{"id":783,"date":"2024-09-09T07:28:00","date_gmt":"2024-09-09T07:28:00","guid":{"rendered":"https:\/\/reversea.me\/?p=783"},"modified":"2026-04-11T05:54:38","modified_gmt":"2026-04-11T05:54:38","slug":"exploring-shifting-patterns-in-recent-iot-malware","status":"publish","type":"post","link":"https:\/\/reversea.me\/index.php\/exploring-shifting-patterns-in-recent-iot-malware\/","title":{"rendered":"Exploring Shifting Patterns in Recent IoT Malware"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 5<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p><strong>TL;DR<\/strong>: The rise of malware targeting interconnected IoT infrastructures has surged in recent years, driven by vulnerable legacy devices and inadequately protected networks. Our most recent work in this area provides a contemporary analysis of Linux-based malware for IoT systems, focusing on the years 2021-2023. Using automated static and dynamic analysis, we classify and track the evolution of malware threats. We observed increased sophistication, new malware exploits, and adaptations of traditional malware from Windows to Linux-based IoT environments. This post summarizes our recently presented paper at ECCWS 2024, <a href=\"https:\/\/papers.academic-conferences.org\/index.php\/eccws\/article\/view\/2280\">&#8220;Exploring Shifting Patterns in Recent IoT Malware&#8221;<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Malware targeting Linux-based IoT systems has become a growing concern due to the vast expansion of IoT devices worldwide, which is expected to reach 100 billion by 2025. The success and innovation driving IoT technology are marred by the serious risks posed by insecure devices and networks. 
Attackers exploit inherent vulnerabilities (such as default credentials and outdated software) of IoT devices, forming massive botnets to launch devastating attacks.<\/p>\n\n\n\n<p>Despite the well-known prevalence of botnets like Mirai, there remains a significant gap in understanding how IoT malware has recently evolved. <a href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CSCR-ECCWS-24.pdf\" data-type=\"link\" data-id=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CSCR-ECCWS-24.pdf\">In our paper<\/a>, we analyze the most recent dataset of Linux-based IoT malware to provide insights into emerging trends and evolving threats. Our automated system combines static and dynamic analysis, allowing us to correlate behavior across large numbers of samples and classify malware into related families. We found that beyond the well-known Mirai and Gafgyt families, the landscape is becoming increasingly complex, with malware authors adopting new strategies and exploits.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Contributions<\/h2>\n\n\n\n<p>Below, we highlight the key contributions of our work:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Automated Analysis Framework<\/em>: We developed a system that combines static and dynamic analysis to examine the latest Linux-based malware samples seen in the wild between 2021 and 2023. 
This allows us to establish connections between unknown samples and recognized threats.<\/li>\n\n\n\n<li><em>Characterization of IoT Malware Evolution<\/em>: Using this system, we validated recent and previously unidentified IoT malware samples, characterizing their behaviors and providing a detailed analysis of emerging trends.<\/li>\n\n\n\n<li><em>Impact of Architecture on Malware Spread<\/em>: Our analysis highlights how architecture affects malware propagation, emphasizing that even well-known malware families such as Mirai are now adapted for new architectures, increasing the challenge for cybersecurity efforts.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Insights<\/h2>\n\n\n\n<p>Our findings indicate that IoT malware is becoming more sophisticated. Malware authors are incorporating tools initially designed for Advanced Persistent Threats targeting traditional computing systems into their IoT malware arsenal. In addition, we found a rapid proliferation of new malware variants, often developed with minimal investment in infrastructure. Furthermore, traditional Windows-based malware families are now targeting Linux-based devices, blurring the lines between desktop and IoT malware ecosystems.<\/p>\n\n\n\n<p>We analyzed malware samples using both static and dynamic methods. In particular, during static analysis, we extracted metadata from malware binaries, including details such as architecture, endianness, linking type (static or dynamic), and other characteristics such as cyclomatic complexity and entropy. We employed tools such as <a href=\"https:\/\/github.com\/horsicq\/Detect-It-Easy\">Detect It Easy (DIE)<\/a> to identify whether a binary was packed and determine the type of packer used. Notably, 16.95% of the malware samples we analyzed were obfuscated, with many using UPX. We attempted to unpack them and found that over a third used custom packers that thwarted automatic unpacking. 
We also generated YARA rules to detect specific exploits embedded in the malware.<\/p>\n\n\n\n<p>For dynamic analysis, we performed behavioral analysis by running each malware sample in virtualized environments built with <code>Buildroot<\/code> for nine different architectures, including ARM, MIPS, Intel 80386, and others. We used QEMU to emulate different architectures and <code>strace<\/code> to monitor system calls made during execution. Through this analysis, we observed how the malware samples interacted with the system, including creating processes, executing commands, and accessing the file system. Around 66% of the samples we analyzed created multiple processes, with some creating over 16,000 processes. We also found significant use of evasion techniques, such as impersonating legitimate processes like &#8220;<code>sshd<\/code>&#8221; and detecting virtualized environments.<\/p>\n\n\n\n<p>Our phylogenetic analysis of malware samples focused on grouping similar behaviors observed during dynamic analysis. We used the Jaccard index to measure the similarity of execution traces and created similarity graphs for different architectures. For example, we found multiple clusters for the Mirai and Gafgyt families, indicating evolutionary traits and the development of new variants. We also identified new families such as Aenjaris and Spectre, which boast advanced features such as ransomware capabilities and IoT-specific targeting. 
Figures 1 and 2 show the similarity graphs for the different malware families, according to the underlying architecture.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-1024x537.png\" alt=\"\" class=\"wp-image-787\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-1024x537.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-300x157.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-768x403.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-1536x805.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38-1440x755.png 1440w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.38.png 1946w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 1: Graph similarity of malware families for a) MIPS\/MIPSel and b) ARM 32 bits.<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-1024x575.png\" alt=\"\" class=\"wp-image-789\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-1024x575.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-300x168.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-768x431.png 768w, 
https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-1536x863.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-2048x1150.png 2048w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.57.54-1-1440x809.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 2: Graph similarity of malware families for a) Intel 80386 [<em>yes, there is a typo that no one found. Neither the authors nor the reviewers. Damn.<\/em>] and b) x86-64.<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Exploits on the network<\/h2>\n\n\n\n<p>Our analysis revealed the use of 89 distinct exploits in the malware samples. We used YARA rules to identify exploits embedded in malware binaries and found that approximately 28.5% of the samples contained actionable exploits. These exploits primarily targeted HTTP-based protocol interfaces, with a specific focus on IoT device vulnerabilities. Interestingly, we observed that malware families such as Mirai and Gafgyt reused known exploits, while other families adopted new vulnerabilities, demonstrating a mix of traditional and evolving attack strategies. 
Exploit reuse across samples was visualized using graphical representations, with nodes representing malware samples and their respective exploits (see Figure 3).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"749\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.54.09-1.png\" alt=\"\" class=\"wp-image-786\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.54.09-1.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-17.54.09-1-300x293.png 300w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\">Figure 3: Exploits.<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusions<\/h2>\n\n\n\n<p>Our analysis provides a snapshot of the current state of IoT malware and highlights the ongoing evolution of threats. The sophistication and rapid proliferation of new malware variants present significant challenges to defending IoT environments. 
The community must adapt, with an increased focus on understanding evolving malware families and strengthening defenses, particularly against well-established exploits still present on the network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Funding Acknowledgments<\/strong><\/h2>\n\n\n\n<p>This research was supported in part by grant PID2023-151467OA-I00 (CRAPER), funded by MICIU\/AEI\/10.13039\/501100011033 and by ERDF\/EU, by grant TED2021-131115A-I00 (MIMFA), funded by MICIU\/AEI\/10.13039\/501100011033 and by the European Union NextGenerationEU\/PRTR, and the University of Zaragoza, by grant <em>Proyecto Estrat\u00e9gico Ciberseguridad EINA UNIZAR<\/em>, funded by the Spanish National Cybersecurity Institute (INCIBE) and the European Union NextGenerationEU\/PRTR, and by grant <em>Programa de Proyectos Estrat\u00e9gicos de Grupos de Investigaci\u00f3n<\/em> (refs. T21-23R), funded by the University, Industry and Innovation Department of the Aragonese Government.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"89\" src=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png\" alt=\"\" class=\"wp-image-844\" srcset=\"https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1024x89.png 1024w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-300x26.png 300w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-768x67.png 768w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1536x134.png 1536w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-2048x179.png 2048w, https:\/\/reversea.me\/wp-content\/uploads\/2025\/06\/BandaINCIBEcolor-1-1440x126.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>And that&#8217;s all, folks! 
If you want to dig deeper into our findings, feel free to check out our paper &#8220;Exploring Changing Patterns in Recent IoT Malware,&#8221; presented at <a href=\"https:\/\/www.academic-conferences.org\/conferences\/eccws\/eccws-future-and-past\/\">ECCWS 2024<\/a> this past June. Thanks for reading!<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">Declaration of Generative AI Technologies in the Writing Process<\/h4>\n\n\n\n<p>During the preparation of this post, the author used ChatGPT (GPT4-o model) to improve readability and language. After using this tool, the author reviewed and edited the content as necessary and takes full responsibility for the content of this publication.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 5<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>TL;DR: The rise of malware targeting interconnected IoT infrastructures has surged in recent years, driven by vulnerable legacy devices and inadequately protected networks. Our most recent work in this area provides a contemporary analysis of Linux-based malware for IoT systems, focusing on the years 2021-2023. 
Using automated static and dynamic analysis, we classify and track [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-783","post","type-post","status-publish","format-standard","hentry","category-uncategorized","no-featured-image"],"_links":{"self":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/comments?post=783"}],"version-history":[{"count":8,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/783\/revisions"}],"predecessor-version":[{"id":930,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/posts\/783\/revisions\/930"}],"wp:attachment":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/media?parent=783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/categories?post=783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/tags?post=783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}