Evasive Malware Exploits Vulnerabilities in IoT Devices via DDoS Botnets
Trellix Unveils Inner Workings of Evasive Masjesu Botnet
The cybersecurity firm Trellix has conducted an in-depth analysis of the Evasive Masjesu botnet, which has been wreaking havoc on IoT devices since at least 2023.
Botnet Targets IoT Devices for DDoS Attacks
- The botnet has been operational since 2023, with its operator promoting its capabilities on Telegram channels targeting both Chinese and English-speaking users.
- The operator’s Telegram channel boasts over 400 subscribers.
- An examination of attack source countries reveals that the majority of affected devices are located in Vietnam, with additional compromises in Brazil, India, Iran, Kenya, and Ukraine.
- This widespread distribution indicates a complex attack vector involving multiple Autonomous System Numbers (ASNs).
Masjesu’s Architectural Versatility
Masjesu can target various architectures, including:
- i386
- MIPS
- ARM
- SPARC
- PPC
- 68K (Motorola 68000)
- AMD64
The botnet spreads through vulnerabilities in:
- D-Link routers
- GPON routers
- Huawei home gateways
- MVPower DVRs
- Netgear routers
- UPnP services
- Other IoT devices
According to Trellix, “Upon infection, the malware establishes a persistent connection to its command-and-control (C&C) domain, using a hardcoded TCP port for remote access.”
Persistance Mechanisms
To ensure persistence, the malware:
- Creates a cron job to run a renamed executable every 15 minutes
- Converts the process into a background daemon
- Renames it to resemble a legitimate system component
- Terminates commonly used processes, such as wget and curl
- Restricts access to shared temporary folders
C&C Domains and Fallback IP Addresses
Masjesu employs multiple C&C domains and fallback IP addresses, along with a 60-second receive timeout on socket connections.
Upon receiving instructions from the C&C server, the botnet launches various types of DDoS attacks, including:
- UDP
- TCP
- VSE
- GRE
- RDP
- OSPF
- ICMP
- IGMP
- TCP SYN
- TCP ACK
- TCP ACKPSH
- HTTP floods
These attacks pose a significant threat to organizations reliant on online infrastructure, underscoring the importance of robust network security measures and regular updates to mitigate potential vulnerabilities.
About Author
English