Anti-Malware , DDoS , Technology

Mirai Malware Hacker Pleads Guilty in German Court

British 'Spiderman' May Also Be GovRAT Cyber Espionage Malware Author
Mirai Malware Hacker Pleads Guilty in German Court
"Daniel K." admitted disrupting 1.25 million Deutsche Telekom routers. (Photo: Herr Olsen, via Flickr/CC)

A British man named by authorities as "Daniel K." pleaded guilty in German court on Friday to infecting 1.25 million German routers with Mirai malware and causing €2 million ($2.33 million) in damage.

The 29-year-old suspect was arrested on February 22 at a London-area airport by Britain's National Crime Agency at the request of the Federal Criminal Police Office of Germany, aka the Bundeskriminalamt or BKA (see British Cops Bust Suspected German ISP Mirai Botnet Hacker). One month later, he was transferred to Germany.

Appearing Friday at a court in Cologne, Daniel K. pleaded guilty to launching attacks designed to infect devices with Mirai malware for the purpose of selling distributed denial-of-service attacks - aka stresser/booter services - to others, German newspaper Augsburge Allgemeine reports.

"The aim of the attack wave was to take over the routers and integrate them into a botnet operated by the accused," the BKA said. "Access to the botnet was allegedly offered by the accused via the darknet for multiple attack scenarios, such as so-called DDoS attacks."

The suspect, who admitted to using the online names "Peter Parker" and "Spiderman," said he offered DDoS attacks on demand, according to news reports. For example, he reportedly claimed in court that a telecommunications provider in the West African country of Liberia had paid him $10,000 to wage a DDoS attack against one of its competitors.

At the time of his arrest, the BKA said the suspect faced between 6 months and 10 years in prison. He's due to be sentenced later this month.

The BKA says its investigation involved close cooperation between German, British and Cypriot law enforcement agencies, backed by the EU's law enforcement intelligence agency, Europol, as well as Eurojust, which is the EU agency devoted to judicial cooperation in criminal matters.

Mirai Botnets Launch DDoS Attacks

The Mirai malware used by Daniel K. is designed to target default and hard-coded credentials in dozens of types of IoT devices - ranging from surveillance cameras and baby monitors to routers and digital video recorders and routers - to inject commands. Once compromised, the devices can be used to launch DDoS attacks.

The emergence of Mirai last year led to recalls of some IoT devices and internet service providers blacklisting some types of devices. In the case of Singaporian ISP Starhub, the provider even dispatched technical support personnel to help identify and replace subscribers' affected devices, whether ISP-issued or not.

The source code for the malware was leaked, apparently by its developer, in September 2016. In short order, multiple criminal groups or actors began using the malware, security researchers say.

The Mirai source code targets hardcoded and default access credentials for many different types of IoT devices and components.

Deutsche Telekom Disrupted

Around Nov. 27, 2016, Deutsche Telekom reported that at least 900,000 of its customers had their routers disrupted, resulting in disruptions not just to internet connections, but also internet-connected telephony and television services.

Other internet service providers in Europe - including in Ireland and Poland - also reported that subscribers were affected by Mirai-related attacks.

But Deutsche Telekom devices don't appear to have been infected with Mirai - merely disrupted by infection attempts.

In the aftermath of the attack, Craig Young, a security researcher with the Vulnerability and Exposures Research Team at security firm Tripwire, reported in a blog post that the Deutsche Telekom attack didn't appear to have compromised the ISP's SpeedPort W921v routers. Instead, the routers appeared to have been "overwhelmed by the scanning activities" of external, Mirai-infected devices that began scanning the ISP's network, he said.

Young said he ran a networking tool - netcat - and listened on the port that was being targeted by this malware strain and was targeted with a related attack payload within 90 seconds. "The payload was clearly designed to exploit a command injection flaw," he said.

Young said his analysis of the payload file revealed "some potential indicators of compromise" in the form of domain names referenced by the malware, for example, to download additional exploits. Two of the domains - "securityupdates.us" and "ocalhost.host" - were registered to one "Peter Parker" based in Kiev, Ukraine, while a third domain, "timeserver.host," was registered to "spider man" at 27 Hofit Street in Tel Aviv, Israel.

Is 'Daniel K.' Also GovRAT Author?

Security researchers say that "Spiderman" or "Peter Parker" appears to be the hacker who is also known as "BestBuy," "Popopret" and "Spidr," among other handles.

While authorities have not named the man behind the Deutsche Telekom attacks in full, earlier this month, security blogger Brian Krebs published research suggesting that "BestBuy" was a British man named Daniel Kaye, and that he might also be the author of the remote-access Trojan and keylogger called GovRAT. That malware has been sold on darknet forums by a user or users with the handles BestBuy, Popopret and Spdr, apparently since 2014.

On the closed - invite-only - darknet site called "Hell Forum," a user named "bestbuy" offered version 2 GovRAT for sale in mid-2016. (Source: InfoArmor)

GovRAT has been used in multiple cyber-espionage campaigns, according to a report published last year by the security firm InfoArmor. The firm reported that the malware "has a fairly advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available network resources and connected external devices, such as USB flash drives (worm feature)."

Mid-2016 advertisement by "popopret" for the GovRAT source code, for about 3.6 bitcoins, then worth about $6,000. (Source: InfoArmor)

InfoArmor said that in mid-2016, the "primary actor" behind GovRAT began selling an updated version and using the handle "popopret."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network