
Bigpanzi Botnet

A previously unidentified cybercriminal organization, dubbed 'Bigpanzi,' has been generating substantial profits by compromising Android TV and eCos set-top boxes globally since at least 2015. According to researchers, this threat group manages an extensive botnet comprising around 170,000 daily active bots. Notably, since August 2023, researchers have identified 1.3 million unique IP addresses linked to the botnet, with the majority located in Brazil. Bigpanzi infects devices through backdoored firmware updates or by tricking users into unknowingly installing compromised apps.

These infections serve as a revenue source for cybercriminals who transform compromised devices into nodes for various illicit activities, including illegal media streaming platforms, traffic proxying networks, Distributed Denial of Service (DDoS) swarms, and Over-The-Top (OTT) content provision.

The Bigpanzi Botnet Operation Deploys Additional Malware Threats

The cybercrime operation conducted by Bigpanzi employs two custom malware tools known as 'pandoraspear' and 'pcdn.'

Pandoraspear functions as a backdoor Trojan: it hijacks the device's DNS settings, establishes communication with a Command and Control (C2) server, and executes the commands it receives. The malware supports a range of commands that let it manipulate DNS settings, launch DDoS attacks, self-update, open reverse shells, manage its C2 communication, and execute arbitrary OS commands. To evade detection, Pandoraspear employs techniques such as a modified UPX packer shell, dynamic linking, OLLVM-obfuscated compilation and anti-debugging mechanisms.
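Because Pandoraspear's first move is to replace the box's DNS settings, a cheap network-side check is to flag LAN hosts that send port-53 traffic to resolvers the network does not use. The following Python script is an added example, not code from the original article or from the researchers; the firewall log line format, the sample log lines and the resolver allowlist are all constructed assumptions.

```python
"""Flag LAN hosts whose DNS lookups bypass the network's expected resolvers.

A set-top box whose DNS settings were hijacked (Pandoraspear-style) will
start talking to resolvers the network never configured. This parses
constructed firewall-style log lines and reports such hosts.
"""
import re
from collections import defaultdict

# Resolvers this network legitimately uses (assumption for the example).
ALLOWED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (udp|tcp) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def find_rogue_dns(lines, allowed=ALLOWED_RESOLVERS, min_hits=2):
    """Map each source host that sent at least `min_hits` DNS packets to
    resolvers outside `allowed` to the sorted list of those resolvers."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        # Only DNS traffic (dport 53) to a non-allowlisted resolver counts.
        if rec is None or rec["dport"] != 53 or rec["dst"] in allowed:
            continue
        hits[rec["src"]][rec["dst"]] += 1
    return {src: sorted(dsts) for src, dsts in hits.items()
            if sum(dsts.values()) >= min_hits}


# Constructed sample: .20 is clean, .45 is hijacked, .60 is a one-off lookup.
SAMPLE_LOG = """\
2024-01-17T10:00:01Z udp 192.168.1.20:51234 -> 192.168.1.1:53
2024-01-17T10:00:02Z udp 192.168.1.20:51235 -> 1.1.1.1:53
2024-01-17T10:00:03Z udp 192.168.1.45:40011 -> 203.0.113.9:53
2024-01-17T10:00:04Z udp 192.168.1.45:40012 -> 203.0.113.9:53
2024-01-17T10:00:05Z tcp 192.168.1.45:40013 -> 198.51.100.7:53
2024-01-17T10:00:06Z tcp 192.168.1.45:40014 -> 198.51.100.7:443
2024-01-17T10:00:07Z udp 192.168.1.60:40020 -> 203.0.113.9:53
""".splitlines()

if __name__ == "__main__":
    for host, resolvers in find_rogue_dns(SAMPLE_LOG).items():
        print(f"{host}: DNS to unexpected resolver(s) {', '.join(resolvers)}")
```

The `min_hits` threshold suppresses single stray lookups; a host that repeatedly resolves through an unknown server is the one worth pulling off the network and re-flashing from a trusted image.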

Pcdn, on the other hand, is utilized to construct a Peer-to-Peer (P2P) Content Distribution Network (CDN) on infected devices and possesses DDoS capabilities to weaponize these devices further.

The Bigpanzi Botnet Has Global Reach

During peak times, the Bigpanzi botnet boasts 170,000 daily bots, and since August 2023, researchers have identified over 1.3 million distinct IPs associated with the botnet. However, owing to the intermittent activity of compromised TV boxes and limitations in cybersecurity analysts' visibility, it is highly probable that the real size of the botnet surpasses these numbers. Over the past eight years, Bigpanzi seems to have operated covertly, accumulating wealth discreetly. As their operations advanced, there has been a notable proliferation of samples, domain names, and IP addresses.

Researchers suggest that given the enormity and intricacy of the network, their findings only scratch the surface of what Bigpanzi truly entails. Thus far, information security experts have not disclosed any details regarding the attribution of the botnet operation. However, an analysis of the pcdn threat has led them to a suspicious YouTube channel believed to be under the control of a particular company.

Infection Vectors Exploited by the Threat Actors Behind Bigpanzi

The cybercriminal group focuses on Android and eCos platforms, utilizing three distinct methods to infect user devices:

  • Pirated movie & TV apps (Android): Bigpanzi leverages pirated applications related to movies and TV shows on Android devices. Users unknowingly download and install these threatening applications, providing an entry point for the botnet to compromise the devices.
  • Backdoored generic OTA firmware (Android): Another method involves manipulating over-the-air (OTA) firmware updates on Android devices. The cybercriminals introduce backdoors into these updates, allowing them to exploit vulnerabilities during the installation process and gain unauthorized access to the devices.
  • Backdoored 'SmartUpTool' firmware (eCos): For devices operating on the eCos platform, Bigpanzi targets a specific firmware named 'SmartUpTool.' The cybercriminals compromise this firmware by introducing backdoors, enabling them to infiltrate and control devices powered by eCos.

By employing these three methods, Bigpanzi ensures a diverse range of attack vectors, exploiting unsuspecting users who engage with pirated content or update their devices through compromised firmware.
