New ZHtrap botnet malware deploys honeypots to find more targets
#1
Quote: A new botnet is hunting down and transforming infected routers, DVRs, and UPnP network devices into honeypots that help it find other targets to infect.
 
The malware, dubbed ZHtrap by the 360 Netlab security researchers who spotted it, is loosely based on Mirai's source code, and it comes with support for x86, ARM, MIPS, and other CPU architectures.
Takes over infected devices
Once it takes over a device, it prevents other malware from re-infecting its bots with the help of a whitelist that only allows already running system processes, blocking all attempts to run new commands.
 
ZHtrap bots use a Tor command-and-control (C2) server to communicate with other botnet nodes and a Tor proxy to conceal malicious traffic.
 
The botnet's main capabilities include DDoS attacks and scanning for more vulnerable devices to infect. However, it also comes with backdoor functionality allowing the operators to download and execute additional malicious payloads.
 
To propagate, ZHtrap uses exploits targeting four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and a long list of CCTV-DVR devices.
 
It also scans for devices with weak Telnet passwords from a list of randomly generated IP addresses and collected with the help of the honeypot it deploys on devices already ensnared in the botnet.
 
 
Bots used as honeypots
ZHtrap's most interesting feature is how it turns infected devices into honeypots to collect IP addresses of more targets likely vulnerable to its propagation methods or already infected by other malware.
 
Once deployed, ZHtrap's honeypot starts listening to a list of 23 ports, and it sends all IPs connecting to them to its scanning module as potential targets in its attacks.
 
"Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypot," 360 Netlab said.
 
"Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. 
 
"But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module."
 
360 Netlab researchers have also recently spotted an upgraded version of the z0Miner cryptomining botnet, which now attempts to infect vulnerable Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.
 


Source
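The honeypot-to-scanner loop described above (a bot accepts inbound connections on many ports, then probes the peers that connected to it on Telnet) leaves a recognisable pattern in flow telemetry. The following detection sketch is an added example written for this thread; it is not code from the article or from 360 Netlab, the flow records are constructed, the port numbers are placeholders rather than ZHtrap's real listening ports, and the thresholds are assumptions.

```python
"""Flag hosts that behave like ZHtrap-style bot honeypots: they accept inbound
connections on many distinct ports, then start probing the very peers that
connected to them on Telnet (23). Constructed flow records, not real telemetry."""
from collections import defaultdict

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port).
# 10.0.0.5 is the suspect device; 10.0.0.9 is an ordinary web server.
# The inbound ports are placeholders, not ZHtrap's actual 23-port list.
FLOWS = [
    (100, "198.51.100.7", "10.0.0.5", 23),
    (101, "203.0.113.4", "10.0.0.5", 8080),
    (102, "203.0.113.8", "10.0.0.5", 5555),
    (103, "198.51.100.9", "10.0.0.5", 2323),
    (104, "203.0.113.12", "10.0.0.5", 37215),
    (110, "192.0.2.3", "10.0.0.9", 443),
    (111, "192.0.2.4", "10.0.0.9", 443),
    # Later, the suspect scans the peers that had connected to it.
    (200, "10.0.0.5", "198.51.100.7", 23),
    (201, "10.0.0.5", "203.0.113.4", 23),
    (202, "10.0.0.5", "203.0.113.8", 23),
    (203, "10.0.0.5", "198.51.100.9", 23),
]


def find_honeypot_scanners(flows, min_ports=4, min_reflected=3, scan_port=23):
    """Return {host: sorted peer IPs} for hosts that (a) accepted inbound
    connections on at least `min_ports` distinct ports and (b) afterwards
    opened outbound `scan_port` connections to at least `min_reflected` of
    those same inbound peers. Thresholds are assumptions for this example."""
    inbound_ports = defaultdict(set)   # host -> distinct ports it accepted on
    first_seen = {}                    # (host, peer) -> earliest inbound ts
    for ts, src, dst, dport in flows:
        inbound_ports[dst].add(dport)
        first_seen.setdefault((dst, src), ts)
    hits = {}
    for ts, src, dst, dport in flows:
        if dport != scan_port:
            continue
        seen = first_seen.get((src, dst))  # did dst connect to src earlier?
        if seen is not None and seen < ts and len(inbound_ports[src]) >= min_ports:
            hits.setdefault(src, set()).add(dst)
    return {h: sorted(p) for h, p in hits.items() if len(p) >= min_reflected}


if __name__ == "__main__":
    for host, peers in find_honeypot_scanners(FLOWS).items():
        print(f"{host}: accepted on {len(inbound_ports_for := None) if False else ''}"
              f"multiple ports, then probed {peers} on 23")
```

Blocking the suspect host's outbound Telnet and the unusual inbound ports, then pulling the device for firmware reinstallation, is the response the pattern calls for.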