Sunday, May 19, 2024

Bigpanzi Bot Hacks 170,000+ Android TVs to Launch DDoS Attacks

Android TVs are widely used, and due to their wide adoption, threat actors frequently target them for unauthorized access or data theft.

In Android smart TVs, the vulnerabilities in outdated software or third-party apps can be exploited.

The interconnected nature of the smart or Android TVs makes them potential targets for the threat actors seeking to compromise user privacy or launch broader attacks within home networks.

Cybersecurity researcher Alex.Turing, Acey9, and rootkiter recently discovered more than 170000 Android TVs were hacked by the “Bigpanzi” bot to Launch DDoS attacks.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Bigpanzi Bot Hacks 170,000+ Android TVs

A sneaky ELF sample dubbed “pandoraspear” was recently discovered by security researchers with zero detection on VirusTotal. It primarily hides the C2 domains, but analysts managed to catch them and found 170,000 daily active bots, mainly in Brazil.

Botnet nodes across Brazil (Source -Xlab Qianxin)
Botnet nodes across Brazil (Source -Xlab Qianxin)

The group fought back with DDoS and host file manipulations. They aimed at Android devices with malicious scripts and APKs, exposing a major cybercrime syndicate named “Bigpanzi.” 

Their scheme involves luring users to install apps and turning devices into nodes for illegal streaming, DDoS, and piracy. Bigpanzi goes beyond DDoS by hijacking TVs for real-world attacks, like the UAE incident on December 11, 2023, showing conflict footage. 

The Bigpanzi-controlled devices pose a serious threat by broadcasting violent or propaganda content by risking social order.

Security researchers found the downloader domain in the Pcdn sample. The Google search unveiled two leads, “device upgrade instructions” and “repair guidance.” 

Noteworthy was the YouTube channel:-

  • https[:]//[.]com/@customersupportteam49

This YouTube channel was filled with official-sounding device operation videos. FoneStar’s RDS-585WHD page harbored eCos firmware b0a192c6f2bbd7247dfef36665bf6c88, matching Pcdn’s DDoS task names, branding it “official firmware embedded with malware.” 

Discovery of an “official video account” and “official malware-infused firmware” fueled speculation on Bigpanzi’s true identity.

Botnet with 100,000 is likely larger, and Bigpanzi bot infects Android and eCos platforms using three methods.

Here below we have mentioned those three methods:-

  • Pirated movie & TV apps (Android)
Pirated movie & TV apps (Source -Xlab Qianxin)
Pirated movie & TV apps (Source -Xlab Qianxin)
  • Backdoored generic OTA firmware (Android)
Backdoored generic OTA firmware (Source -Xlab Qianxin)
Backdoored generic OTA firmware (Source -Xlab Qianxin)
  • Backdoored “SmartUpTool” firmware (eCos)
Backdoored 'SmartUpTool' firmware (Source -Xlab Qianxin)
Backdoored ‘SmartUpTool’ firmware (Source -Xlab Qianxin)

Moreover, to infect the devices that are running Android or eCos systems,  the Bigpanzi spreads backdoored firmware via several STB, DVB, and IPTV forums.


Here below, we have mentioned all the countermeasures:-

  • Modified UPX Shell
  • Dynamic Linking
  • OLLVM Techniques
  • Anti-Debugging Mechanism

Besides this, cybersecurity analysts identified “Fl00dce690167abeee4326d5369cceffadaaf,” which is a DDoS Builder. 

The operational interface has a ‘slave’ button for configuration that generates bot samples for STB, Linux, and Windows. Initially doubted Bigpanzi’s DDoS involvement, but DDoS Builder discovery confirms long-term engagement. 

However, no tracked attack commands suggest a focus shift to lucrative content business lines, Android TV, and STBs. The adaptability of Bigpanzi highlighted its evolution in the threat landscape.

Bigpanzi operated covertly and managed to collect wealth for eight years which resulted in a vast network of samples, domains, and IPs. Complex connections exist due to code and infrastructure reuse.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.


Latest articles

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make...

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles