Last year the world was startled when the Mirai malware infected a whopping 500,000 IoT devices, formed a massive botnet, and then disrupted internet service in the US and Europe by launching DDoS attacks. Those memories have been brought back with the emergence of new malware that appears to be attempting something similar.
New malware has been identified by security researchers at Check Point. According to their research, the malware, dubbed IoTroop or Reaper, can target and hijack IoT devices including routers, webcams, and DVRs. The malware has been infecting devices across the globe. The objective of the campaign appears to be the creation of a massive botnet capable of disrupting internet service.
It is worth noting that the malware mainly targets poorly secured devices, but the rate at which it is infecting the devices. The malware is quite similar to Mirai in its code, the scope of its attacks, and its potential for damage. However, it is a completely new campaign and has nothing to do with Mirai.
“This has the potential to be more damaging than Mirai. The most interesting difference between this malware and Mirai is that it is far more sophisticated. Attackers are not just exploiting default credentials to compromise devices, but also using a dozen or more vulnerabilities to get on these devices,” said Horowitz.
The malicious code was discovered by Check Point researchers last month, and so far it has managed to infect “hundreds of thousands of devices,” revealed Check Point’s threat intelligence group manager Maya Horowitz. Horowitz also notes that at least one vulnerable device is present on nearly 60% of corporate networks. Most of the devices being attacked by the malware are manufactured by Linksys, D-Link, TP-Link, Netgear, Synology, Avtech, MikroTik and GoAhead. Some of these manufacturers have already released patches for the vulnerabilities in their devices.
Preliminary research revealed that more than a million organizations across the world, including in the US and Australia, had been affected. Moreover, researchers have identified various command-and-control servers being used by the perpetrators of this campaign. The cybercriminals behind IoTroop are continually updating the code, and every infected device is handed a range of IP addresses that it uses to scan for further vulnerable devices.
According to Horowitz, the malware is self-propagating and communicates very little with its command-and-control server. It is believed that the rapid growth of the botnet is probably preparation for a massive DDoS attack; however, so far the malware has not launched one. It is not yet known who is behind this new malware campaign, but Horowitz noted that the tools required to create this sort of malware are easily available online, and that the Mirai source code was also leaked online in 2016.
“We are still studying the malware and reverse engineering it to understand better how it works. While we don’t have the complete answers, we do know that the infected devices get a range of IP addresses that the malware is instructed to check for vulnerabilities. And then the IPs of the vulnerable devices are sent back to the C2,” stated Horowitz.
Qihoo 360 researchers also identified Reaper, and according to their estimates it has affected nearly 2 million devices. They stated that Reaper differs from Mirai in that it does not rely on cracking default passwords but instead targets publicly known vulnerabilities in commonly used IoT devices.
Unlike Mirai, which relies on cracking the default password to gain access to the device, Reaper has been found targeting around a dozen different vulnerabilities found in products from D-Link, Netgear, Linksys, and others. All these vulnerabilities are publicly known, and at least some of the vendors have released security patches to fix them.