Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices: smart signage TVs and wireless presentation systems.

This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks spotted earlier this year.

The botnet's author(s) appear to have invested quite a lot of time in upgrading older versions of the Mirai malware with new exploits.

Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment.

Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials, which the malware uses to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today.

The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices.

The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems.

Typically, Mirai botnets have targeted routers, modems, security cameras, and DVRs/NVRs. On some very rare occasions, Mirai malware has ended up on smart TVs, smartphones, and some enterprise Linux and Apache Struts servers, but these are rare events.

However, according to Palo Alto Networks researchers, this new Mirai botnet they spotted this year is intentionally targeting two new device types using specially crafted exploits, namely LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.

Both of the exploits they're using have been available online for months [1, 2], but this is the first time these exploits have been weaponized.

Palo Alto Networks' report detailing this new botnet comes just two days after security researcher Troy Mursch of Bad Packets highlighted a noticeable uptick in Mirai activity.

Mirai-like detections continue an upward trend over the last 60 days. Largest spike of activity happened in the last two weeks. @circl_lu has shared a similar observation.

Will botnets infected with Mirai-like #malware ever go away? pic.twitter.com/MVMBHNa5lV — Bad Packets Report (@bad_packets) March 16, 2019

Mirai-like #malware infections last 365 days by port targeted: https://t.co/jJ77DcDOO3

Top 10 ports/services targeted:
23/tcp – Telnet
5555/tcp – ADB
2323/tcp – Telnet
80/tcp – HTTP
22/tcp – SSH
8080/tcp – HTTP
81/tcp – HTTP
37215/tcp – Huawei
8000/tcp – HTTP
8081/tcp – HTTP
pic.twitter.com/kRhegcl8na — Bad Packets Report (@bad_packets) March 17, 2019
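
From the defender's side, the scanning behaviour described in this article shows up as a single source touching many distinct hosts on the ports listed in the tweet above within a short window. The following is an added example, not code from Palo Alto Networks, Bad Packets or the original article; the log format, addresses, `find_scanners` name and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Top 10 ports/services from the Bad Packets tweet quoted on this page.
MIRAI_PORTS = {23, 5555, 2323, 80, 22, 8080, 81, 37215, 8000, 8081}

# Constructed sample data using documentation address ranges.
# Assumed (hypothetical) format: <epoch> <src> <dst> <dport> <proto> <action>
SAMPLE_LOG = """\
1552800000 203.0.113.7 192.0.2.10 23 tcp deny
1552800002 203.0.113.7 192.0.2.11 23 tcp deny
1552800003 203.0.113.7 192.0.2.12 2323 tcp deny
1552800005 203.0.113.7 192.0.2.13 5555 tcp deny
1552800006 203.0.113.7 192.0.2.14 37215 tcp deny
1552800010 198.51.100.20 192.0.2.10 80 tcp allow
1552800400 198.51.100.20 192.0.2.10 80 tcp allow
1552800020 198.51.100.30 192.0.2.10 23 tcp deny
1552803700 198.51.100.30 192.0.2.11 23 tcp deny
1552807400 198.51.100.30 192.0.2.12 23 tcp deny
1552811100 198.51.100.30 192.0.2.13 23 tcp deny
1552800030 198.51.100.40 192.0.2.10 443 tcp allow
garbled line here
"""

def parse(line):
    """Return (ts, src, dst, dport) for a TCP record, or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 6 or parts[4].lower() != "tcp":
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_scanners(log_text, window=60, min_targets=4):
    """Map each source that probed >= min_targets distinct hosts on Mirai-targeted
    ports within `window` seconds to the sorted list of those ports it probed."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[3] in MIRAI_PORTS:
            events[rec[1]].append((rec[0], rec[2], rec[3]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            if len({dst for _, dst, _ in evs[start:end + 1]}) >= min_targets:
                flagged[src] = sorted({port for _, _, port in evs})
                break
    return flagged
```

The slow source 198.51.100.30 is missed at the default 60-second window, which is why a second pass with a much longer window is worth running against low-and-slow scanners.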
