IoT Botnet Used in Website Hacking Attacks
9.12.2017 securityweek IoT BotNet
Embedded Malware Launches SOCKS Proxy Server on Infected IoT Devices
A botnet of Linux-based Internet of Things (IoT) devices is currently being used in a campaign attempting to hack websites, Doctor Web security researchers warn.
Called Linux.ProxyM, the malware has been around since February of this year, and was previously used in spam campaigns. The Trojan was designed to launch a SOCKS proxy server on infected devices and allows attackers to leverage the proxy to perform nefarious operations while hiding their tracks.
To date, the malware has been observed targeting devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. Basically, it can infect “almost any Linux device, including routers, set-top boxes, and other similar equipment,” the researchers say.
Previous malicious campaigns leveraging the botnet were sending spam emails, with each infected device generating around 400 messages per day in September, Doctor Web says.
Soon after, the bot started sending phishing messages. The emails supposedly came from DocuSign, a service that lets users download, view, sign, and track the status of electronic documents.
The phishing messages included a link to a fake DocuSign website featuring an authorization form, in an attempt to trick users into entering their credentials. The victims were then redirected to the real DocuSign authorization page, while their login details were sent to the attackers.
In December, Linux.ProxyM’s proxy server started being used to hack websites through various methods, including SQL injection, Cross-Site Scripting (XSS), and Local File Inclusion (LFI). The actors operating the botnet targeted game servers, forums, and resources on other topics, including Russian websites.
On Dec. 7, the security researchers observed 20,000 attacks launched by the botnet. About a month ago, the bots were launching nearly 40,000 attacks per day.
“Although Linux.ProxyM has only one function—a proxy server—cybercriminals continue finding new opportunities to use it for illegal actions and showing increasing interest in the ‘Internet of things’,” Doctor Web points out.