A newly identified Internet of Things (IoT) botnet has been orchestrating large-scale Distributed Denial-of-Service (DDoS) attacks globally since late 2024, exploiting vulnerabilities in IoT devices such as routers, IP cameras, and other connected devices.
Security researchers warn that this botnet, leveraging malware derived from Mirai and Bashlite, poses a significant threat to industries and critical infrastructure worldwide.
The botnet infects IoT devices by exploiting Remote Code Execution (RCE) vulnerabilities or weak default credentials. The infection process involves multiple stages:
- Initial Exploitation: The malware infiltrates devices through vulnerabilities or brute-forcing weak passwords.
- Payload Delivery: A loader script downloads the main malware payload from a distribution server. The payload executes directly in memory to avoid leaving traces on the infected device.
- Command-and-Control (C&C): Once infected, devices connect to C&C servers to receive attack commands.
The botnet employs various DDoS attack vectors, including:
- SYN Floods: Overwhelming servers with TCP connection requests.
- UDP Floods: Saturating networks with UDP packets.
- GRE Protocol Exploits: Targeting routers using Generic Routing Encapsulation (GRE) traffic.
- TCP Handshake Floods: Establishing numerous fake TCP connections to exhaust server resources.
Security experts at Trend Micro noted that the commands are structured as text messages prefixed with a two-byte length field, enabling precise control over attack parameters such as duration and target IP addresses.
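Decoding that length-prefixed command framing from a captured C&C stream, as an added example for analysts (not Trend Micro's or the malware's code): it assumes a big-endian two-byte length and a space-separated "VECTOR TARGET DURATION" body, neither of which the article specifies, and the sample bytes are constructed using reserved documentation addresses.

```python
import struct
from typing import List, Tuple

# Assumed framing (the article only says "two-byte length field"): a
# big-endian uint16 length followed by that many bytes of ASCII text.
MAX_FRAME_LEN = 4096  # sanity bound; larger values suggest a desynchronised stream

def frame(body: bytes) -> bytes:
    """Build one frame under the assumed format (used to construct samples)."""
    return struct.pack(">H", len(body)) + body

def split_frames(buf: bytes) -> Tuple[List[str], bytes]:
    """Split a stream buffer into complete command strings.

    Returns (commands, remainder). The remainder holds trailing bytes that do
    not yet form a whole frame, so more captured data can be appended later.
    Raises ValueError when a length field is outside [1, MAX_FRAME_LEN].
    """
    commands: List[str] = []
    offset = 0
    while len(buf) - offset >= 2:
        (length,) = struct.unpack_from(">H", buf, offset)
        if length == 0 or length > MAX_FRAME_LEN:
            raise ValueError(f"implausible length {length} at offset {offset}")
        if len(buf) - offset - 2 < length:
            break  # incomplete frame: stop and hand it back as remainder
        body = buf[offset + 2 : offset + 2 + length]
        commands.append(body.decode("ascii", errors="replace"))
        offset += 2 + length
    return commands, buf[offset:]

def parse_attack_command(cmd: str) -> dict:
    """Parse a hypothetical 'VECTOR TARGET DURATION' body into fields.

    The field layout is an assumption for illustration; the article only says
    commands carry parameters such as duration and target IP.
    """
    parts = cmd.split()
    if len(parts) != 3:
        raise ValueError(f"unexpected command shape: {cmd!r}")
    vector, target, duration = parts
    return {"vector": vector, "target": target, "duration": int(duration)}

# Constructed sample: two complete frames, then a truncated third one.
PARTIAL = struct.pack(">H", 30) + b"GRE 192.0.2.1"
SAMPLE = frame(b"SYN 198.51.100.7 60") + frame(b"UDP 203.0.113.9 120") + PARTIAL

if __name__ == "__main__":
    cmds, rest = split_frames(SAMPLE)
    print([parse_attack_command(c) for c in cmds], len(rest))
```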
Technical Analysis
This botnet has demonstrated a wide geographic reach, targeting sectors such as finance, transportation, and telecommunications. North America and Europe have been heavily affected, with the United States accounting for 17% of identified targets. Japan has also faced significant attacks, particularly against its financial and transportation industries.
The majority of infected devices are wireless routers (80%), followed by IP cameras (15%).
Analysis reveals that brands like TP-Link and Zyxel are frequently compromised due to their widespread use and known vulnerabilities.
To avoid detection, the malware disables watchdog timers on infected devices, preventing automatic reboots during high loads caused by DDoS attacks.
It also rewrites the iptables firewall rules on the infected Linux-based device to block external access while keeping its own communication with the C&C servers open.
Experts recommend several measures to mitigate the risk of IoT botnet infections:
- Change default passwords immediately after device installation.
- Regularly update firmware to patch known vulnerabilities.
- Isolate IoT devices on separate networks to limit exposure.
- Employ intrusion detection systems (IDS) to identify abnormal traffic patterns.
Organizations are urged to collaborate with service providers to filter malicious traffic and consider deploying CDNs for load distribution during DDoS attacks.