Security analysts uncovered a new worldwide malware threat — the Hide ‘N Seek IoT botnet which uses a custom-built P2P communication module to spread itself. The infections are rapidly increasing and it appears that separate attacks are being launched against set targets.
The Hide ’n Seek IoT Botnet Is a Formidable Weapon
Computer security researches discovered а dangerous new IoT Botnet called Hide ‘N Seek that is being utilized by various hacker groups against targets worldwide. The first attacks took place on January 10. The initial launch is suspected to have been a test one as the campaign stopped for a few days afterwards before resuming once again. The analysts detected that the main malware code was altered to include improved functionality. Such tactics indicate that it is possible that one of these two scenarios had taken place:
- Market-Bought Attack Tool — It is possible that the botnet has been acquired through the underground hacker markets. The different attacks may be performed by various hacking groups that are using their own custom configuration against the intended targets.
- Custom Code — The other possibility proposes that the criminals have created the theat by themselves. The various attack campaigns represent newer versions of the The Hide ’n Seek IoT botnet.
Capabilities Of The Hide ‘N Seek IoT Botnet
The analysis shows that the botnet infects target IoT devices with weak security using a very complex infiltration module. It features multiple stealth protection techniques which prevents security applications and services from discovering the malware infections. The attacking engine takes advantage of several web exploits and vulnerabilities that aim to infect as many IoT and networking equipment as possible. The analysts note that among them is the CVE-2016-10401 advisory which reads the following:
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices).
The attacks follow a traditional sequence — the IoT botnet attempts to login to the network devices by using a list of default credentials. If this is not successful then a dictionary attack is initiated. In certain cases a brute force method may also be employed. The experts uncovered that the exploit is capable of launching multiple type of attacks on the compromised devices. The list includes information gathering that can be customized by the criminal operators. They might choose to extract both system data and personally-identifiable information. The first category is primarily used to judge how effective the campaign is as well as give the hackers a thorough look of the type of network they have compromised. The second type is extremely dangerous as it can directly expose the users identity by looking out for strings related to names, telephone numbers, addresses, interests, passwords and account credentials.
The Hide ‘N Seek IoT botnet has been found to create a complete profile of the infected machine. A complex algorithm is used to judge which is the best way to infiltrate the device and cause as much damage as possible. The security researchers note that if the victim device is placed on the same local area network (LAN) as the botnet infection the malware engine sets up a file server that allows the botnet to deliver the infection to other hosts. In a similar way if the hackers want to compromise over the Internet the botnet engine will download a specific remote payload to match the discovered vulnerability. Using it the engine is able to remotely infect the targets. The analysts note that the techniques are recorded in a list that is digitally signed to prevent tampering by everyone except the hacker operators. Updated versions of the list can be distributed along with the malware samples as they spread further.
Consequences of the Hide ‘N Seek IoT Botnet
Once the botnet has compromised the devices it is able to establish a persistent state of execution. This means that it is able to alter important configuration variables and prevent manual user removal attempts. In some cases the malware can only be performed by performing a factory reset along with a hard reset. The fact that the device uses P2P communication between the different hosts makes it a very useful tool when spreading it further. Such samples are very efficient at controlling large networks and executing DDOS attacks against high-profile targets.
Hide ‘N Seek is the second malware to utilize a modular P2P communications platform after the Hajime botnet. However in comparison with Hajime it uses a custom implementation instead of relying on the BitTorrent protocol.
At the moment the Botnet remains silent. The experts presume that a newer attack is being planned in the next version. It is very likely that it will be released very soon in a bigger attack campaign. This is one of the reasons why computer uses are advised to protect their computers by employing a quality ant-spyware solution. They can also scan their machines for any outstanding infections by using a free scan.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: