Security experts from 360 Netlab security firm have recently discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that mainly targets routers that have the BroadCom UPnP feature enabled.
The BCMPUPnP_Hunter was first spotted in September, but researchers were able to capture the first sample only a month later.
Experts pointed out that the interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan-
“it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL.” reads the analysis published by 360 Netlab.
“After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is so a right exploit payload can be crafted and fed to the target.”
Experts noticed that the amount of infection is very large, the number of active scanning IP in each scan event is about 100,000.
Once the device is compromised, the attacker implements a proxy network (tcp-proxy) that communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. This circumstance suggests the botnet may have been involved in spam campaigns.
Below some findings shared by the experts:
The geographical distribution for the scanner IPs in the last 7 days revealed that most of the infected devices are in India, the United States, and China.
The experts probed the scanners and discovered at least 116 different type of infected device information.
The malware sample analyzed by the experts is composed of the main body and a shellcode that is apparently designed specifically to download the main sample and execute it.
“The main function of shellcode is to download the main sample from C2(109.248.9.17:8738) and execute it.” continues the analysis.
“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines). It seems that the author has profound skills and is not a typical script kid:”
The main sample includes an exploit for the BroadCom UPnP vulnerability and the proxy access network module. The main sample can parse four instruction codes from C2, enable the port scan, search for a potentially vulnerable target, empty current task, access proxy network.
The botnet was likely designed to proxy traffic to servers of well-known mail service providers. The researchers believe the proxy network established by the botnet is abused for spam due to the connections only made over TCP port 25.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – BCMPUPnP_Hunter botnet, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
As Middle East tensions rise, cyberattacks hit Iran’s government branches and nuclear facilities, following Israel's…
Sophos reports ransomware operators are exploiting a critical code execution flaw in Veeam Backup &…
GitLab issued updates for CE and EE to address multiple flaws, including a critical bug…
OpenAI disrupted 20 cyber and influence operations in 2023, revealing Iran and China-linked actors used…
The Internet Archive disclosed a data breach, the security incident impacted more than 31 million…
Jscrambler researchers found a skimming campaign using unique JavaScript obfuscation with accented characters to hide…
This website uses cookies.