In recent developments, a variant of the Mirai botnet named ZHtrap has been tracking and converting infected DVRs, routers, and UPnP devices into honeypots to help it find other infectable devices.
According to the cybersecurity researchers analyzing the botnet, ZHtrap shares code similarities with the Mirai botnet and can infect devices running x86, ARM, MIPS, and other CPU architectures.
For the unaware, a honeypot is a computer system that imitates a likely target of cyberattacks. It can be used to detect attacks or divert them away from a real target, and it can also be used to gather information about how cybercriminals operate.
Botnet operations:
Once the botnet has seized a target device, it prevents other malware from re-infecting its bots with the help of a whitelist that permits only existing system processes to run and blocks any other or new commands.
Using a command-and-control (C2) server, the botnet communicates with its other bot nodes and relies on Tor to hide the malicious traffic.
As far as its capabilities are concerned, the botnet can launch distributed denial-of-service (DDoS) attacks and can scan for other compromisable systems.
ZHtrap spreads by exploiting four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVRs, Netgear DGN1000 devices, and a long list of CCTV-DVR systems.
Botnets and honeypots:
Honeypots, as the name suggests, are generally deployed by security experts as decoy devices to capture attacks, collecting samples, scans, and exploits in the process.
The ZHtrap botnet, however, uses a honeypot-like approach for its own ends: it runs a module that collects the IPs of hosts scanning it and feeds those IPs into its own scanning module as targets.
ZHtrap listens on a list of 23 ports and passes every IP that connects to them to its scanning module as a likely target, thereby infecting those hosts in turn.
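Defenders can look for this honeypot-turned-scanner behaviour in their own flow or firewall logs: an internal host that starts accepting inbound connections on many unusual ports and then initiates connections back to the very IPs that touched it. The script below is an added example, not code from the article or from the analysis it summarises; the log format, IP addresses, port numbers and the `min_ports` threshold are all constructed assumptions.

```python
"""Flag hosts showing the ZHtrap-style 'honeypot turned scanner' pattern.

Added illustration; the flow format below is constructed for this example.
Assumed heuristic: an internal host is suspicious when it accepts inbound
connections on many distinct ports and later opens outbound connections
to the external IPs that had connected to it.
"""
from collections import defaultdict

# Constructed sample flow records: timestamp src dst dst_port (one per line)
SAMPLE_FLOWS = """\
1 198.51.100.7 10.0.0.5 23
2 198.51.100.7 10.0.0.5 5555
3 203.0.113.9 10.0.0.5 8080
4 203.0.113.9 10.0.0.5 49152
5 192.0.2.33 10.0.0.5 37215
6 10.0.0.5 198.51.100.7 23
7 10.0.0.5 203.0.113.9 5555
8 10.0.0.5 192.0.2.33 52869
9 198.51.100.7 10.0.0.8 22
10 10.0.0.8 203.0.113.50 443
"""


def parse_flows(text):
    """Parse the constructed format into (ts, src, dst, port) tuples, by time."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def is_internal(ip):
    """Assumed: the monitored network is 10.0.0.0/8."""
    return ip.startswith("10.")


def find_honeypot_scanners(flows, min_ports=3):
    """Return {host: sorted external IPs it accepted from and then scanned}."""
    inbound_ports = defaultdict(set)  # host -> ports it accepted from outside
    inbound_srcs = defaultdict(set)   # host -> external IPs that connected in
    reflected = defaultdict(set)      # host -> IPs it later connected back to
    for _, src, dst, port in flows:   # time order matters: inbound first
        if is_internal(dst) and not is_internal(src):
            inbound_ports[dst].add(port)
            inbound_srcs[dst].add(src)
        elif is_internal(src) and dst in inbound_srcs.get(src, set()):
            reflected[src].add(dst)
    return {h: sorted(ips) for h, ips in reflected.items()
            if len(inbound_ports[h]) >= min_ports}
```

In the sample, 10.0.0.5 accepts connections on five ports and then connects back to all three sources, while 10.0.0.8 only serves one port and scans an unrelated address, so only the former is flagged.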