HEH Botnet Description
Researchers have detected a new botnet that is spreading actively. According to their findings, the botnet called HEH can compromise home routers, Internet of Things (IoT) devices, Linux servers, and even Windows systems. The only prerequisite is for the targets to have weak Telnet credentials as the botnet propagates through brute-force attacks against open Telnet ports (23 and 2323). If the HEH Botnet breaches the device successfully, it deploys one of seven binaries tasked with installing the HEH malware. It should be noted that while the botnet can compromise Windows systems, the malware it delivers can only be executed on *NIX platforms. The specific CPU architectures that can be affected by the botnet are x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC.
The HEH Botnet may Break Devices
There are signs that the botnet is in its infancy and that it may still be in development. For example, the HEH Botnet doesn't have the capability to perform any offensive actions usually associated with botnets, such as conducting DDoS attacks, deploy cryptomining malware, run proxies, and transfer traffic for the hackers. That doesn't mean that HEH is harmless, though. In fact, either as a consequence of bad configuration or a potentially intended functionality, the HEH Botnet can be commanded to run a set of Shell operations resulting in a total wipe of all partitions found on the infected device. This will most likely break the device, as wiping the partitions will delete the firmware, as well, and the average user may not be tech-savvy enough to install it back.
While the wiper functionality is indeed scary, it is not the main goal of the botnet. For now, HEH is forcing the compromised devices to join the brute-force attacks against Telnet ports to spread the malicious botnet further primarily. The attackers behind HEH could also use it to run arbitrary shell commands.
The HEH Botnet is far from being the first to display wiper capabilities. That dubious honor belongs to the BrickerBot and Silex botnets.