A new Mirai-based botnet, ZHtrap, has recently been reported in the wild exploiting vulnerabilities. This follows the leak of the well-known Mirai botnet's source code in 2016; some attackers are still reusing sections of it or building something new on top of it. The latest example, the ZHtrap botnet, was discovered by researchers at 360 Netlab.
The malware can take over a wide range of devices and enlist them into the botnet. The botnet's primary purpose appears to be carrying out DDoS (distributed denial of service) attacks, but it also creates a backdoor channel into the compromised devices, which allows the operators to deliver additional malware payloads. The command-and-control servers for the campaign are hosted on the Tor network, and a Tor proxy is used to mask the abnormal traffic generated by the botnet.
For distribution, ZHtrap takes advantage of four well-known vulnerabilities that allow it to infect routers, DVRs, and UPnP network devices. More specifically, ZHtrap targets Realtek SDK Miniigd UPnP SOAP endpoints, Netgear DGN1000, CCTV-DVR devices, and numerous MVPower DVRs. Devices with weak passwords are also attacked, using IP addresses collected through its honeypot.
The malware ensures that it is the only malware running on a compromised device by keeping a whitelist of the processes that were already running when it arrived; any further attempt to run a command on the device is blocked.
Finally, the aspect that most differentiates ZHtrap from the majority of other botnets is its ability to turn compromised devices into honeypots. In cybersecurity, a honeypot is a tool set up to attract malware attacks so that sample code, scans, and potential exploits can be collected. ZHtrap reverses this technique: it instructs captured devices to listen on a list of 23 ports, and every IP address that attempts to connect to those ports is fed to the malware's scanning module as a new potential target.
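One defensive consequence of the honeypot behaviour described above is that an infected device suddenly exposes many new listening ports. The following is an added example, not code from the article or from 360 Netlab: it parses constructed `ss -ltn`-style listener inventories from two points in time and flags devices whose set of listening ports has jumped by a large number. Device names, port numbers and the threshold are constructed assumptions, not real ZHtrap indicators.

```python
import re
from typing import Dict, List, Set

# Constructed "ss -ltn"-style output per device, as a fleet inventory job might
# collect it. The port values are sample data, not ZHtrap's actual port list.
BASELINE_RAW: Dict[str, str] = {
    "dvr-01": "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:554 0.0.0.0:*",
    "router-02": "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*\nLISTEN 0 128 *:443 *:*\n"
                 "LISTEN 0 5 0.0.0.0:1900 0.0.0.0:*",
}
CURRENT_RAW: Dict[str, str] = {
    # dvr-01 has sprouted 23 new listeners since the baseline was taken.
    "dvr-01": BASELINE_RAW["dvr-01"]
              + "".join(f"\nLISTEN 0 128 0.0.0.0:{p} 0.0.0.0:*" for p in range(20001, 20024)),
    # router-02 gained a single port, which on its own is weak evidence.
    "router-02": BASELINE_RAW["router-02"] + "\nLISTEN 0 128 [::]:8080 [::]:*",
}

# Matches the local address column (IPv4, IPv6 in brackets, or "*") and captures the port.
_LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s", re.MULTILINE)


def listening_ports(ss_output: str) -> Set[int]:
    """Extract the set of TCP ports in LISTEN state from ss -ltn style text."""
    return {int(port) for port in _LISTEN_LINE.findall(ss_output)}


def new_listeners(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[int]]:
    """Per device, the ports that listen now but did not in the baseline snapshot."""
    return {
        dev: listening_ports(raw) - listening_ports(baseline.get(dev, ""))
        for dev, raw in current.items()
    }


def flag_honeypot_conversion(baseline: Dict[str, str], current: Dict[str, str],
                             threshold: int = 10) -> List[str]:
    """Devices whose count of newly opened listening ports reaches the threshold.

    A legitimate firmware update rarely opens ten or more new ports at once, so a
    jump of that size is worth an alert and a closer look at the device.
    """
    return sorted(dev for dev, ports in new_listeners(baseline, current).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    delta = new_listeners(BASELINE_RAW, CURRENT_RAW)
    for dev in flag_honeypot_conversion(BASELINE_RAW, CURRENT_RAW):
        print(f"{dev}: {len(delta[dev])} new listening ports: {sorted(delta[dev])}")
```

In a real deployment the snapshots would come from a periodic inventory job or a network scanner rather than inline strings, and the threshold should be tuned to the fleet's normal change rate.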