launching password-guessing attacks from Microsoft Windows devices. It infects a device and then contacts an online C2 server to download a list of IP addresses. The trojan attempts to log into the devices at those addresses via a series of ports, including:

  • 22 – SSH
  • 23 – Telnet
  • 135 – DCE/RPC
  • 445 – Active Directory
  • 1433 – MSSQL
  • 3306 – MySQL
  • 3389 – RDP

When the Windows Mirai trojan reaches a device, if the underlying platform runs Linux, it executes commands to add the device as a new Mirai bot. When the trojan spreads to a new Windows device, it copies itself onto it and continues to target new devices. When it infects a database, it creates a new user with admin privileges, which attackers can use to steal data from infected devices.
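Because the trojan turns a Windows host into a source of password-guessing attempts against many addresses on a fixed set of service ports, its activity can be spotted from outbound-connection logs as one source fanning out to many destinations on those ports. The detector below is an added example, not code from the page or from Dr.Web; the log format and the sample log lines are constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict

# Ports the Windows Mirai trojan is reported to probe (from the list above).
MIRAI_PROBE_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}

# Constructed sample outbound-connection log lines (not real data) in the form:
# "<time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
10:00:01 src=10.0.0.5 dst=203.0.113.10 dport=23 action=deny
10:00:02 src=10.0.0.5 dst=203.0.113.11 dport=22 action=deny
10:00:02 src=10.0.0.5 dst=203.0.113.12 dport=3389 action=allow
10:00:03 src=10.0.0.5 dst=203.0.113.13 dport=1433 action=deny
10:00:03 src=10.0.0.5 dst=203.0.113.14 dport=445 action=deny
10:00:04 src=10.0.0.5 dst=203.0.113.15 dport=3306 action=deny
10:00:05 src=10.0.0.7 dst=10.0.0.20 dport=445 action=allow
10:00:06 src=10.0.0.7 dst=10.0.0.21 dport=3389 action=allow
10:00:07 src=10.0.0.9 dst=198.51.100.8 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_lines(text):
    """Yield (src, dst, dport) tuples from log lines matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_password_spray_sources(text, min_targets=5, min_ports=3):
    """Return {src: (distinct_targets, distinct_ports)} for sources whose
    connections to the probed ports reach at least min_targets distinct
    hosts on at least min_ports distinct ports (thresholds are assumptions)."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport in MIRAI_PROBE_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {
        src: (len(targets[src]), len(ports[src]))
        for src in targets
        if len(targets[src]) >= min_targets and len(ports[src]) >= min_ports
    }


if __name__ == "__main__":
    for src, (n_hosts, n_ports) in find_password_spray_sources(SAMPLE_LOG).items():
        print(f"{src}: {n_hosts} hosts across {n_ports} probed ports")
```

A normal file server or admin workstation (10.0.0.7 above) talks to a few hosts on a port or two, so it stays below the thresholds; only the spraying host is flagged.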

Technical Details

Dr.Web provides technical details on the Windows Mirai trojan.