
Cybersecurity researchers have lifted the curtain on a stealth botnet designed for distributed denial of service (DDoS) attacks.
The botnet, called Masjesu, has been promoted as a rental DDoS service through Telegram since it first appeared in 2023. This botnet can target a wide range of IoT devices across multiple architectures, including routers and gateways.
“Created with persistence and low visibility in mind, Masjesu deliberately avoids blocklisted IP ranges, such as those belonging to the Department of Defense (DoD), to ensure long-term survival, preferring a cautious and conservative approach to widespread infection,” Trellix security researcher Mohideen Abdul Kader F. said in a report on Tuesday.
It is worth noting that this commercial offering also goes by the name XorBot, a reference to its use of XOR-based encryption to hide strings, configuration, and payload data. The botnet was first documented by Chinese security vendor NSFOCUS in December 2023, which linked it to an operator named “synmaestro.”
A subsequent iteration of the botnet observed a year later was found to have added 12 different command injection and code execution exploits for initial access, targeting routers, cameras, DVRs, and NVRs from D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, and Vacron. A new module for carrying out DDoS flood attacks had also been added.
“As an emerging botnet family, XorBot has shown strong growth momentum, continually infiltrating and taking control of new IoT devices,” NSFOCUS said in November 2024. “In particular, these controllers are increasingly using social media platforms such as Telegram as their primary channel for recruitment and promotion, attracting target ‘customers’ through initial aggressive promotional efforts and laying a solid foundation for subsequent botnet expansion and development.”

Trellix’s latest findings show that Masjesu advertised its diverse botnet infrastructure and its suitability for targeting content delivery networks (CDNs), game servers, and enterprises, touting its ability to carry out high-volume DDoS attacks. Attacks by this botnet primarily originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for nearly 50% of observed traffic.
Once deployed on a compromised device, the malware creates a socket and binds to a hardcoded TCP port (55988), allowing the attacker to connect directly. If this operation fails, the attack chain is stopped immediately.
Otherwise, the malware sets up persistence, ignores termination-related signals, and kills commonly used processes such as wget and curl to thwart competing botnets. It then connects to an external server to receive DDoS attack commands and executes them against the intended target.
Masjesu also has self-propagation capabilities, allowing it to probe random IP addresses for open ports and integrate successfully compromised devices into its infrastructure. One notable addition to the list of exploit targets is Realtek routers, which it locates by scanning port 52869, the port associated with the Realtek SDK’s miniigd daemon. Several DDoS botnets, including JenX and Satori, have adopted the same approach in the past.
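The two network behaviours described above (a listener on the hardcoded TCP port 55988 and outbound fan-out to port 52869 during propagation) translate directly into detection heuristics. The following is an added example written for this article, not Trellix or NSFOCUS code; it assumes a constructed flow-log format of one record per line, "epoch src_ip dst_ip dst_port", and the scan thresholds are tunable assumptions.

```python
"""Detection heuristics for the Masjesu/XorBot network behaviour above.
Added example (not vendor code). Assumed log format per line:
"<epoch> <src_ip> <dst_ip> <dst_port>" for TCP connection attempts."""
from collections import defaultdict

BIND_PORT = 55988          # hardcoded TCP port the bot listens on (per report)
REALTEK_PORT = 52869       # Realtek SDK miniigd port probed for propagation
SCAN_MIN_TARGETS = 5       # assumed threshold: distinct hosts within window
SCAN_WINDOW_SECONDS = 60   # assumed sliding window for the fan-out test

# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """\
1700000000 203.0.113.7 192.0.2.10 55988
1700000001 203.0.113.7 192.0.2.10 55988
1700000005 192.0.2.10 198.51.100.1 52869
1700000006 192.0.2.10 198.51.100.2 52869
1700000007 192.0.2.10 198.51.100.3 52869
1700000008 192.0.2.10 198.51.100.4 52869
1700000009 192.0.2.10 198.51.100.5 52869
1700000010 192.0.2.11 198.51.100.9 443
1700000011 192.0.2.12 198.51.100.20 52869
"""

def parse_flows(text):
    """Parse the assumed log format into (epoch, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            records.append((int(ts), src, dst, int(dport)))
    return records

def hosts_with_bind_port_traffic(records):
    """Internal hosts receiving connections on the hardcoded bind port."""
    return sorted({dst for _, _, dst, dport in records if dport == BIND_PORT})

def realtek_scanners(records, min_targets=SCAN_MIN_TARGETS, window=SCAN_WINDOW_SECONDS):
    """Sources that fan out to many distinct hosts on 52869 within the window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == REALTEK_PORT:
            by_src[src].append((ts, dst))
    flagged = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged.append(src)
                break
    return sorted(flagged)

def detect(text):
    """Run both heuristics over a flow log and return the flagged hosts."""
    records = parse_flows(text)
    return {"bind_port_hosts": hosts_with_bind_port_traffic(records),
            "scanners": realtek_scanners(records)}
```

Hosts that appear in both lists (accepting connections on 55988 and scanning 52869) are the strongest candidates for isolation and firmware review; a single probe to 52869 alone, as from 192.0.2.12 in the sample, stays below the threshold.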
“Botnets continue to grow by infecting a wide range of IoT devices across multiple architectures and manufacturers,” Trellix said. “In particular, Masjesu appears to avoid targeting sensitive and important organizations that could arouse significant legal or law enforcement attention, a strategy that is likely to improve the long-term viability of the organization.”
