ZHtrap Botnet Turns Infected Devices into Traps to Find New Victims

Security analysts from the Chinese company Qihoo 360 Netlab have discovered a new botnet called ZHtrap. This botnet turns infected routers, DVRs, and other UPnP devices into honeypots, which help it locate additional targets for infection.

ZHtrap is based on the code of the Mirai IoT malware and supports architectures such as x86, ARM, MIPS, and more. Once it takes over a device, ZHtrap prevents attacks from other malware by using a whitelist that only allows already running system processes, blocking everything else. For communication with other bots, it uses command and control servers located on Tor, as well as Tor proxies to hide malicious traffic.

The main goals of the botnet are to launch DDoS attacks and to search for new vulnerable devices to infect. Additionally, ZHtrap has backdoor capabilities, allowing its operators to download and execute additional payloads.

How ZHtrap Spreads

ZHtrap spreads by exploiting four known vulnerabilities found in:

  • Realtek SDK Miniigd UPnP SOAP
  • MVPower DVR
  • Netgear DGN1000
  • Various models of CCTV-DVRs

The malware also searches for devices with weak Telnet passwords, scanning both randomly generated IP addresses and addresses collected using special honeypots.

Unique Use of Honeypots

The creation of honeypots is perhaps ZHtrap’s most distinctive feature. The malware uses these traps to collect IP addresses of devices that may be vulnerable to its attacks or already infected by other malware. After installation, the ZHtrap honeypot listens on a list of 23 ports and sends all connecting IP addresses to its scanner as potential targets for future attacks.
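The behaviour described above (a compromised device that accepts inbound connections on many ports while also probing Telnet on other hosts) is something a defender can look for in connection logs. The following is an added detection sketch, not code from the article or from Netlab; the log format, thresholds and addresses are constructed assumptions.

```python
"""Added detection example (not from the article or Netlab): flag hosts that
behave like a ZHtrap honeypot (accept inbound connections on many distinct
ports) and/or scan Telnet (23/tcp) across many destinations. The log format
and all addresses below are constructed for illustration."""
import re
from collections import defaultdict

# Assumed log line shape: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\w+)$")

# Constructed sample: 10.0.0.5 shows both behaviours, 10.0.0.7 is a plain web server.
SAMPLE_LOG = "\n".join(
    [f"{i} 10.0.0.{9 + i % 3}:5{i:04d} -> 10.0.0.5:{p} tcp"
     for i, p in enumerate([21, 22, 23, 80, 81, 443, 2323, 5555, 8080, 8443])]
    + [f"{20 + i} 10.0.0.5:4{i:04d} -> 192.0.2.{i}:23 tcp" for i in range(1, 7)]
    + ["30 10.0.0.9:51234 -> 10.0.0.7:80 tcp", "31 10.0.0.10:51235 -> 10.0.0.7:443 tcp"]
)

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group(2), m.group(4), int(m.group(5))

def analyze(log_text, min_inbound_ports=8, min_telnet_targets=5):
    """Return {host: set(reasons)} for hosts matching either heuristic.
    Thresholds are tunable assumptions; the article says the ZHtrap honeypot
    listens on 23 ports, so a real deployment could set min_inbound_ports higher."""
    inbound_ports = defaultdict(set)    # dst_ip -> distinct dst ports seen
    telnet_targets = defaultdict(set)   # src_ip -> distinct hosts contacted on 23/tcp
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        inbound_ports[dst].add(dport)
        if dport == 23:
            telnet_targets[src].add(dst)
    flagged = defaultdict(set)
    for host, ports in inbound_ports.items():
        if len(ports) >= min_inbound_ports:
            flagged[host].add("honeypot-like inbound port fan-in")
    for host, targets in telnet_targets.items():
        if len(targets) >= min_telnet_targets:
            flagged[host].add("telnet scanning")
    return dict(flagged)

if __name__ == "__main__":
    for host, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(host, ", ".join(sorted(reasons)))
```

A host that trips both heuristics at once is a stronger signal than either alone, since a legitimate server rarely listens on many unrelated ports and scans Telnet at the same time.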

ZHtrap Architecture

“Honeypots are usually used by cybersecurity researchers as tools to intercept attacks, detect scans, exploits, and malware samples. We found that ZHtrap uses a similar technique, integrating it with its own IP address scanning module. The collected IP addresses are then used as targets for attacks,” write the experts at Qihoo 360 Netlab.
