Specifically, it targets the following:
ASUS routers (via N-day exploits)
Huawei routers (via CVE-2017-17215)
Neterbit routers (custom exploit)
LB-Link routers (via CVE-2023-26801)
Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856)
PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)
Kguard DVR
Lilin DVR (via remote code execution exploits)
Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)
Vimar smart home devices (likely using an undisclosed vulnerability)
Various 5G/LTE devices (likely via misconfigurations or weak credentials)
The botnet features a brute-forcing module for weak Telnet passwords, uses custom UPX packing with unique signatures, and implements Mirai-based command structures for updating clients, scanning networks, and conducting DDoS attacks.
Figure: Botnet attack volumes (Source: X Lab)
X Lab reports that the botnet’s DDoS attacks are short in duration, lasting between 10 and 30 seconds, but high in intensity, exceeding 100 Gbps in traffic, which can cause disruptions even for robust infrastructures.
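Bursts this short are easy to miss when traffic is averaged over multi-minute polling intervals. The following added example (not from X Lab or the original article) compares a 5-minute average with per-second burst detection on constructed traffic data; the function names, the 50 Gbps threshold, and the sample series are assumptions for illustration.

```python
# Added example: constructed data, hypothetical names and thresholds.
from dataclasses import dataclass

@dataclass
class Burst:
    start: int        # index of the first second at or above threshold
    duration: int     # seconds from first to last hot sample
    peak_gbps: float

def find_bursts(gbps_per_sec, threshold_gbps, min_len=5, max_gap=2):
    """Return runs of seconds at or above threshold_gbps.

    Dips of up to max_gap seconds inside a run are tolerated so one
    noisy sample does not split a burst; runs shorter than min_len
    seconds are dropped as noise.
    """
    bursts, start, last_hot, peak = [], None, None, 0.0
    for i, rate in enumerate(gbps_per_sec):
        if rate >= threshold_gbps:
            if start is None:
                start, peak = i, rate
            last_hot, peak = i, max(peak, rate)
        elif start is not None and i - last_hot > max_gap:
            if last_hot - start + 1 >= min_len:
                bursts.append(Burst(start, last_hot - start + 1, peak))
            start = None
    # Close a burst that is still open when the series ends.
    if start is not None and last_hot - start + 1 >= min_len:
        bursts.append(Burst(start, last_hot - start + 1, peak))
    return bursts

def window_average(gbps_per_sec, window=300):
    """Mean rate per fixed window, as a coarse 5-minute poller reports it."""
    chunks = [gbps_per_sec[i:i + window]
              for i in range(0, len(gbps_per_sec), window)]
    return [sum(c) / len(c) for c in chunks]

# Constructed sample: 10 minutes of per-second inbound rate for one
# destination, 2 Gbps baseline, one 20-second flood at 110 Gbps with a
# one-second dip to 40 Gbps in the middle.
SAMPLE = [2.0] * 600
for s in range(200, 220):
    SAMPLE[s] = 110.0
SAMPLE[210] = 40.0

if __name__ == "__main__":
    print(window_average(SAMPLE))                    # coarse 5-minute view
    print(find_bursts(SAMPLE, threshold_gbps=50.0))  # per-second view
```

On the constructed series, the 5-minute average stays below 10 Gbps while the per-second scan reports a single 20-second burst peaking at 110 Gbps.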
“The targets of attacks are all over the world and distributed in various industries,” explains X Lab.
“The main targets of attacks are distributed in China, the United States, Germany, the United Kingdom, and Singapore,” the researchers say.
Overall, the botnet demonstrates a unique capability to maintain high infection rates across diverse device types using exploits for n-day and even zero-day flaws.
Users can protect their devices by following the general recommendation to install the latest device updates from the vendor, disable remote access if not needed, and change the default admin account credentials.