NetLab360 reports a new botnet that uses honeypots to harvest targets for further infection. The botnet hunts down routers, DVRs, and UPnP network devices, compromises them, and transforms them into honeypots that help it find other targets.
The malware, dubbed ZHtrap, is loosely based on the source code of Mirai, a malware that turns networked devices running Linux into remotely controlled bots. ZHtrap can work on x86, ARM, MIPS, and other CPU architectures.
To communicate with other botnet nodes, ZHtrap uses a Tor-based command-and-control (C2) server, and a Tor proxy to conceal malicious traffic.
Attackers use the botnet to deploy DDoS attacks and scan for more vulnerable devices to infect. Attackers can also use it to download and execute additional malicious payloads, as ZHtrap comes with backdoor functionality.
ZHtrap propagates to other devices by targeting four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, Netgear DGN1000, MVPower DVR, and many CCTV-DVR devices.
Image: 360 Netlab
ZHtrap’s central feature is the ability to turn infected devices into honeypots that collect IP addresses in search of more targets.
“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypots,” 360 Netlab said.
It scans a list of randomly generated IP addresses for devices with weak Telnet passwords, supplemented by addresses collected by the honeypot that ZHtrap deploys on previously compromised devices. The honeypot listens on a list of 23 ports and passes the IP address of every host that connects to them to the scanning module as a potential target.
“Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module,” 360 Netlab researchers explained.
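The two behaviours described above, a device that suddenly accepts connections on many ports and a device that opens Telnet sessions to many distinct addresses, are both visible in ordinary connection logs. The following is an added detection example written for this page, not code from 360 Netlab or from the malware; it assumes a flat `ts src=… dst=… dport=… dir=in|out` log format and uses constructed sample records and illustrative thresholds (`min_targets`, `min_ports`) that a defender would tune to their own environment.

```python
# Added example (not from 360 Netlab's report): flag two traffic patterns a
# ZHtrap-style device would produce, using constructed connection-log lines.
# Assumptions: the key=value log format below and the thresholds in each function.
from collections import defaultdict


def parse_line(line):
    """Parse one 'ts src=... dst=... dport=... dir=in|out' record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def find_telnet_scanners(records, min_targets=20):
    """Internal hosts opening outbound Telnet (23/tcp) to many distinct addresses.

    A router has no normal reason to reach dozens of different hosts on 23/tcp;
    a bot trying weak Telnet credentials does. The threshold is an assumption.
    """
    targets = defaultdict(set)
    for rec in records:
        if rec["dir"] == "out" and rec["dport"] == 23:
            targets[rec["src"]].add(rec["dst"])
    return {host for host, seen in targets.items() if len(seen) >= min_targets}


def find_wide_listeners(records, min_ports=16):
    """Internal hosts that accept inbound connections on many distinct ports.

    ZHtrap's honeypot listens on 23 ports to log who connects, so an embedded
    device that starts answering on that many ports is itself the signal.
    The threshold is an assumption about a typical consumer device.
    """
    ports = defaultdict(set)
    for rec in records:
        if rec["dir"] == "in":
            ports[rec["dst"]].add(rec["dport"])
    return {host for host, seen in ports.items() if len(seen) >= min_ports}


def build_sample_log():
    """Constructed records: one compromised router (192.0.2.10) plus benign noise."""
    lines = []
    # Benign: a workstation browsing a few HTTPS sites.
    for i in range(5):
        lines.append(f"2021-03-10T12:00:{i:02d}Z src=192.0.2.50 dst=203.0.113.{i} dport=443 dir=out")
    # Bot scanning: outbound Telnet to 25 distinct hosts.
    for i in range(25):
        lines.append(f"2021-03-10T12:01:{i:02d}Z src=192.0.2.10 dst=198.51.100.{i} dport=23 dir=out")
    # Bot honeypot: inbound hits on 20 distinct ports from various external scanners.
    for i, port in enumerate(range(8000, 8020)):
        lines.append(f"2021-03-10T12:02:{i:02d}Z src=198.51.100.{100 + i} dst=192.0.2.10 dport={port} dir=in")
    # Benign: the workstation's SSH server receives two inbound logins.
    lines.append("2021-03-10T12:03:00Z src=192.0.2.51 dst=192.0.2.50 dport=22 dir=in")
    lines.append("2021-03-10T12:03:01Z src=192.0.2.52 dst=192.0.2.50 dport=22 dir=in")
    return lines


def analyze(lines):
    """Run both detectors over raw log lines and return the flagged hosts."""
    records = [parse_line(line) for line in lines]
    return {
        "telnet_scanners": sorted(find_telnet_scanners(records)),
        "wide_listeners": sorted(find_wide_listeners(records)),
    }


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Against the constructed log, only 192.0.2.10 trips both detectors; the workstation's handful of HTTPS connections and its two inbound SSH logins stay below the thresholds. A host that shows up in both sets at once is the more specific indicator, since a legitimate multi-service appliance may listen widely but will not also be probing Telnet across the internet.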