The Pink botnet is one of the largest botnets observed by the infosec community in the last several years. According to the researchers' findings, the Pink botnet at its peak had infected and asserted control over more than 1.6 million devices. The botnet's targets were located almost exclusively in China, with an estimated 90% of the compromised devices being located in the country. The botnet spread by exploiting vulnerabilities in MIPS-based fiber routers.
The botnet is backed by a complex and robust architecture that allows the attackers to exert complete control over the breached devices. To ensure the distribution and availability of the necessary configuration data, the operators employ several different techniques. First, they took advantage of third-party services such as GitHub and a Chinese website to host the configuration.
Thanks to its hybrid architecture, Pink's configuration data was also distributed via both P2P (Peer-to-Peer) and C2 (Command-and-Control) servers. One of the P2P methods is P2P-Over-UDP123 distribution, which carries the data over UDP port 123, the port normally used by NTP, so that it blends in with time-synchronisation traffic. The dual nature of the threat allows the attackers to rely on P2P to deliver general commands, while the C2 route is reserved for deploying critical, time-sensitive instructions, including the launch of DDoS attacks and the injection of advertisements into HTTP sites visited by users.
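Because the P2P channel rides on the NTP port, a cheap detection angle is to check whether traffic on UDP/123 actually looks like NTP. The following script is an added example written for this article; it is not code from the researchers and does not model Pink's actual wire format (which the article does not describe). It only encodes invariants of a genuine NTP packet (RFC 5905: 48-byte header, version field 1-4, non-reserved mode, stratum 0-16) and a fan-out heuristic, since an NTP client talks to a handful of servers while a P2P node talks to many peers. The sample flows, IP addresses and the fan-out threshold are all constructed for the demonstration.

```python
"""Heuristic detection of non-NTP traffic on UDP/123 (added example)."""
from collections import defaultdict

NTP_HEADER_LEN = 48           # RFC 5905 fixed header length in bytes
NTP_VERSIONS = {1, 2, 3, 4}   # VN field values seen on real networks
FANOUT_THRESHOLD = 8          # constructed threshold; tune to the site's NTP pool usage


def looks_like_ntp(payload: bytes) -> bool:
    """Structural plausibility check for an NTP packet.

    Every real NTP packet has at least a 48-byte header, a VN field of 1-4,
    a mode of 1-7 (0 is reserved) and a stratum of 0-16 (17-255 reserved).
    Anything on UDP/123 that breaks these is not time synchronisation.
    """
    if len(payload) < NTP_HEADER_LEN:
        return False
    li_vn_mode, stratum = payload[0], payload[1]
    version = (li_vn_mode >> 3) & 0x07
    mode = li_vn_mode & 0x07
    return version in NTP_VERSIONS and mode != 0 and stratum <= 16


def flag_udp123(flows):
    """Return (src, dst, reason) for each UDP/123 flow worth a closer look.

    flows: iterable of (src_ip, dst_ip, dst_port, payload) tuples, e.g.
    decoded from a pcap. Two heuristics are applied:
      1. a payload on port 123 that is not structurally NTP
      2. one source talking to many distinct peers on 123 (P2P-style fan-out)
    """
    findings = []
    fanout = defaultdict(set)
    for src, dst, dport, payload in flows:
        if dport != 123:
            continue
        fanout[src].add(dst)
        if not looks_like_ntp(payload):
            findings.append((src, dst, "non-NTP payload on udp/123"))
    for src, peers in fanout.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append((src, "*", f"{len(peers)} distinct udp/123 peers"))
    return findings


# Constructed sample traffic (not captured botnet traffic).
NTP_CLIENT_REQ = bytes([0x23]) + bytes(47)   # LI=0, VN=4, mode=3 (client), 48 bytes
JUNK_PAYLOAD = b"\x7f\x20" + b"A" * 46        # VN=7, stratum 32: impossible for NTP
SHORT_PAYLOAD = b"\x23" + bytes(11)           # valid first byte but only 12 bytes

SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 123, NTP_CLIENT_REQ),     # ordinary NTP client
    ("10.0.0.5", "192.0.2.53", 53, b"\x00\x01\x01\x00"),  # not port 123, ignored
    ("10.0.0.7", "198.51.100.1", 123, JUNK_PAYLOAD),      # flagged: bad header
    ("10.0.0.7", "198.51.100.2", 123, SHORT_PAYLOAD),     # flagged: too short
] + [
    # a host that sends well-formed NTP to nine distinct peers: flagged by fan-out
    ("10.0.0.9", f"203.0.113.{i}", 123, NTP_CLIENT_REQ) for i in range(1, 10)
]

if __name__ == "__main__":
    for finding in flag_udp123(SAMPLE_FLOWS):
        print(*finding)
```

Run against the constructed flows, the script reports the two malformed payloads from 10.0.0.7 and the nine-peer fan-out from 10.0.0.9, while the ordinary client on 10.0.0.5 is left alone. The header check catches traffic that merely borrows the port; the fan-out check is what catches a peer that bothers to wrap its messages in a valid-looking NTP header, at the cost of needing a threshold chosen for the network in question.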
The Pink botnet is capable of recognizing and executing more than 10 commands from the botmaster. Depending on the attackers' goal, the bot can fetch additional files and payloads, execute arbitrary system commands, launch DDoS attacks, perform scans, update itself, and more. The operators can also use the malware to gather device details: system type, CPU, system version, hardware information and memory information.
Persistence and Fight with Vendor
The Pink botnet's capabilities allow it to overwrite the original firmware of the breached fiber router with a new image that includes a C2 downloader and an accompanying bootloader. Afterward, the operators have full control over the device, including across reboots. This allowed them to retain access to the infected routers while defeating several different remediation attempts by the device's vendor. In the end, the vendor had to resort to sending technicians to the breached routers to debug them on site or replace the unit altogether.