A new attack campaign using updated instances of the Hide ‘N Seek IoT botnet is currently attacking users worldwide. Security analysis of the captured samples shows that the updated code adds support for a wide range of database servers. This gives hacking groups a very formidable weapon that they can use in advanced attacks.
Hide ‘N Seek IoT Botnet Updated With New Capabilities
Newly captured strains of the Hide ‘N Seek IoT botnet have been found to contain an updated code base. The captured strains reveal that the new versions of the malware can target various database servers, presenting an even bigger threat.
The first versions of Hide ‘N Seek were found in January in large-scale global campaigns that were able to infect thousands of devices in a swift manner. The analysis conducted shows that the hackers behind the infiltrations used numerous vulnerabilities to find a weakness and infect the target host. By the beginning of May 2018, the statistics indicated that the botnet had infected over 90 000 hosts. Other additions to it at that time included a new persistence module.
Such additions reconfigure the target system’s settings in order to automatically start the malware once the device is powered on. The module reconfigures the boot settings in order to bypass any services or applications that could interfere with its correct execution. If the infected devices run Windows, the engine can modify the relevant Registry entries, altering the ones belonging to the boot manager and installing entries of its own.
Hide ‘N Seek IoT Botnet Mechanism of Infection
The infections are carried out in a P2P manner, which does not rely on a centralized location from which the attacks are launched. This makes the botnet much more effective, as security administrators will have a much harder time filtering the malicious hosts.
The newer versions of the Hide ‘N Seek IoT botnet have been found to include new exploits that target vulnerable Cisco Linksys routers and AVTECH webcams. The engine now has an additional 171 hardcoded P2P nodes and other feature additions such as a cryptocurrency miner. This installs a software instance that uses the available system resources to generate digital currency, which is automatically sent to the hackers’ wallets.
The infection engine uses a port scanner that appears to be taken from the Mirai botnet. The analysis shows that it looks for open ports of common services (ports 80, 8080/2480, 5984 and 23) as well as other randomly selected ones. A new addition is the ability to infect databases: both OrientDB and Apache CouchDB are supported.
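As an added example that is not part of the original article or any vendor’s tooling, the following script flags internal hosts whose outbound connection attempts fan out across the service ports the analysis names (80, 8080, 2480, 5984 and 23) on several targets, the pattern a defender would look for when hunting for this scanner. The log format, the sample lines and the alert thresholds are constructed assumptions for the illustration.

```python
# Added example (not the article's or any vendor's code): detect a source host
# probing the service ports the Hide 'N Seek scanner is described as targeting
# across several destinations. Log format and sample lines are constructed.
from collections import defaultdict
import re

# Ports named in the article's analysis of the scanner.
HNS_PORTS = {80, 8080, 2480, 5984, 23}

# Constructed sample of firewall-style connection logs: "timestamp src -> dst:port"
SAMPLE_LOG = """\
2018-05-01T10:00:01 10.0.0.5 -> 10.0.1.10:80
2018-05-01T10:00:01 10.0.0.5 -> 10.0.1.11:23
2018-05-01T10:00:02 10.0.0.5 -> 10.0.1.12:2480
2018-05-01T10:00:02 10.0.0.5 -> 10.0.1.13:5984
2018-05-01T10:00:03 10.0.0.5 -> 10.0.1.14:8080
2018-05-01T10:00:03 10.0.0.5 -> 10.0.1.15:41337
2018-05-01T10:00:04 10.0.0.7 -> 10.0.1.10:443
2018-05-01T10:00:05 10.0.0.7 -> 10.0.1.10:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_lines(text):
    """Yield (src, dst, port) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def find_scanners(text, min_hns_ports=3, min_targets=3):
    """Return {src: sorted HNS ports probed} for sources that touched at least
    `min_hns_ports` distinct ports from HNS_PORTS across at least `min_targets`
    distinct destinations. The thresholds are assumptions; tune them per network."""
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for src, dst, port in parse_lines(text):
        targets_by_src[src].add(dst)
        if port in HNS_PORTS:
            ports_by_src[src].add(port)
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_hns_ports and len(targets_by_src[src]) >= min_targets
    }

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible HNS-style scan from {src}: ports {ports}")
```

On the constructed sample only 10.0.0.5 is reported; 10.0.0.7 touches a single listed port on a single host and stays below both thresholds.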
There are three distinct ways the botnet can contact the other peers that form the network:
- Contacting the Built-in List of Peers.
- Specified Command-line Arguments.
- As Instructed by Other Peers.
When a Hide ‘N Seek IoT botnet instance is started with no arguments, the local node sends out a series of UDP check-in packets in order to report the infection.
The reason the Hide ‘N Seek IoT botnet is feared as an effective hacking weapon is the motivation behind it. By adding the new infection capabilities, the criminals appear to be targeting both businesses and government agencies. The newest updates can also signal a widespread global campaign against end users who frequently buy webcams and IoT devices as part of their smart home equipment.
If the botnet is used to sabotage the infected hosts, this can be done through the database manipulation engine. The criminals can use it to erase, manipulate or hijack stored information, as well as plant viruses on the victim hosts.
Other damage that can be inflicted includes Trojan horse behavior. In this case a secure connection to a hacker-controlled server or P2P node is established. Through it the criminals can spy on the victims in real-time, as well as take over control of the devices and deploy additional threats.
The dangerous characteristic of botnet infections is that in many cases the victim users may not experience any symptoms.