ZHtrap Botnet

ZHtrap Botnet Description

Although the source code of the infamous Mirai botnet was leaked to the public in 2016, cybercriminals continue either to reuse pieces of it or to take inspiration from it. An example of the latter is the ZHtrap botnet, discovered by researchers at 360 Netlab.

The malware can take over a wide range of devices and absorb them into the botnet. Its primary purpose appears to be carrying out distributed denial-of-service (DDoS) attacks, but a backdoor channel opened on each compromised device also lets the threat actor drop additional malware payloads. The Command-and-Control infrastructure relies on a server hosted on the Tor network, with a Tor proxy that masks the abnormal traffic generated by the botnet.

For distribution, ZHtrap exploits four known vulnerabilities that let it infect routers, DVRs, and UPnP network devices. More specifically, it targets Netgear DGN1000 routers, MVPower DVRs, Realtek SDK Miniigd UPnP SOAP endpoints, and numerous CCTV-DVR devices. Devices with weak Telnet passwords are attacked as well.

To ensure it remains the only malicious payload running on a device, the malware builds a whitelist containing only the processes that were already running when it started; any later attempt to run additional commands on the device is blocked. A competing bot that lands after ZHtrap therefore never gets to execute.

The aspect that most distinguishes ZHtrap from other botnets, however, is its ability to turn compromised devices into honeypots. In cybersecurity, a honeypot is a decoy that acts as bait for attacks so that defenders can collect scans, code samples, and potential exploits. ZHtrap uses the same technique but reverses its purpose: it instructs captured devices to listen on a list of 23 ports, and every IP address that attempts to connect to any of those ports is fed to the malware's scanning module as a new potential target. In effect, anything that scans an infected device gives away its own address as a candidate for infection.
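The following is an added example modelling the honeypot-to-scanner hand-off described above; it is illustrative code written for this page, not ZHtrap's own code or anything from the 360 Netlab report. It binds a handful of listeners, records the address of every peer that connects, and queues each new address once for a scanner to consume. The class and function names, the use of loopback with ephemeral ports instead of a fixed list of 23, and the three-connection demo are all assumptions made so that it runs offline.

```python
import queue
import socket
import threading
import time
from collections import OrderedDict


class TargetHarvester:
    """Turns inbound connections into scanner targets.

    Every peer address that hits one of the fake services is recorded once,
    in first-seen order, and queued for the scanning module; repeat hits from
    the same address only increment a counter.
    """

    def __init__(self):
        self._hits = OrderedDict()      # peer_ip -> number of connections seen
        self._lock = threading.Lock()
        self.pending = queue.Queue()    # hand-off queue read by the scanner

    def record(self, peer_ip):
        """Return True the first time an address is seen, False afterwards."""
        with self._lock:
            first = peer_ip not in self._hits
            self._hits[peer_ip] = self._hits.get(peer_ip, 0) + 1
        if first:
            self.pending.put(peer_ip)
        return first

    def targets(self):
        """All distinct addresses collected so far, in first-seen order."""
        with self._lock:
            return list(self._hits)

    def hits(self, peer_ip):
        with self._lock:
            return self._hits.get(peer_ip, 0)


def accept_loop(sock, harvester, stop):
    """One fake service: accept a connection, note who connected, drop it."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, (peer_ip, _port) = sock.accept()
        except socket.timeout:
            continue
        harvester.record(peer_ip)
        conn.close()
    sock.close()


def start_listeners(harvester, count, host="127.0.0.1"):
    """Bind `count` listening sockets and serve each one on its own thread.

    Ephemeral loopback ports are an assumption of this example so it runs
    anywhere; the real malware binds a fixed list of 23 ports.
    """
    stop = threading.Event()
    ports, threads = [], []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))
        s.listen(8)
        t = threading.Thread(target=accept_loop, args=(s, harvester, stop), daemon=True)
        t.start()
        ports.append(s.getsockname()[1])
        threads.append(t)
    return ports, stop, threads


def demo(connections=3):
    """Start three fake services, connect to them from loopback, and return
    (targets, hit_count): one target is queued although several connections
    arrived, because the harvester de-duplicates by source address."""
    harvester = TargetHarvester()
    ports, stop, threads = start_listeners(harvester, 3)
    for i in range(connections):
        with socket.create_connection(("127.0.0.1", ports[i % len(ports)]), timeout=2):
            pass
    # connect() returns as soon as the kernel queues the connection, so wait
    # until the accept loops have actually recorded every hit
    for _ in range(50):
        if harvester.hits("127.0.0.1") >= connections:
            break
        time.sleep(0.05)
    stop.set()
    for t in threads:
        t.join(timeout=1)
    return harvester.targets(), harvester.hits("127.0.0.1")


if __name__ == "__main__":
    print(demo())
```

Run with no arguments to see the de-duplication: three connections from loopback yield a single queued target. The point to take from the design is that the listener does nothing a service would do; it only needs the peer address from accept(), which is why any port scan of an infected device is enough to enrol the scanner's own address as the next target.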