
Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining


The Mirai botnet that made headlines in 2016 for taking out infrastructure through large-scale network attacks has become a reference point in the security industry for the damage that large IoT botnets can inflict. Since its source code was published and made available to anyone interested in building their own botnet, many Mirai variants have shown up, each packing unique features. While most are used for disruptive purposes, others seem to use the collective power of compromised devices to mine for cryptocurrency. 

Bitdefender researchers tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features.

Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

LiquorBot appears to use the same command and control server as a Mirai-related variant, and they have even featured together in dropper scripts, meaning attackers used both LiquorBot and the Mirai variant in various campaigns.

The LiquorBot IoT botnet was identified using Bitdefender’s deceptive technologies, when the first LiquorBot samples infected our honeypots in May 2019. Since then, Bitdefender security researchers have tracked the development of the main package, as well as all the other versions associated with feature updates and upgrades.

Key Findings

  • Re-implementation of Mirai written in Go
  • Cross-compiled to several architectures (ARM, ARM64, x86, x64, MIPS)
  • Incorporates cryptocurrency-mining features
  • Propagation through SSH brute-forcing and exploitation of unpatched vulnerabilities in select router models


The following table (Fig. 1) follows the evolution of the botnet, listing SHA-1 hashes, the development path of the main package and the date each version was first seen in our honeypot telemetry. Although each version has samples associated with multiple CPU architectures, for simplicity we have included only the hashes for ARM64.

Fig. 1 – Timeline of LiquorBot sample

While some of the samples analyzed include versioning strings, they do not seem to accurately reflect the evolution of the botnet. For instance, the Oct 1st sample is labeled “0.2” and it’s the one actually introducing the cryptocurrency mining feature. This feature is not present in the July 24th sample, labeled “0.6”, which features additional propagation methods.

Dropper Script

LiquorBot is cross-compiled for a wide range of CPU architectures, from ARM and ARM64 to x86, x64 and MIPS. During the infection process, the dropper script downloads every bot payload, with no filtering logic based on the CPU architecture it finds.

The dropper script itself is relatively short and simply fetches the binaries from an attacker-controlled server. Another notable detail is its use of “#!/bin/sh”, which points to the system’s POSIX-compatible shell more reliably than “#!/bin/bash” does across installations. Because the script does not appear to use any bash-specific features, the “sh” shebang chosen by the malware developers is the one system scripts should use by default.

Fig. 2 – Dropper code

The miner configuration script used by the threat actors appears to set different hashrates for the CPU mining algorithm (Fig. 3).

Fig. 3 – Miner configuration code


Like Mirai, LiquorBot obfuscates its strings and stores them in a map. Each time an entry is accessed, the string is decrypted by adding the value 0x51 to each character. The figure below lists the decrypted strings for LiquorBot.

Fig. 4 – LiquorBot strings map
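As an added example, not code from the article or from the LiquorBot samples, the following Go program reverses the string obfuscation described above: each stored byte is shifted by 0x51 (wrapping modulo 256) to recover the plaintext, and the whole map is decoded by entry number. The map contents are constructed here; an analyst would replace them with the entries lifted from a sample, and the entry numbers and value formats shown are assumptions.

```go
package main

import "fmt"

// decodeString reverses the additive obfuscation the article describes:
// each stored byte plus 0x51 (wrapping mod 256, as Go byte arithmetic does)
// yields the plaintext character.
func decodeString(obfuscated string) string {
	out := make([]byte, len(obfuscated))
	for i := 0; i < len(obfuscated); i++ {
		out[i] = obfuscated[i] + 0x51
	}
	return string(out)
}

// encodeString is the inverse transform. It exists only to build the
// constructed sample below; a real map would be extracted from the binary.
func encodeString(plain string) string {
	out := make([]byte, len(plain))
	for i := 0; i < len(plain); i++ {
		out[i] = plain[i] - 0x51
	}
	return string(out)
}

// decodeMap decodes every entry of an obfuscated string map keyed by entry
// number, mirroring the layout the article attributes to the bot.
func decodeMap(m map[int]string) map[int]string {
	res := make(map[int]string, len(m))
	for k, v := range m {
		res[k] = decodeString(v)
	}
	return res
}

func main() {
	// Constructed sample entries (hypothetical values, not from a sample):
	// 2 and 3 stand in for the mining host and port, 9 for the bind address.
	sample := map[int]string{
		2: encodeString("pool.example.invalid"),
		3: encodeString("3333"),
		9: encodeString("0.0.0.0:42007"),
	}
	for k, v := range decodeMap(sample) {
		fmt.Printf("entry %d: %q\n", k, v)
	}
}
```

Because the transform is a plain byte shift, bytes below 0x51 in the plaintext wrap around during encoding and wrap back during decoding, so paths such as /tmp/.lmr round-trip without special handling.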

Another feature borrowed from Mirai ensures that only a single bot instance runs on a machine, by attempting to bind to a port. The host and port passed as arguments to “net.Listen” come from the configuration map (entry number 9). Other versions of the bot have the port set to 42007.

Fig. 5 – Infection command

Upon execution, the bot relaunches itself, while attempting to disguise the new process as the sshd daemon.

The bot updates the DNS resolver by writing to /etc/resolv.conf the following:

Fig. 6 – DNS Nameservers

The bot’s lifecycle contains a cleanup phase, in which it deletes any dropped files (/tmp/.lmr, /tmp/.ldrop, /tmp/config.json) and erases the bash history.
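The three host-side artifacts described in the preceding paragraphs (the single-instance bind port, the rewritten /etc/resolv.conf and the dropped files) can be checked with a small triage helper. The Go program below is an added example, not the bot’s code or a Bitdefender tool: it looks for the dropped files under a given root (so it can also be pointed at a mounted image), parses /proc/net/tcp text for a listener on port 42007, and lists the nameservers in a resolv.conf. The sample inputs in the test are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// droppedFiles are the paths the article attributes to the bot, relative to
// the filesystem root so a mounted image can be checked as well.
var droppedFiles = []string{"tmp/.lmr", "tmp/.ldrop", "tmp/config.json"}

// singleInstancePort is the bind port the article reports for some versions.
const singleInstancePort = 42007

// findDroppedFiles returns the full path of every listed artifact present under root.
func findDroppedFiles(root string) []string {
	var found []string
	for _, rel := range droppedFiles {
		p := filepath.Join(root, rel)
		if _, err := os.Stat(p); err == nil {
			found = append(found, p)
		}
	}
	return found
}

// listeningOnPort parses text in /proc/net/tcp format and reports whether any
// socket is in LISTEN state (st == 0A) on the given local port. Local ports are
// hexadecimal in that file, so 42007 appears as A417.
func listeningOnPort(procNetTCP string, port int) bool {
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[0] == "sl" {
			continue // header or malformed line
		}
		addr := strings.Split(f[1], ":")
		if len(addr) != 2 {
			continue
		}
		p, err := strconv.ParseUint(addr[1], 16, 16)
		if err != nil {
			continue
		}
		if int(p) == port && f[3] == "0A" {
			return true
		}
	}
	return false
}

// resolvNameservers extracts the nameserver entries from resolv.conf content
// so they can be compared against the resolvers the device is expected to use.
func resolvNameservers(content string) []string {
	var ns []string
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			ns = append(ns, f[1])
		}
	}
	return ns
}

func main() {
	for _, p := range findDroppedFiles("/") {
		fmt.Println("dropped file present:", p)
	}
	if data, err := os.ReadFile("/proc/net/tcp"); err == nil && listeningOnPort(string(data), singleInstancePort) {
		fmt.Printf("port %d is held by a listener (possible single-instance lock)\n", singleInstancePort)
	}
	if data, err := os.ReadFile("/etc/resolv.conf"); err == nil {
		fmt.Println("nameservers:", resolvNameservers(string(data)))
	}
}
```

The listener check is a heuristic: any process can hold that port, and the bot deletes its dropped files during cleanup, so an absent artifact is not evidence of a clean host. The port is read from /proc/net/tcp rather than by attempting a bind, so the check does not itself claim the port or disturb a running process.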

The bot communicates with multiple servers:

  • C&C: the bot reports vulnerable devices to this server and receives commands from it
  • mining server
  • server hosting the binaries

Throughout the botnet’s evolution, the domains used for these purposes have been changed and interchanged among the following:


LiquorBot periodically pings its C&C through an HTTP GET targeting this resource:

Fig. 7 – LiquorBot C&C resource

The query parameters represent fingerprinting data for the device and bot: OS, bot version, CPU architecture, number of CPUs, etc.

The C&C can respond with one of the following commands:

  • download
  • rget
  • exec 
  • shutdown

The first command downloads a resource from a provided URL into /tmp/.ldrop. The second command does the same, but also executes the file using “sh -c”.

The miner goroutine downloads the miner into /tmp/.lmr, formats the config and writes it to /tmp/config.json, then runs the miner with that config. The config is the JSON found in the configuration map, formatted to fill in the server with the address of the mining server (entry 2 for host and entry 3 for port) and the username (a randomly generated string of 17 uppercase letters).
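The generated username is a usable indicator when a dropped /tmp/config.json is recovered: a 17-character, all-uppercase value is unusual for a legitimate miner account. The Go program below is an added example, not the bot’s code or a Bitdefender tool; it walks every string value in the JSON regardless of key name, because the article does not reproduce the config layout, and the key names in the sample config are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// botUserRe matches the username shape the article describes: exactly 17
// uppercase ASCII letters.
var botUserRe = regexp.MustCompile(`^[A-Z]{17}$`)

// walkStrings visits every string value in a decoded JSON document, whatever
// the key names, so the check does not depend on the miner's config layout.
func walkStrings(v interface{}, visit func(string)) {
	switch x := v.(type) {
	case string:
		visit(x)
	case []interface{}:
		for _, e := range x {
			walkStrings(e, visit)
		}
	case map[string]interface{}:
		for _, e := range x {
			walkStrings(e, visit)
		}
	}
}

// botStyleUsernames parses a miner config and returns every string value that
// matches the generated-username pattern, sorted for stable output. A parse
// error is returned rather than silently treated as "no hits".
func botStyleUsernames(configJSON string) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(configJSON), &doc); err != nil {
		return nil, err
	}
	var hits []string
	walkStrings(doc, func(s string) {
		if botUserRe.MatchString(s) {
			hits = append(hits, s)
		}
	})
	sort.Strings(hits)
	return hits, nil
}

// sampleConfig is a constructed file with hypothetical key names; only the
// value shapes matter to the check.
const sampleConfig = `{"pool": {"url": "198.51.100.20:3333", "user": "ABCDEFGHIJKLMNOPQ", "pass": "x"}, "threads": 2}`

func main() {
	hits, err := botStyleUsernames(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("bot-style usernames:", hits)
}
```

On its own this pattern is a weak signal; combined with the file path /tmp/config.json and a pool address matching the C&C-related infrastructure from the same campaign it becomes a reasonable trigger for pulling the host for forensics.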


Among the analyzed LiquorBot samples, we have seen various methods of propagation. Most versions use SSH brute-forcing as the sole propagation method.

The samples from July 24th include SSH brute-forcing, by using a hardcoded list of 82 username/password combinations, while also using exploits for various models of vulnerable routers.

In terms of exploited vulnerabilities, LiquorBot exploits some critical CVEs (CVE-2015-2051, CVE-2016-1555, CVE-2016-6277) as well as a series of command injection and remote command execution vulnerabilities found in various router models (CVE-2018-17173, CVE-2017-6884, CVE-2018-10562, CVE-2017-6077, CVE-2017-6334, CVE-2016-5679, CVE-2018-9285, CVE-2013-3568, CVE-2019-12780).
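SSH credential brute-forcing of the kind described above leaves a distinctive trail in the target’s authentication log: a burst of failed password logins from one source trying several usernames, sometimes followed by an accepted login. The Go program below is an added detection example, not from the article or from Bitdefender; it parses OpenSSH auth-log lines, counts failures per source address, flags sources at or above a threshold, and marks separately the case where a login from such a source later succeeded. The log lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// failedRe and acceptedRe match the OpenSSH auth-log lines for rejected and
// accepted password logins, capturing the username and source IPv4 address.
var (
	failedRe   = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2`)
	acceptedRe = regexp.MustCompile(`Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2`)
)

// bruteSource summarises one source address that exceeded the threshold.
type bruteSource struct {
	IP        string
	Failures  int
	Users     []string // distinct usernames tried, sorted
	Succeeded bool     // a password login was accepted from this IP
}

// detectBruteForce counts failed password logins per source IP and returns
// every source at or above threshold, most failures first. A successful login
// from a flagged source is the case that needs immediate response.
func detectBruteForce(lines []string, threshold int) []bruteSource {
	failures := map[string]int{}
	users := map[string]map[string]bool{}
	accepted := map[string]bool{}
	for _, line := range lines {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			user, ip := m[1], m[2]
			failures[ip]++
			if users[ip] == nil {
				users[ip] = map[string]bool{}
			}
			users[ip][user] = true
			continue
		}
		if m := acceptedRe.FindStringSubmatch(line); m != nil {
			accepted[m[2]] = true
		}
	}
	var out []bruteSource
	for ip, n := range failures {
		if n < threshold {
			continue
		}
		var names []string
		for u := range users[ip] {
			names = append(names, u)
		}
		sort.Strings(names)
		out = append(out, bruteSource{IP: ip, Failures: n, Users: names, Succeeded: accepted[ip]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Failures > out[j].Failures })
	return out
}

// sampleAuthLog is a constructed excerpt, not a real capture.
var sampleAuthLog = []string{
	"Jul 24 03:12:01 router sshd[812]: Failed password for root from 198.51.100.7 port 41022 ssh2",
	"Jul 24 03:12:02 router sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2",
	"Jul 24 03:12:03 router sshd[812]: Failed password for invalid user pi from 198.51.100.7 port 41024 ssh2",
	"Jul 24 03:12:04 router sshd[812]: Failed password for root from 198.51.100.7 port 41025 ssh2",
	"Jul 24 03:12:05 router sshd[812]: Accepted password for root from 198.51.100.7 port 41026 ssh2",
	"Jul 24 03:15:00 router sshd[820]: Failed password for root from 203.0.113.9 port 50001 ssh2",
}

func main() {
	for _, s := range detectBruteForce(sampleAuthLog, 4) {
		fmt.Printf("%s: %d failures, users %v, login succeeded: %v\n", s.IP, s.Failures, s.Users, s.Succeeded)
	}
}
```

The threshold should be tuned to the environment; a bot working through a list of 82 credential pairs will typically exceed any sensible value within seconds, so a per-source rate over a short window is a stronger rule than a plain count. Devices that only accept key-based logins produce no "Accepted password" events, which makes a match on that line from a flagged source especially significant.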




Related domains:

Note: The information in this article was made available courtesy of the Bitdefender research team.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

About the author

Bitdefender Team

The meaning of Bitdefender’s mascot, the Dacian Draco, an ancient symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.” Like our mascot, we are committed to using Bitdefender Labs, our world-class research team, to vigilantly find and eradicate threats for our customers, and to use our platform for the larger good.
