A group of hackers has been using the Hoaxcalls botnet in an ongoing infection campaign over the past several months. It is a derivative threat based on the Gafgyt malware code and uses several exploits targeting network devices.
HoaxCalls Botnet Delivered Using Dangerous Exploits
An unknown group of hackers is actively using the Hoaxcalls botnet to infect other hosts and recruit them into it. No information is available about the criminals behind the malware operations. We assess that they are very experienced, as the campaign has now been active for several months.
The first samples associated with it were detected in March 2020, when a domain used to spread it was registered. The first version of the botnet infects devices by exploiting two vulnerabilities:
- DrayTek Vigor2960 Remote Code Execution Flaw — A security issue that allows the hackers to break into these devices.
- GrandStream Unified Communications Database Exploit — This bug is tracked in the CVE-2020-5722 advisory and is described as an issue in the way authentication is handled. It can be triggered by crafting HTTP packets. Once the hackers have taken control of the devices, they can execute local commands, which can lead to the device being recruited into the botnet.
In April 2020 an updated version of the original threat was discovered, which upgrades the dashboard used to control the botnet. A new exploit has also been integrated into the infection arsenal, targeting ZyXEL Cloud CNM SecuManager. Since the original release in March this year, more and more vulnerabilities are being exploited to infect target computers with the malware code.
Hoaxcalls Botnet Infections: The Aftermath
One of the reasons Hoaxcalls is rated as dangerous is the number of exploits that the hackers keep adding to it. The criminals themselves also appear to be very experienced, having the ability to infect thousands of hosts in a complex attack. The analysis conducted by the security experts notes that over the past several months the hackers have been able to infect many hosts, leading to a large network of compromised computers. They control these computers via a dashboard panel, allowing them to harness the collective power for nefarious purposes.
The Hoaxcalls botnet can be used for sabotage purposes, including organized large-scale distributed denial-of-service (DDoS) attacks. It is very possible that forthcoming campaigns will be organized with this dangerous weapon.