A malicious botnet called Mirai, which last year took down a huge swathe of the web in the US using the power of enslaved Internet-of-Things (IoT) devices, is evolving to the point it may soon be able to take over devices and use that networking power to mine bitcoins.
Threat researchers at IBM's "X-Force" division have uncovered a new variant of the notorious bot network that has an in-built component that mines for cryptocurrency. It was reportedly launched a short-lived, but highly worrying, eight-day campaign last month.
"The activity was barely a blip on the screen on 20 March, but then reached a 50% increase in volume just four days later," revealed IBM threat researchers Dave McMillen and Michelle Alvarez in a joint blog post published on 10 April (Monday).
"The new [Mirai] malware variant we discovered included another add-on: a bitcoin miner slave," the pair continued, adding: "This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins.
"Given Mirai's power to infect thousands of machines at a time there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven't yet determined that capability, but we found it to be an interesting yet concerning possibility.
"It's possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode." For security experts and general web users alike it's an unsettling development about the malware previously used as a massive cybercrime tool.
The previous method of attack was different, with Mirai's programmers coding ways to exploit web-connected devices such as webcams and internet routers to help launch distributed-denial-of-service (DDoS) attacks, which can take websites offline with ease.
Victims last year included Reddit, Spotify and Twitter. In November 2016, a version of Mirai successfully targeted nearly one million Deutsche Telekom routers. It went on to hit governments, telecommunications giants and media websites after its source code was published online.
"This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering," the researchers continued. "We know that as we move toward becoming a cashless society, there may be more incentive to mine for or purchase bitcoins.
"If the weaponisation of IoT devices into DDoS botnets is the latest malicious trend, then turning them into bitcoin miners may be just around the corner." In an advisory detailing the latest wave of attacks, X-Force said the latest campaign was recorded in North America and Japan.
It stated: "This malware is designed to scan for devices running Telnet services and attempt to compromise them. Infected nodes are then used to perform further attacks. [Mirai] is targeting DVR (dvrHelper), WebIP Cameras on busybox and other busybox powered Linux IoT boxes."