Demonbot is the name of a botnet and a malware used to infect Internet of Things (IoT) devices. The threat's underlying code is based on the Mirai Botnet, a Trojan infecting IoT devices that had its source code disclosed online back in 2016.
The attack, which is the work of someone using the alias “Priority,” was first noticed by a team working for Juniper Threat labs. Evidence suggests that the attacks have been ongoing since September 10.
Researchers noted that the attacks work on port 60001, which is used by IoT devices in particular. The attacks use the Demonbot variant of Mirai malware in conjunction with another variant developed by the attacker Scarface.
Port 60001 is typically used by IoT devices such as the Defeway cameras. Defeway cameras account for around 90% of all cameras using the port, meaning that up to 90% of smart cameras could be vulnerable to attack. The cameras are installed on networks without any additional password protection, making them especially vulnerable.
People buy these cameras and use them, thinking that they can see the camera feed from anywhere they want. The reality is that attackers can install botnets on to the device without much trouble.
Priority has been spotted attacking other ports as well, including 5500, 5501, 5502, and 5050. Priority attacks these ports with a command that uses the MVPower DVR Shell Unauthenticated Command Function.
Researchers believe that Priority is either an inexperienced amateur or someone who wants to protect their true identity by pretending to be more inexperienced than they really are.
Juniper Labs note that the attacker has yet to use any other exploits in their attacks. This would suggest that they are immature as far as hacking experience is concerned. Many attackers using Mirai and its variants exploit up to seven different vulnerabilities across multiple devices and protocols, making it stand out that Priority focuses on just one.
While Priority does target other ports, researchers believe these attacks are just a diversion, and the attacks are always focused around Port 60001.
Researchers tracked the attack back to a server owned by the Santa Clara data center of Digital Ocean, a Virtual Private Server provider.