New ZHtrap Botnet Deploys Honeypots to Target Routers, DVRs, UPnP Devices

360 Netlab reports a new botnet that uses honeypots to harvest the addresses of other infected devices. The botnet compromises routers, DVRs, and UPnP network devices and turns each of them into a honeypot that helps it find further targets.

The malware, dubbed ZHtrap, is loosely based on the source code of Mirai, the malware that turns networked devices running Linux into remotely controlled bots. ZHtrap is built for x86, ARM, MIPS, and other CPU architectures.

ZHtrap reaches its command-and-control (C2) server through Tor, and routes that traffic through a Tor proxy so that the C2 address and the bot traffic are hidden from network monitoring.

Attackers use the botnet to launch DDoS attacks and to scan for more vulnerable devices to infect. Because ZHtrap also carries backdoor functionality, they can use it to download and execute additional malicious payloads on infected devices.

ZHtrap propagates to other devices by exploiting four N-day vulnerabilities: one in the Realtek SDK miniigd UPnP SOAP endpoint, one in the Netgear DGN1000 router, one in the MVPower DVR, and one shared by many CCTV-DVR devices.

Figure: ZHtrap architecture (image: 360 Netlab)

ZHtrap's central feature is its ability to turn infected devices into honeypots that collect the IP addresses of other hosts, which it then uses as scanning targets.

“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into a honeypot,” 360 Netlab said.

The scanning module looks for devices with weak Telnet passwords. Its targets come from two sources: randomly generated IP addresses, and addresses collected by the honeypot that ZHtrap deploys on previously compromised devices. That honeypot listens on a list of 23 ports and hands the IP address of every host that connects to one of them to the scanning module as a potential target, on the assumption that anything probing those ports is itself a scanner, and therefore most likely another infected or exploitable device.

“Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module,” 360 Netlab researchers explained.
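To make the mechanism concrete, here is an added Python sketch of the collection loop described above. It is illustrative code written for this article, not code from 360 Netlab's analysis or from the ZHtrap sample: a set of TCP listeners records the source IP of every inbound connection, de-duplicates it, and exposes a queue that a scanning module can drain, plus a defender-side helper that separates hosts which touched several listening ports (real scanners) from one-off connections. The class and function names, the port list, and binding to loopback for the demo are all assumptions; the real list of 23 ports is not reproduced on the page.

```python
import socket
import threading
import time


class ScanTargetCollector:
    """Listen on several TCP ports and treat every peer that connects as a
    candidate scan target, the way the ZHtrap honeypot module feeds its scanner.

    Hypothetical illustration; not the malware's own code."""

    def __init__(self, ports, host="0.0.0.0"):
        # The malware would bind all interfaces; the demo below passes 127.0.0.1.
        self._lock = threading.Lock()
        self._seen = {}        # ip -> {"first_seen": epoch, "ports": set(...)}
        self._queue = []       # ips collected but not yet handed to the scanner
        self._sockets = []
        self._threads = []
        self._stop = threading.Event()
        for port in ports:     # port 0 lets the kernel pick a free port
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(16)
            s.settimeout(0.2)  # lets the accept loop notice the stop flag
            self._sockets.append(s)

    @property
    def bound_ports(self):
        return [s.getsockname()[1] for s in self._sockets]

    def start(self):
        for s in self._sockets:
            t = threading.Thread(target=self._accept_loop, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)

    def _accept_loop(self, s):
        port = s.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (ip, _) = s.accept()
            except socket.timeout:
                continue
            except OSError:    # socket closed during stop()
                break
            conn.close()       # never answer: only the peer address is of interest
            self.record(ip, port)

    def record(self, ip, port):
        """Remember which listening port an IP hit; queue new IPs for the scanner."""
        with self._lock:
            entry = self._seen.get(ip)
            if entry is None:
                self._seen[ip] = {"first_seen": time.time(), "ports": {port}}
                self._queue.append(ip)
            else:
                entry["ports"].add(port)

    def drain_targets(self):
        """Hand all newly collected IPs to the scanning module, once each."""
        with self._lock:
            targets, self._queue = self._queue, []
        return targets

    def likely_scanners(self, min_ports=2):
        """Defender's view: peers that touched several listening ports are
        sweeping the host rather than connecting to one service by mistake."""
        with self._lock:
            return sorted(ip for ip, e in self._seen.items()
                          if len(e["ports"]) >= min_ports)

    def wait_for(self, predicate, timeout=2.0):
        """Poll the seen-table until predicate(seen) holds or timeout expires."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if predicate(self._seen):
                    return True
            time.sleep(0.02)
        return False

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join(timeout=1.0)
        for s in self._sockets:
            s.close()


def probe_port(ip, port, timeout=1.0):
    """Stand-in for a remote scanner touching one of the listening ports."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


if __name__ == "__main__":
    # Constructed demo on loopback with kernel-chosen ports (placeholder for the 23 real ones).
    collector = ScanTargetCollector([0, 0, 0], host="127.0.0.1")
    collector.start()
    for p in collector.bound_ports:
        probe_port("127.0.0.1", p)
    collector.wait_for(lambda seen: any(len(e["ports"]) >= 3 for e in seen.values()))
    print("scan targets:", collector.drain_targets())
    print("multi-port scanners:", collector.likely_scanners(min_ports=2))
    collector.stop()
```

The same property the malware relies on works for the defender: an IoT device that suddenly has a couple of dozen new listening TCP sockets (visible with `ss -ltn` or `netstat -ltn` on the device, or as unexpected open ports in an internal scan) is a strong sign it has been turned into a collection node, and the peers it then starts connecting to on port 23 are the next hosts worth checking.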

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.