We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses a text-based protocol to communicate with its C&C.
Miori’s unique protocol
Typical Mirai variants communicate with their respective C&Cs using a binary-based protocol. In that scenario, the C&C server presents a login prompt that gates access to the console the attacker uses. Because the server assumes that anyone who connects to it is the attacker trying to reach the console, it greets every connection with a prompt for a username and password, as seen in Figure 1.