Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.
The bot was first spotted on Jan. 10, then faded away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.
Update 26/01/2018 – 14.06 GMT+3
The botnet now controls 32,312 IoT devices. It also appears to be under massive development, as new samples compiled for a variety of architectures have been added as payloads:
0c90ea12275cadd96a67f8ee07e2fa04af91e51e: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
19f54473a721105982281b7b87503e3d60585042: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2b36305f7dcb63b4f55bffab0f0dbbaaabf83b28: ELF 32-bit MSB executable, Motorola 68020 – invalid byte order, version 1 (SYSV), statically linked, stripped
4dcca2094b55b6576c1b27597e4b10db9b6bfa53: ELF 32-bit MSB executable, SPARC version 1 (SYSV), statically linked, stripped
...