The LeetHozer botnet
released on 2020-04-27 @ 03:17:29 PM
On March 26, 2020, 360 captured a suspicious sample, 11c1be44041a8e8ba05be9df336f9231. Although the samples have the word mirai in their names and most antivirus engines identify them as Mirai, their network traffic is entirely new, which got our attention.
The sample borrows some of Mirai's Reporter and Loader mechanisms, but the encryption method, the Bot program and the C2 communication protocol have all been completely redesigned.
For regular Mirai and its variants, the changes are normally fairly minor: new C2s or encryption keys, or the integration of a few new vulnerabilities, nothing dramatic.