
Vendor News

Exploring Modifications in New Mirai Botnet Clones

21 November 2022

Malware authors use encryption to hide valuable content from analysts and automated detection tools. That is why Nozomi Networks researchers constantly monitor the malware samples collected by our Internet of Things (IoT) honeypots for new or modified variants.

During a recent analysis of collected samples, we discovered a Mirai-based variant that uses a new decryption function, named xor_init. When malware authors obfuscate strings and configuration data to hide them from analysts and automated tools, the exclusive OR (XOR) operation is the bitwise operation they reach for most often: it is cheap and self-inverse, so applying the same key a second time restores the original bytes. What sets this function apart is that it decrypts its data once at start-up and never re-encrypts it, so potential indicators of compromise remain in cleartext in the bot's memory well after the attack has begun. (The original Mirai source, by contrast, unlocks a configuration entry immediately before use and locks it again afterwards.) From the malware author's point of view this is a downgrade compared to normally stealthy malware; for network defenders and incident responders it makes the attack easier to trace, because the indicators can be read directly from a memory capture.
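The following C program is an added example, not Nozomi Networks' code and not the xor_init routine from the analysed sample. It models the two designs described above over one constructed configuration entry: a one-shot decrypt at start-up that is never reversed (the behaviour attributed to the new variant) next to the unlock-before-use, lock-after-use pattern of the original Mirai table code. The single-byte key, the plaintext "cnc.example" and the encrypted bytes are constructed for the example; the memory scan stands in for what a responder's memory dump or strings run would do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Original Mirai's table code XORs each byte with the four bytes of a
 * 32-bit key in turn. Four successive XORs collapse to a single byte,
 * which is why a 4-byte "key" offers no more than a 1-byte one. */
uint8_t effective_key(uint32_t key)
{
    uint8_t k1 = key & 0xff, k2 = (key >> 8) & 0xff,
            k3 = (key >> 16) & 0xff, k4 = (key >> 24) & 0xff;
    return k1 ^ k2 ^ k3 ^ k4;
}

/* XOR is self-inverse: the same call encrypts and decrypts. */
static void xor_buf(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

#define ENTRY_LEN 11
static const char PLAINTEXT[] = "cnc.example";   /* constructed indicator */
static const uint8_t KEY = 0x22;                 /* constructed key */
/* PLAINTEXT XOR 0x22, as it would sit in the binary's data section. */
static const uint8_t ENCRYPTED[ENTRY_LEN] = {
    0x41, 0x4c, 0x41, 0x0c, 0x47, 0x5a, 0x43, 0x4f, 0x52, 0x4e, 0x47
};

/* Simulated region of the bot's process memory holding the table. */
struct bot_image {
    uint8_t table[ENTRY_LEN];
    uint8_t key;
};

static void load_image(struct bot_image *img)
{
    memcpy(img->table, ENCRYPTED, ENTRY_LEN);
    img->key = KEY;
}

/* Model A: one-shot start-up decryption, nothing ever re-encrypts. */
static void xor_init_once(struct bot_image *img)
{
    xor_buf(img->table, ENTRY_LEN, img->key);
}

/* Model B: original Mirai style, unlock around each use and lock again. */
static void table_unlock(struct bot_image *img) { xor_buf(img->table, ENTRY_LEN, img->key); }
static void table_lock(struct bot_image *img)   { xor_buf(img->table, ENTRY_LEN, img->key); }

/* The bot "uses" the entry by copying it out, e.g. before a connect(). */
static void use_entry(const struct bot_image *img, char *out)
{
    memcpy(out, img->table, ENTRY_LEN);
    out[ENTRY_LEN] = '\0';
}

/* What a responder does with a memory capture: look for the indicator. */
int memory_contains(const uint8_t *mem, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(mem + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the indicator is still in cleartext after init and use. */
int cleartext_after_xor_init(void)
{
    struct bot_image img;
    char c2[ENTRY_LEN + 1];
    load_image(&img);
    xor_init_once(&img);
    use_entry(&img, c2);
    /* ... hours into the attack the table is unchanged ... */
    return memory_contains(img.table, ENTRY_LEN, PLAINTEXT);
}

/* Same question for the unlock/lock pattern. */
int cleartext_after_lock_unlock(void)
{
    struct bot_image img;
    char c2[ENTRY_LEN + 1];
    load_image(&img);
    table_unlock(&img);
    use_entry(&img, c2);
    table_lock(&img);
    return memory_contains(img.table, ENTRY_LEN, PLAINTEXT);
}

int main(void)
{
    printf("effective key for 0xdeadbeef: 0x%02x\n", effective_key(0xdeadbeefu));
    printf("indicator visible after xor_init-style init: %d\n", cleartext_after_xor_init());
    printf("indicator visible after unlock/use/lock:      %d\n", cleartext_after_lock_unlock());
    return 0;
}
```

The scan only inspects the table itself; the transient copy the bot makes in use_entry lives on the stack and would be overwritten by later calls, which is exactly the window the lock-after-use pattern tries to keep small. With a one-shot xor_init there is no such window: the decrypted table persists for the lifetime of the process, so a memory dump taken at any point after start-up yields the indicator without any key recovery.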