September 22, 2023

Researchers have found a new malicious activity targeting IoT devices, using a variant of Mirai bots, called IZ1H9 that can be used in large-scale network attacks.

It was  discovered in August 2018 and has since become one of the most active Mirai variants. The latest campaign was observed in the month of April 2023, it initially spreads through HTTP, SSH and Telnet protocols.

Once installed on an IoT device, the IZ1H9 botnet client first checks the network portion of the infected device’s IP address – just like the original Mirai. The client avoids execution for a list of IP blocks, including government networks, internet providers and large tech companies.

It then makes its presence visible by printing the word ‘darknet’ to the console. The malware also contains a function that ensures the device is running only one instance of this malware. If a botnet process already exists, the botnet client will terminate the current process and start a new one.


The botnet client also contains a list of process names belonging to other Mirai variants and other botnet malware families. The malware checks the running process names on the infected host to terminate them.

The IZ1H9 variant tries to connect to a hard-coded C2 address: 193.47.61[.]75. Once connected, IZ1H9 will initialize an encrypted string table and retrieve the encrypted strings through an index.

It uses a table key during the string decryption process: 0xBAADF00D. For each encrypted character, the malware performs XOR decryption with the following bytewise operations: cipher_char ^ 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = plain_char.

According to the logic behind the XOR operation, the configuration string key equals to 0xBA ^ 0xAD ^ 0xF0 ^ 0x0D = 0xEA.


The vulnerabilities used by this threat are less complex, but this does not decrease their impact since they could still lead to remote code execution. Once the attacker gains control of a vulnerable device, they can include the newly compromised devices in their botnet. This allows them to conduct further DDoS attacks.

It is highly recommended that patches and updates are applied when possible.

This research was documented by researchers from Palo Alto Unit 42

Indicators of Compromise

  • 692a5d099e37cd94923ea2b2014d79e6e613fb061a985069736dd3d55d4330c4
  • e0b1c324298eeccd54ffc2ff48288ec51fbec44f5f82229537508785a9bda6de
  • 931800d4f84bda7c0368c915dfd27721d63ed0ce6a9bc9f13e1417d4c2fe88f3
  • 64a350a33757f6631dc375632de191967ae59c876b4718a087e299bd54f23844
  • 23190d722ba3fe97d859bd9b086ff33a14ae9aecfc8a2c3427623f93de3d3b14
  • 00b151ff78a492b5eae0c8d3c769857f171f8424cf36c3b2505f7d7889109599
  • 212b1af9fd1142d86b61956ac1198623f9017153153cfc20bfeab6a9fd44004a
  • 38406b2effd9fc37ce41ee914fda798de9c9b0e239a0cc94b1464dc2a9984fe9
  • 21185d9b7344edcd8d9c4af174e468c38cb3b061e6bd6bd64a4be9bd3fa27ff5
  • 65a46cd29dad935d067a4289445d2efb2710d44d789bf1bf0efb29f94d20e531
  • 06ef6c76e481d25aa09b3b15959d702be29c22d63bd35524766397e3d36d0d2e
  • 7bfb02c563ae266e81ba94a745ea7017f12010d5491708d748296332f26f04f5
  • 1e29f364f502b313f01f28f1ae85bf27114fae5eede6550809fe5bca58f59174
  • 193.47.61[.]75
  • 195.133.40[.]141
  • dotheneedfull[.]club
  • 163.123.143[.]126
  • 2.56.59[.]215
  • 212.192.241[.]72
  • 212.192.241[.]87
  • 31.210.20[.]100

Leave a Reply

%d bloggers like this: