A new emerging botnet has been spotted by security researchers that uses custom-built peer-to-peer communication to exploit victims, ensnare new IoT devices and continue building its infrastructure. Dubbed Hide N' Seek or HNS, the bot was first spotted by researchers at Bitdefender Labs on 10 January before it disappeared for a few days. However, it returned 10 days later on 20 January in a new and significantly improved form, researchers said.
"The HNS botnet communicates in a complex and decentralised manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it," Bitdefender researchers wrote in a blog post published on Wednesday (24 January). "The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities against networking equipment)."
HNS can also carry out multiple commands including data exfiltration, code execution and interference with a device's operation. Featuring a worm-like mechanism that can randomly generate a list of IP addresses to get potential targets, the bot initiates a raw socket SYN connection to every device listed and tries to establish a connection.
Once successful, the bot looks for the "buildroot login" banner presented by the device and tries to login using a set of predefined credentials. If it can't, it attempts to brute force its way through using a dictionary attack that uses a hardcoded list to crack the device's passcode. After it establishes a new session with the infected device, the bot attempts to identify the target device and figure out how best to compromise it.
"For example, if the victim has the same LAN as the bot, the bot sets up TFTP server to allow the victim to download the sample from the bot," researchers explain. "If the victim is located on the internet, the bot will attempt a specific remote payload delivery method to get the victim to download and run the malware sample. These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts."
Once a device is infected, hackers behind the botnet can use commands to control it. Since it re-emerged on 20 January, the botnet has swelled from an initial 12 compromised devices to more than 20,000 at the time of writing. However, they noted that like most IoT botnets, this one cannot establish persistence on infected devices. With a simple device reboot, the malware can be automatically removed from the compromised device.
Researchers observed that the devices targeted involved IP cameras manufactured by an unspecified Korean company. They also noted that HNS isn't the first IoT botnet to use peer-to-peer communication to spread to other targets. "It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture," Bitdefender wrote. However, if in the case of Hajime, the p2p functionality was based on the BitTorrent protocol, here we have a custom-built p2p communication mechanism."
Interestingly, researchers noted that their analysis of the Hide 'N Seek bot revealed it can be leveraged for far more nefarious activities than launching DDoS attacks. "While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion," they wrote. "It is also worth noting that the botnet is undergoing constant redesign and rapid expansion."