Mirai Malware Hacker Pleads Guilty in German CourtBritish 'Spiderman' May Also Be GovRAT Cyber Espionage Malware Author
A British man named by authorities as "Daniel K." pleaded guilty in German court on Friday to infecting 1.25 million German routers with Mirai malware and causing €2 million ($2.33 million) in damage.
The 29-year-old suspect was arrested on February 22 at a London-area airport by Britain's National Crime Agency at the request of the Federal Criminal Police Office of Germany, aka the Bundeskriminalamt or BKA (see British Cops Bust Suspected German ISP Mirai Botnet Hacker). One month later, he was transferred to Germany.
Appearing Friday at a court in Cologne, Daniel K. pleaded guilty to launching attacks designed to infect devices with Mirai malware for the purpose of selling distributed denial-of-service attacks - aka stresser/booter services - to others, German newspaper Augsburge Allgemeine reports.
"The aim of the attack wave was to take over the routers and integrate them into a botnet operated by the accused," the BKA said. "Access to the botnet was allegedly offered by the accused via the darknet for multiple attack scenarios, such as so-called DDoS attacks."
The suspect, who admitted to using the online names "Peter Parker" and "Spiderman," said he offered DDoS attacks on demand, according to news reports. For example, he reportedly claimed in court that a telecommunications provider in the West African country of Liberia had paid him $10,000 to wage a DDoS attack against one of its competitors.
At the time of his arrest, the BKA said the suspect faced between 6 months and 10 years in prison. He's due to be sentenced later this month.
The BKA says its investigation involved close cooperation between German, British and Cypriot law enforcement agencies, backed by the EU's law enforcement intelligence agency, Europol, as well as Eurojust, which is the EU agency devoted to judicial cooperation in criminal matters.
Mirai Botnets Launch DDoS Attacks
The Mirai malware used by Daniel K. is designed to target default and hard-coded credentials in dozens of types of IoT devices - ranging from surveillance cameras and baby monitors to routers and digital video recorders and routers - to inject commands. Once compromised, the devices can be used to launch DDoS attacks.
The emergence of Mirai last year led to recalls of some IoT devices and internet service providers blacklisting some types of devices. In the case of Singaporian ISP Starhub, the provider even dispatched technical support personnel to help identify and replace subscribers' affected devices, whether ISP-issued or not.
The source code for the malware was leaked, apparently by its developer, in September 2016. In short order, multiple criminal groups or actors began using the malware, security researchers say.
Deutsche Telekom Disrupted
Around Nov. 27, 2016, Deutsche Telekom reported that at least 900,000 of its customers had their routers disrupted, resulting in disruptions not just to internet connections, but also internet-connected telephony and television services.
Other internet service providers in Europe - including in Ireland and Poland - also reported that subscribers were affected by Mirai-related attacks.
But Deutsche Telekom devices don't appear to have been infected with Mirai - merely disrupted by infection attempts.
In the aftermath of the attack, Craig Young, a security researcher with the Vulnerability and Exposures Research Team at security firm Tripwire, reported in a blog post that the Deutsche Telekom attack didn't appear to have compromised the ISP's SpeedPort W921v routers. Instead, the routers appeared to have been "overwhelmed by the scanning activities" of external, Mirai-infected devices that began scanning the ISP's network, he said.
Young said he ran a networking tool - netcat - and listened on the port that was being targeted by this malware strain and was targeted with a related attack payload within 90 seconds. "The payload was clearly designed to exploit a command injection flaw," he said.
Young said his analysis of the payload file revealed "some potential indicators of compromise" in the form of domain names referenced by the malware, for example, to download additional exploits. Two of the domains - "securityupdates.us" and "ocalhost.host" - were registered to one "Peter Parker" based in Kiev, Ukraine, while a third domain, "timeserver.host," was registered to "spider man" at 27 Hofit Street in Tel Aviv, Israel.
Is 'Daniel K.' Also GovRAT Author?
Security researchers say that "Spiderman" or "Peter Parker" appears to be the hacker who is also known as "BestBuy," "Popopret" and "Spidr," among other handles.
While authorities have not named the man behind the Deutsche Telekom attacks in full, earlier this month, security blogger Brian Krebs published research suggesting that "BestBuy" was a British man named Daniel Kaye, and that he might also be the author of the remote-access Trojan and keylogger called GovRAT. That malware has been sold on darknet forums by a user or users with the handles BestBuy, Popopret and Spdr, apparently since 2014.
GovRAT has been used in multiple cyber-espionage campaigns, according to a report published last year by the security firm InfoArmor. The firm reported that the malware "has a fairly advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available network resources and connected external devices, such as USB flash drives (worm feature)."
InfoArmor said that in mid-2016, the "primary actor" behind GovRAT began selling an updated version and using the handle "popopret."