Reverse Engineering ARM based Mirai Botnet

Author

Uriel Kosayev
Uriel Kosayev is a cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response.

Welcome to a deep dive into a real-world incident response case involving an ARM-based Mirai botnet sample. In this blog post, I’ll walk you through my methodology and insights gained when uncovering how this notorious piece of malware operates. I hope to not only equip you with technical knowledge but also inspire you to strive for continued excellence and mastery in the cybersecurity field.

Introduction: The Power of Mirai Botnets

Mirai and its many descendants have been around since the 2016 source-code leak, enslaving IoT devices, routers, DVRs, and Linux servers to build large networks of “zombie” machines. Those machines are then used to launch Distributed Denial of Service (DDoS) attacks and, in some variants, to drop additional payloads and backdoors. One of my incident response engagements showed how threat actors target publicly exposed devices, typically through unpatched CVEs or default credentials, to gain entry and infect systems at scale.

Understanding the Sample: Initial Observations

In this particular case, the sample was a Mirai build compiled for ARM. Antivirus engines labeled it “Mirai”, consistent with the public documentation, sandbox reports, and community threat intelligence I compared it against. Mirai’s build system cross-compiles the same source for many architectures (ARM, MIPS, x86, PowerPC, SH4, SPARC and more), which is what makes it so adaptable and widespread.

Key characteristics noted:

  • Persistence: the sample added cron entries and dropped files under innocuous names (for example a .viminfo, the name of Vim’s history file) so that it would be restarted even if it was discovered and only partially removed.
  • High-entropy data: the ELF binary was UPX-packed. Packing compresses the code and strings, which both obscures them from a casual look and drives the file’s byte entropy close to that of random data.
  • Network communication: the sample made GET and POST requests to several servers, likely its command-and-control (C2) or payload-distribution infrastructure.

Unpacking the Malware

Using tools like HxD, Detect It Easy, and UPX, I unpacked the ELF binary, which revealed strings and functions hidden under the compressed data. These strings included references to commands, remote servers, typical Mirai features like “busybox,” and a suspicious user agent “rootsec-ownview.”

Why UPX Packing Matters

UPX (Ultimate Packer for eXecutables) is widely used by both legitimate and malicious software to reduce file size, and in malware it doubles as cheap obfuscation: strings and code sit compressed on disk and are only restored in memory at run time. A stock UPX file can be restored with `upx -d`, but malware authors commonly strip or corrupt the UPX markers and headers so that the tool refuses to unpack; in that case you repair the headers by hand or dump the unpacked image from the running process. This step is crucial for any reverse engineering or threat hunting process: always check whether the file is packed and unpack it before deeper static analysis, otherwise your string and function lists describe the packer stub rather than the malware.
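The triage pass described above, as an added example that is not the author’s tooling: it reads the ELF identification bytes, looks for the stock UPX marker, and measures byte entropy, so that a marker-less but high-entropy file is reported as “packed, headers stripped” instead of being mistaken for clean code. The three sample blobs are constructed in-line (a minimal ELF32 ARM header plus a uniform byte pattern standing in for compressed data); they are not the real binary. The `try_upx_decompress` helper shells out to the real `upx` tool only if it is installed.

```python
# Added example: triage an ELF for packing before static analysis.
# Not the author's tooling; the "samples" below are constructed in-line, not the real binary.
import math
import shutil
import struct
import subprocess

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"   # stock UPX writes this magic in its l_info header and file trailer
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def elf_info(data: bytes) -> dict:
    """Class, byte order and machine from the ELF identification bytes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2           # EI_CLASS: 1 = ELF32, 2 = ELF64
    little = data[5] == 1         # EI_DATA:  1 = little endian, 2 = big endian
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64 headers
    (machine,) = struct.unpack_from(("<" if little else ">") + "H", data, 18)
    return {"class": 64 if is64 else 32, "little_endian": little,
            "machine": EM_NAMES.get(machine, hex(machine))}


def packing_report(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine the three checks a triage pass needs: ELF header, UPX marker, entropy."""
    report = elf_info(data)
    ent = shannon_entropy(data)
    marker = UPX_MARKER in data
    if marker:
        verdict = "upx"             # stock headers intact: `upx -d` should work
    elif ent >= entropy_threshold:
        verdict = "packed-unknown"  # compressed body but no marker: headers stripped or another packer
    else:
        verdict = "unpacked"
    report.update(entropy=round(ent, 2), upx_marker=marker, verdict=verdict)
    return report


def try_upx_decompress(path: str, out_path: str):
    """Run the real upx tool if installed; returns (ok, message). Fails on modified headers."""
    upx = shutil.which("upx")
    if upx is None:
        return False, "upx not installed"
    proc = subprocess.run([upx, "-d", "-o", out_path, path], capture_output=True, text=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def _fake_elf32_arm_header() -> bytes:
    """A minimal 52-byte ELF32 little-endian ARM header (constructed for the demo)."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)              # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    return ident + struct.pack("<HH", 2, 0x28) + bytes(52 - 20)  # ET_EXEC, EM_ARM, rest zeroed


# Constructed inputs: a uniform byte pattern stands in for compressed data (entropy -> 8.0).
COMPRESSED_BODY = bytes(range(256)) * 8
PACKED_SAMPLE = _fake_elf32_arm_header() + UPX_MARKER + COMPRESSED_BODY   # stock UPX
STRIPPED_SAMPLE = _fake_elf32_arm_header() + COMPRESSED_BODY              # marker removed by the author
PLAIN_SAMPLE = _fake_elf32_arm_header() + b"/bin/busybox\x00" * 200        # unpacked: readable strings

if __name__ == "__main__":
    for name, blob in [("packed", PACKED_SAMPLE), ("stripped", STRIPPED_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(name, packing_report(blob))
```

Run it on a real file with `packing_report(open(path, "rb").read())`. The entropy threshold of 7.0 bits per byte is a heuristic: a large unpacked binary with embedded compressed resources can exceed it, so treat “packed-unknown” as a prompt to look at section sizes and the entry point, not as a final verdict.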


Digging into the Code

After unpacking, I used static and dynamic analysis to identify how the code orchestrates system commands on the infected device. Several interesting findings emerged:

  1. Shell Commands via SHC
    It appears the attackers compiled a shell script into an ELF binary, most likely with a tool such as SHC, which wraps the script in a small C program that decrypts it at run time and hands it to the shell. The ELF is therefore only a launcher: the commands it runs (iptables, systemctl and so on) are spawned as ordinary shell commands, which is also why a plain signature on the script text no longer matches the file on disk.
  2. Syscall Usage (SVC in ARM)
    In ARM, the SVC (Supervisor Call, formerly SWI) instruction plays the role of `syscall` on x86-64 or `int 0x80` on 32-bit x86: it traps into the kernel. Under the ARM EABI the syscall number is placed in r7 and the arguments in r0 to r5 before `svc 0`; older OABI code encodes the number in the SVC immediate instead. Walking the subroutines in IDA, we saw SVC used repeatedly to invoke kernel services directly. That is expected: Mirai builds are typically linked statically against uClibc, so there is no libc import table to read, and the syscall sites (socket, connect, fork, execve of /bin/sh for its commands) are the quickest map of what the binary does.
  3. Memory Management
    Reading the ELF sections and analyzing them in IDA, I spotted multiple code blocks that allocate buffers, copy command strings into them, and keep them around for reuse. This is consistent with Mirai’s known string table: the original source keeps its strings XOR-obfuscated and decodes each entry only while it is in use, so a plain `strings` run on the unpacked file still misses part of the picture.
  4. Persistence Techniques
    • Cron Jobs: A typical crontab insertion ensures the script is run periodically.
    • .viminfo: less obvious is a file named .viminfo, a name that normally belongs to Vim’s history file, used to hide the payload in a home directory where a hidden dotfile draws little attention. Nothing executes .viminfo on its own, so the launcher is still the cron entry (or a startup script) that invokes it. During response, remove both, and verify that the dotfile really is Vim history (plain text starting with a comment header) rather than an ELF or a shell script.

Lessons Learned: Elevating Your Cybersecurity Knowledge

  1. Always Validate Binary States
    Check for packing, such as UPX, to ensure you’re seeing the true code.
  2. Look for Novel Persistence Mechanisms
    Attackers are creative. Move beyond known cron jobs or services—files like .viminfo show that threat actors constantly evolve.
  3. Go Beyond Signature-Based Detection
    Many enterprise-grade solutions failed to detect this sample. A multi-layered security posture and vigilant monitoring of network behavior are essential.
  4. Cultivate Reverse Engineering Skills
    By examining assembly instructions (be it ARM SVC or x86 syscall), you gain the power to reveal hidden malware logic that signature-based scanners often miss.
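Lesson 2 in working form, as an added example that is not the author’s incident-response tooling: a persistence triage for the cron-plus-hidden-dotfile pattern found in this case. It flags crontab lines that fire every minute or at boot, or that reference hidden dotfiles or temporary directories, then classifies what each referenced file really is, so that a `.viminfo` containing an ELF header is reported as a launcher target while a genuine Vim history file is left alone. The crontab text and file contents are constructed for the demo and are not the real artifacts.

```python
# Added example: a small persistence triage for the cron + hidden-dotfile pattern described above.
# Not the author's IR tooling; the crontab and file contents below are constructed, not from the real case.
import re

VIMINFO_HEADER = b"# This viminfo file was generated by Vim"   # how a genuine ~/.viminfo begins
PATH_RE = re.compile(r"(?:/[\w.\-]+)+")                         # absolute paths inside a cron command
IGNORED_PATHS = {"/dev/null"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_file(data: bytes) -> str:
    """Say what a file really is, regardless of its name."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(VIMINFO_HEADER):
        return "vim-history"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def suspicious_cron_entries(crontab_text: str) -> list:
    """Flag cron lines that run every minute or at boot, or that point at hidden/temp paths."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split()
        reasons = []
        if fields[0] == "@reboot":
            reasons.append("runs at boot")
            cmd = " ".join(fields[1:])
        else:
            if fields[:5] == ["*"] * 5:
                reasons.append("runs every minute")
            cmd = " ".join(fields[5:])
        paths = [p for p in PATH_RE.findall(cmd) if p not in IGNORED_PATHS]
        for p in paths:
            if "/." in p:
                reasons.append(f"hidden dotfile {p}")
            if p.startswith(TEMP_DIRS):
                reasons.append(f"temp path {p}")
        if reasons:
            findings.append({"line": lineno, "cmd": cmd, "paths": paths, "reasons": reasons})
    return findings


def triage(crontab_text: str, files: dict) -> list:
    """Join cron findings with the content class of each referenced file (files: path -> bytes)."""
    out = []
    for finding in suspicious_cron_entries(crontab_text):
        kinds = {p: (classify_file(files[p]) if p in files else "missing") for p in finding["paths"]}
        launcher = any(k in ("elf", "script") and "/." in p for p, k in kinds.items())
        finding["kinds"] = kinds
        finding["verdict"] = "malicious-launcher" if launcher else "review"
        out.append(finding)
    return out


# Constructed crontab and file contents (not the real artifacts from the case).
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /root/.viminfo >/dev/null 2>&1
@reboot sh /tmp/.x/run.sh >/dev/null 2>&1
"""
FILES = {
    "/root/.viminfo": b"\x7fELF\x01\x01\x01" + bytes(9) + b"\x02\x00\x28\x00",  # an ELF hiding under Vim's name
    "/home/dev/.viminfo": VIMINFO_HEADER + b" 9.0.\n",                         # genuine history file, untouched
    "/tmp/.x/run.sh": b"#!/bin/sh\n/tmp/.x/bot &\n",
}

if __name__ == "__main__":
    for f in triage(CRONTAB, FILES):
        print(f["line"], f["verdict"], f["reasons"], f["kinds"])
```

On a live box, build `files` by reading the paths the cron findings name (and check `/etc/cron.d`, `/etc/crontab` and every user’s crontab, not just root’s); the same classifier is worth running over every dotfile in home directories even when cron does not reference it, since a startup script such as `.profile` can be the launcher instead.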

Final Thoughts: A Call to Continuous Mastery

Unpacking an ARM-based Mirai sample exemplifies the thrill and challenge of modern cybersecurity work. As IoT devices and Linux-based systems become more ubiquitous in enterprise networks, staying on top of evolving threats is essential. Take this as your motivation to keep refining your reverse engineering, malware analysis, and forensics capabilities. By continually honing these skills and persisting in the face of complexity, you not only protect organizations—you also become a leading figure in the future of cybersecurity.

Remember, every threat disarmed is a chance to reinforce your expertise. Whether you’re a seasoned professional or an aspiring researcher, let this exploration of Mirai fuel your determination. Strive to push boundaries, innovate new defense strategies, and carry forward a commitment to unwavering cybersecurity excellence.

Stay curious, stay vigilant, and keep pushing the limits of what’s possible. Together, we can outsmart adversaries and shape a safer digital world.


