Infections with Mirai variant that featured Bitcoin mining module
Infections with Mirai variant that featured Bitcoin mining module (via IBM)

For around a week at the end of March, one of the many versions of the Mirai malware was spotted delivering a Bitcoin-mining module to its infected hosts, which typically are routers, DVRs, and IP cameras.

According to the IBM X-Force team, the Bitcoin mining module was seen only between March 20 and March 27, and the group behind that specific Mirai variant stopped distribution after that date.

The reason is pretty obvious to anyone who knows how Bitcoin works. Bitcoin mining is the process of performing CPU and GPU-intensive mathematical operations. When performed on the devices Mirai is usually designed to infect, these operations can take years to complete.

Bitcoin mining feature was never deployed

The presence of the Bitcoin mining module in this Mirai variant might have been only an experiment, one that failed miserably after the operator understood he's dealing with devices that have a processing power of gaming stations from the 80s.

After the Mirai author released the malware's source code to everyone at the end of October, tens of variants popped up online. The Bitcoin mining module was seen only in one variant, and researchers said it was never used to perform any mining operations.

The Mirai variant that featured the Bitcoin mining module was designed to infect 64-bit BusyBox-based IoT devices.

IBM researchers say they've tracked this Mirai version with Bitcoin mining capabilities to a web console hosted by a Chinese-speaking user.

Mirai botnets are more profitable when used for DDoS

Mirai botnets are usually used to launch DDoS attacks or as relay points to redirect malicious traffic for other crooks. Because of the vast amounts of IoT equipment available online that can be hijacked (via Telnet brute-force attacks), Mirai botnets can be quite profitable for their owners.

If you're looking for a summary of Mirai's history, McAfee released a report last week that includes a short history of Mirai.

Currently, there's also a Mirai variant that uses Windows workstations as intermediaries for infecting IoT devices.

Last week, researchers from Radware discovered a new IoT malware variant called BrickerBot, created to permanently brick IoT devices left unsecured online.