Sunday, February 9, 2025
New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
Trend Micro has observed large-scale DDoS attack commands being sent from an IoT botnet's command-and-control (C&C) server against targets in Japan and other countries since late 2024.

The commands targeted a range of companies, including major Japanese corporations and banks.

While a direct link cannot be confirmed, some of the targeted organizations reported temporary connection and network disruptions during the same period, coinciding with the observed attack commands.

Emerging Threats from IoT Botnets Focusing on Japan

This Mirai/Bashlite-based botnet infects IoT devices by exploiting remote code execution (RCE) vulnerabilities or by guessing weak passwords. Infection is staged: the device first downloads a script, which then fetches a loader executable from a distribution server.

The loader in turn retrieves the actual malware payload from the server using a specialized User-Agent header and executes it in memory.

Once running, the malware polls the C&C server for commands to launch DDoS attacks (SYN flood, TCP ACK flood, UDP flood, etc.) or to turn the device into a proxy server.
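The staged download chain described above (script, then loader, then a payload fetched with an unusual User-Agent) leaves a recognisable pattern in egress logs from an IoT segment. The following is an added example, not code from the article or from Trend Micro's analysis: it groups constructed log lines per client and destination host and alerts when a fetch with an unrecognised User-Agent follows a downloader-style fetch (wget, curl, BusyBox) from the same client to the same host within a short window. The log format, the sample entries, the User-Agent strings (the article does not give the real header value), the baseline regexes and the 300-second window are all assumptions.

```python
"""Correlate IoT-segment egress logs into the staged download pattern described above.

Added example; the log format, entries and User-Agent strings are constructed assumptions.
"""
import re
import shlex
from collections import defaultdict

# Constructed log lines: epoch, client, method, destination host, path, quoted User-Agent.
# Not real traffic; the hosts are documentation-range addresses.
SAMPLE_LOG = """\
1735400000 192.168.10.23 GET 203.0.113.10 /bins/x86.sh "Wget/1.21"
1735400002 192.168.10.23 GET 203.0.113.10 /bins/loader.arm7 "Wget/1.21"
1735400005 192.168.10.23 GET 203.0.113.10 /bins/bot.arm7 "ldr-agent/0.1"
1735400200 192.168.10.40 GET 198.51.100.7 /fw/update.bin "VendorUpdater/2.3"
1735400300 192.168.10.41 GET 192.0.2.50 /index.html "Mozilla/5.0 (X11; Linux)"
"""

# User-Agents typical of the first two stages (script and loader fetched by a generic downloader).
DOWNLOADER_UA = re.compile(r"^(Wget|curl|BusyBox)", re.IGNORECASE)
# User-Agents considered normal on this segment; anything else is "unrecognised". Assumed baseline.
BASELINE_UA = re.compile(r"^(Mozilla|Wget|curl|BusyBox)", re.IGNORECASE)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path, ua = shlex.split(line)
        events.append({"ts": int(ts), "client": client, "host": host, "path": path, "ua": ua})
    return events


def find_staged_downloads(events, window=300):
    """Alert when a client fetches from a host with an unrecognised User-Agent shortly after
    fetching from the same host with a generic downloader: the script -> loader -> payload chain.

    A lone unrecognised User-Agent (e.g. a vendor firmware updater) does not alert on its own;
    the preceding downloader fetch to the same host is what distinguishes the staged chain.
    """
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["client"], ev["host"])].append(ev)

    alerts = []
    for (client, host), evs in by_pair.items():
        for i, ev in enumerate(evs):
            if BASELINE_UA.match(ev["ua"]):
                continue
            stages = [e for e in evs[:i]
                      if ev["ts"] - e["ts"] <= window and DOWNLOADER_UA.match(e["ua"])]
            if stages:
                alerts.append({
                    "client": client,
                    "host": host,
                    "paths": [e["path"] for e in stages] + [ev["path"]],
                    "custom_ua": ev["ua"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_staged_downloads(parse_log(SAMPLE_LOG)):
        print(f"{alert['client']} -> {alert['host']}: {', '.join(alert['paths'])} "
              f"(payload fetched with UA {alert['custom_ua']!r})")
```

On the sample data only the 192.168.10.23 chain alerts; the firmware updater on 192.168.10.40 has an unrecognised User-Agent but no preceding downloader fetch, so it is left alone. In practice the baseline would be learned per device class from proxy or DNS logs rather than hard-coded.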

Figure: Code to download binaries from the distribution server with a custom User-Agent header

The malware employs several evasion techniques. Mirroring earlier Mirai samples, it disables the hardware watchdog timer so that the device is not rebooted by the watchdog when a DDoS attack drives system load high.

It also manipulates iptables rules to hinder infection detection and to hide its DDoS activity. By blocking inbound TCP connections on the WAN side it prevents other malware from re-infecting the device, while management access from the internal network is kept open.

The rules are configured dynamically so that the malware can still receive UDP packets from the internet, and it suppresses TCP RST packets in order to conceal its activity.
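The three iptables behaviours described above (blocking WAN-side TCP, accepting UDP from outside, dropping TCP RST packets) can be checked for on a suspect device from an iptables-save dump. The following is an added example, not the article's or Trend Micro's code: the two dumps are constructed to resemble the described rule set and an ordinary router policy, and the WAN interface name eth0, the rule text and the verdict logic are assumptions. A blanket drop of unsolicited WAN TCP is normal on many routers, so the verdict keys on the RST-suppression rule or on the combination of open WAN UDP with blocked WAN TCP rather than on any single rule.

```python
"""Audit an iptables-save dump for the rule pattern attributed to the botnet above.

Added example; the sample dumps and the interface name are assumptions, not data from the article.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed iptables-save excerpt modelled on the behaviour described in the article.
SUSPECT_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br-lan -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -j ACCEPT
-A INPUT -i eth0 -p tcp -j DROP
-A OUTPUT -p tcp --tcp-flags RST RST -j DROP
COMMIT
"""

# Constructed dump of an ordinary home-router policy, for comparison.
BENIGN_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br-lan -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    raw: str
    target: Optional[str] = None
    proto: Optional[str] = None
    in_if: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[str] = None
    tcp_flags: Tuple[str, ...] = ()   # flags required to be set (second argument of --tcp-flags)
    negated: bool = False             # rule used a '!' match; the simplified audit skips it


def parse_rules(dump: str) -> List[Rule]:
    """Parse the '-A CHAIN ...' lines of an iptables-save dump; other lines are ignored."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1], raw=line.strip())
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                rule.negated = True
                i += 1
            elif tok in ("-j", "--jump"):
                rule.target = toks[i + 1]; i += 2
            elif tok in ("-p", "--protocol"):
                rule.proto = toks[i + 1].lower(); i += 2
            elif tok in ("-i", "--in-interface"):
                rule.in_if = toks[i + 1]; i += 2
            elif tok in ("-s", "--source"):
                rule.src = toks[i + 1]; i += 2
            elif tok == "--dport":
                rule.dport = toks[i + 1]; i += 2
            elif tok == "--tcp-flags":
                rule.tcp_flags = tuple(f.upper() for f in toks[i + 2].split(",")); i += 3
            else:
                i += 1   # match modules (-m tcp, --ctstate ...) do not affect this audit
        rules.append(rule)
    return rules


def audit_rules(rules: List[Rule], wan_if: str = "eth0") -> List[Tuple[str, str]]:
    """Return (finding, rule text) pairs for rules matching the three described behaviours."""
    findings = []
    for r in rules:
        if r.negated:
            continue
        unrestricted = r.src is None and r.dport is None
        if r.proto == "tcp" and r.target == "DROP" and "RST" in r.tcp_flags:
            findings.append(("rst_suppression", r.raw))
        elif (r.chain == "INPUT" and r.in_if == wan_if and r.proto == "udp"
              and r.target == "ACCEPT" and unrestricted):
            findings.append(("wan_udp_open", r.raw))
        elif (r.chain == "INPUT" and r.in_if == wan_if and r.proto == "tcp"
              and r.target in ("DROP", "REJECT") and unrestricted and not r.tcp_flags):
            findings.append(("wan_tcp_blocked", r.raw))
    return findings


def is_suspect(dump: str, wan_if: str = "eth0") -> bool:
    """RST suppression alone, or open WAN UDP together with blocked WAN TCP, is the pattern."""
    kinds = {kind for kind, _ in audit_rules(parse_rules(dump), wan_if)}
    return "rst_suppression" in kinds or {"wan_udp_open", "wan_tcp_blocked"} <= kinds


if __name__ == "__main__":
    for name, dump in (("suspect", SUSPECT_DUMP), ("benign", BENIGN_DUMP)):
        print(name, "->", "SUSPECT" if is_suspect(dump) else "clean")
        for kind, raw in audit_rules(parse_rules(dump)):
            print("   ", kind, ":", raw)
```

Feed it the output of `iptables-save` (or `iptables-save -t filter`) collected from the device, and pass the real WAN interface name; on devices that use nftables the dump would need a different parser, but the three checks are the same.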

Figure: Malware code that disables the watchdog timer

DDoS attacks observed between December 27, 2024, and January 4, 2025 targeted organizations across North America, Europe, and Asia, concentrated in the United States, Bahrain, and Poland.

The Trend Micro analysis revealed distinct command patterns depending on the target region. Attacks against Japanese targets frequently employed the “stomp” command, while “gre” was more common for international targets. 

In Japan, the attacks hit the transportation, information and communication, and finance and insurance sectors. International attacks focused on the information and communication and finance and insurance industries, with no attacks observed against the transportation sector.

Figure: Targeted industries

The actor behind these attacks demonstrated adaptability and tested new commands like “socket” and “handshake” against Japanese organizations after initial defenses were implemented.

Figure: The iptables rules that the malware sets in its initialization phase

Analysis of the botnet identified 348 compromised devices. Around 80% were wireless routers, from vendors such as TP-Link and Zyxel, while IP cameras, particularly Hikvision models, also made up a significant share.

These devices are easy prey because of persistent default settings, outdated firmware, and inadequate built-in security features, which let attackers compromise them with little effort and use them for DDoS attacks and network intrusions.

Mitigation Strategies Against DDoS Attacks and IoT Vulnerabilities

Mitigating botnet infections and the DDoS attacks they power starts with the devices themselves: change default credentials, update firmware regularly, and place IoT devices on a segmented network.

Restrict remote access, keep an inventory of managed devices, and monitor network traffic for anomalies.

Against UDP floods, block offending source addresses and unneeded protocols at the network edge, coordinate with upstream service providers, and make sure router hardware is sized to absorb the load.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
