Hoaxcalls Botnet expands the target list and adds new DDoS capabilities

Pierluigi Paganini April 24, 2020

The Hoaxcalls IoT botnet expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities.

DDoS protection services provider Radware warns the Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices, the experts also noticed that the operators implemented new distributed denial of service (DDoS) capabilities.

The Hoaxcalls was first spotted in April by researchers from Palo Alto Networks, it borrows the code from Tsunami and Gafgyt botnets and it is targeting CVE-2020-5722 and CVE-2020-8515 flaws respectively affecting Grandstream UCM6200 series devices and Draytek Vigor routers.

Both vulnerabilities have been rated as critical severity (i.e CVSS v3.1 score of 9.8 out of 10) because they are easy to exploit.

The botnet was initially designed to launch DDoS attacks using UDP, DNS and HEX floods.

Now security researchers from Radware reported having discovered a new version of the Hoaxcalls botnet that is targeting an unpatched issue in the ZyXEL Cloud CNM SecuManager. Experts also noticed that the new variant implements 16 new DDoS capabilities.

“On April 20th, 2020, Radware Researchers discovered a new variant of the Hoaxcalls Botnet spreading via an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager.” reads the report published by Radware. “The series of vulnerabilities impacting ZyXEL were published in full disclosure by Pierre Kim on March 9th, 2020. In addition to a new vector of propagation, the Hoaxcall Botnet also added 16 DDoS attack vectors in the new sample.”

The campaigns observed by Radware employed a number of variants
using different combinations of propagation exploits and DDoS attack vectors. Experts speculate that the threat actor behind these campaigns focused on finding and leveraging new exploits to build a DDoS botnet.

On April 20, experts uncovered a powerful variant of the botnet that was spreading from a single server, they also revealed that the number of hosting servers now exceeds 75.

“A significant increase in attack capabilities compared to the previous sample. Samples discovered by Radware can be found on URLhaus. This specific variant has only been seen propagating via the GrandStream UCM SQL injection vulnerability CVE-2020-5722. In the first 48 hours of discovery, our sensors recorded 15 unique IP addresses spreading malware from a server hosted at Today the number of malware hosting servers has grown to over 75.” continues the report. “Upon initial inspection, the sample appeared to be related to Tsunami, but when reanalyzed at a later date, the sample returned a closer relation to Hoaxcalls.”

The latest variant discovered by the experts and tracked as XTC expands the list of targeted devices by including the exploit for the issue in the ZyXEL Cloud CNM SecuManager.

“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors.” Radware concludes. “It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large scale DDoS attacks,”

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Hoaxcalls, IoT botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment