
New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices

Trend Micro has observed large-scale DDoS attack commands being sent from an IoT botnet's C&C server, targeting Japan and other countries since late 2024.

The commands targeted a range of organizations, including major Japanese corporations and banks.

While a direct link cannot be confirmed, some of the targeted organizations reported temporary connection and network disruptions during the same period, coinciding with the observed attack commands.

Emerging Threats from IoT Botnets Focusing on Japan

This Mirai/Bashlite-based botnet infects IoT devices by exploiting RCE vulnerabilities or guessing weak passwords. The infection chain begins with a downloaded script that fetches a loader executable from a distribution server.

The loader then retrieves the actual malware payload from the server using a specialized User-Agent header and executes it in memory.

The malware contacts the C&C server for commands, either to launch DDoS attacks (SYN flood, TCP ACK flood, UDP flood, etc.) or to turn the device into a proxy server.

Code to download binaries from the distribution server with a custom User-Agent header
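The loader-to-payload fetch described above is a natural place to look for the infection in egress or proxy logs. The following is an added example, not code from the article or from Trend Micro: it assumes a proxy log format carrying client IP, method, URL, status, response size and the quoted User-Agent, an allowlist of User-Agents expected from the IoT segment, and the heuristic that a non-allowlisted User-Agent downloading a sizeable file from a host addressed by bare IP is worth a look. The sample log lines, the `xyz-loader/1.0` User-Agent and the `FirmwareUpdater` allowlist entry are constructed for illustration; the article does not disclose the botnet's actual User-Agent value.

```python
"""Flag HTTP fetches that look like a bot loader pulling its payload.

Added example, not the article's or Trend Micro's code. Assumes a proxy log
with: client_ip method url status bytes "user-agent" per line. The sample
lines and User-Agent strings below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# User-Agents we expect from the IoT segment (assumption: a site-specific allowlist).
EXPECTED_UA = [
    re.compile(r"^Mozilla/5\.0 "),              # browsers and device admin UIs
    re.compile(r"^FirmwareUpdater/\d+\.\d+"),   # hypothetical vendor update client
]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10.20.0.5 GET https://cdn.example/js/app.js 200 4821 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
10.20.0.17 GET http://203.0.113.9/bins/loader.arm7 200 71234 "xyz-loader/1.0"
10.20.0.17 GET http://203.0.113.9/payload 200 118880 "xyz-loader/1.0"
10.20.0.9 GET http://fw.example-vendor.com/update.bin 200 950000 "FirmwareUpdater/2.1"
10.20.0.17 POST https://203.0.113.9/api 404 0 "Mozilla/5.0 (Linux; Android 13) Chrome/119.0"
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bare_ip_host(url: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_payload_fetch(rec: dict) -> bool:
    """Heuristic (assumption): successful GET of a non-trivial body, from a
    User-Agent outside the allowlist, to a host addressed by bare IP."""
    if rec["method"] != "GET" or rec["status"] != "200":
        return False
    if int(rec["bytes"]) < 4096:            # assumption: payloads are not tiny
        return False
    if any(p.search(rec["ua"]) for p in EXPECTED_UA):
        return False
    return is_bare_ip_host(rec["url"])


def find_suspicious_fetches(log_text: str) -> list:
    """All parsed records that satisfy looks_like_payload_fetch."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_payload_fetch(rec):
            hits.append(rec)
    return hits


def loader_clients(log_text: str) -> dict:
    """Group suspicious fetches by client IP, so a two-stage chain (loader,
    then payload) coming from one device stands out as a single incident."""
    out = {}
    for rec in find_suspicious_fetches(log_text):
        out.setdefault(rec["ip"], []).append(rec["url"])
    return out


if __name__ == "__main__":
    for ip, urls in loader_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(urls))
```

The allowlist is the part that has to be tuned per environment: IoT devices usually speak with a small, stable set of User-Agents, which is exactly why an unfamiliar one fetching a binary from a bare-IP host is a cheap and reasonably precise signal. Two flagged fetches from the same client in quick succession match the loader-then-payload staging the article describes.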

It employs several evasion techniques. Mirroring earlier Mirai behavior, it disables the watchdog timer so that the high load generated during DDoS attacks does not trigger a system restart.

It also manipulates iptables rules to hinder infection detection and DDoS attack visibility. By blocking WAN-side TCP connections it aims to prevent cross-infection by other malware, while keeping management access open from the internal network.

Because the rules are configured dynamically, the malware can still receive UDP packets from outside while suppressing outgoing TCP RST packets, concealing its activity.
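The iptables manipulation described above leaves a recognizable footprint in `iptables-save` output on an infected device. Below is an added example, not code from the article or from Trend Micro, that parses a dump in `iptables-save` syntax and reports the three behaviours the text describes: a blanket drop of TCP arriving on the WAN interface (with LAN-side management left open), UDP accepted from anywhere, and outgoing TCP RST packets dropped. The interface names `eth0` and `br0` and the sample rule set are constructed to mirror the described behaviour; they are assumptions, not the malware's literal rules.

```python
"""Audit an iptables-save dump for the rule pattern described in the article.

Added example, not the article's or Trend Micro's code. Assumes iptables-save
syntax and a known WAN interface name. The sample dump is constructed to
mirror the described behaviour and is not the malware's literal rule set.
"""
import shlex

WAN_IF = "eth0"   # assumption: WAN-facing interface on this device
LAN_IF = "br0"    # assumption: internal bridge carrying management traffic

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -j DROP
-A INPUT -p udp -j ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT
"""


def parse_rules(dump: str) -> list:
    """Turn each '-A CHAIN ...' line into a dict of the options we care about."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1], "raw": line, "in": None, "proto": None,
                "dport": None, "tcp_flags": None, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in ("-i", "--in-interface"):
                rule["in"] = toks[i + 1]; i += 2
            elif t in ("-p", "--protocol"):
                rule["proto"] = toks[i + 1]; i += 2
            elif t in ("--dport", "--destination-port"):
                rule["dport"] = toks[i + 1]; i += 2
            elif t == "--tcp-flags":
                rule["tcp_flags"] = (toks[i + 1], toks[i + 2]); i += 3   # (mask, set)
            elif t in ("-j", "--jump"):
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 1   # skip options we do not model (e.g. '-m tcp')
        rules.append(rule)
    return rules


def audit(dump: str, wan_if: str = WAN_IF) -> list:
    """Return one finding string per rule matching the described pattern."""
    findings = []
    for r in parse_rules(dump):
        # Blanket drop of all TCP arriving on the WAN side (no port restriction).
        if (r["chain"] == "INPUT" and r["in"] == wan_if and r["proto"] == "tcp"
                and r["dport"] is None and r["target"] == "DROP"):
            findings.append("blanket WAN TCP drop: " + r["raw"])
        # UDP accepted from any interface and any port: keeps C&C/DDoS UDP flowing.
        if (r["chain"] == "INPUT" and r["proto"] == "udp" and r["in"] is None
                and r["dport"] is None and r["target"] == "ACCEPT"):
            findings.append("UDP accepted from anywhere: " + r["raw"])
        # Outgoing RST suppressed: the box stops telling peers a port is closed.
        if (r["chain"] == "OUTPUT" and r["tcp_flags"] is not None
                and "RST" in r["tcp_flags"][1].split(",") and r["target"] == "DROP"):
            findings.append("outgoing TCP RST suppressed: " + r["raw"])
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f)
```

Run it against `iptables-save` output collected from the device. Any one of these rules can be legitimate hardening on its own; the indicator is the combination, especially the RST suppression, appearing on a device whose administrator never configured it.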

Malware code to disable the Watchdog timer

DDoS attacks observed between December 27, 2024, and January 4, 2025 targeted organizations across North America, Europe, and Asia, with a concentration in the United States, Bahrain, and Poland.

Trend Micro's analysis revealed distinct command patterns depending on the target region. Attacks against Japanese targets frequently used the "stomp" command, while "gre" was more common against international targets.

Attacks on Japanese targets hit the transportation, information and communication, and finance and insurance sectors. International attacks focused primarily on information and communication and finance and insurance, with no attacks observed against the transportation sector.

Targeted Industries

The actor behind these attacks demonstrated adaptability, testing new commands such as "socket" and "handshake" against Japanese organizations after initial defenses were put in place.

The iptables rules that the malware set in the initialization phase

Analysis of the botnet identified 348 compromised devices, primarily wireless routers (80%) from vendors such as TP-Link and Zyxel; IP cameras, particularly from Hikvision, also accounted for a significant share.

Factors contributing to their compromise include unchanged default settings, outdated firmware, and inadequate security features, which let attackers easily take over these devices and use them for DDoS attacks and network intrusions.

Mitigation Strategies Against DDoS Attacks and IoT Vulnerabilities

To mitigate botnet infections and DDoS attacks, implement robust security measures. Secure IoT devices by changing default credentials, updating firmware regularly, and segmenting IoT networks from the rest of the environment.

Restrict remote access, keep an inventory of devices and manage them actively, and monitor network traffic for anomalies.

Mitigate UDP floods by blocking specific IP addresses and protocols, coordinating with service providers, and strengthening router hardware.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
