New ZHtrap botnet uses honeypot to find more victims

Netlab 360 experts discovered a new Mirai-based botnet dubbed ZHtrap that implements honeypot to find more victims.

Researchers from Netlab 360 discovered a new Mirai-based botnet dubbed ZHtrap that implements honeypot to find more victims.

ZHtrap propagates using four vulnerabilities, experts pointed out that the botnet mainly used to conduct DDoS attacks and scanning activities, while integrating some backdoor features.

ZHtrap prapagates using the following Nday vulnerability:

• JAWS_DVR_RCE
• NETGEAR
• CCTV_DVR_RCE
• CVE-2014-8361

ZHtrap supports multiple architectures, including x86, ARM, and MIPS. Compared to Mirai, the ZHtrap botnet presents multiple differences, for example it uses a checksum mechanism for the instructions, in terms of scanning propagation, it added the distinction between real devices and honeypots, the XOR encryption algorithm has been redesigned, and it can turn the compromised device into a simple honeypot and implement a set of process control mechanisms.

Experts noticed that that the bot borrows some implementations of the Matryosh DDoS botnet.

The researchers analyzed multiple samples of the ZHtrap bot and grouped them into 3 versions according to their functions. The version v2 is based on v1 with the addition of vulnerability exploitation, while v3 is based on v2 with the deletion of the network infrastructure.

The ZHtrap botnet used honeypots by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further propagation activities.

“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypot.” reads the analysis published by Netlab 360. “Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module”

ZHtrap listens to 23 designated ports and identifies IP addresses that connect to these ports, then it used these IP addresses to attempt to compromise them by exploiting the four vulnerabilities and inject the payload.

Once the bot has taken over the devices, it takes a cue from the Matryosh botnet by using Tor for communications with a C2 infrastructure to download and execute additional payloads.

“Many botnets implement worm-like scan propagation, and when ZHtrap’s honeypot port is accessed, its source is most likely a device that has been infected by another botnet,” conclude the researchers.”This device can be infected, there must be flaws, I can use my scanning mechanism to scan again.This could be a good chance that I can implant my bot samples, and then with the process control function, I can have total control, isn’t that awesome?”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ZHtrap)

[adrotate banner=”5″]

[adrotate banner=”13″]