16 March 2021

ZHtrap botnet turns infected devices into honeypots to find new victims


ZHtrap botnet turns infected devices into honeypots to find new victims

Security researchers have spotted a new botnet malware that is turning infected devices into honeypots in order to ensnare new victims.

Dubbed ZHtrap by researchers at Qihoo 360’s Netlab network security division, the new botnet is based on Mirai IoT malware and supports x86, ARM, MIPS and other major CPU architectures. It compromises DVRs, CCTV cameras, Netgear routers, and Realtek-based devices by exploiting several known vulnerabilities, including CVE-2014-8361.

Once the ZHtrap commandeers a device, it prevents other rival malware from re-enfecting its bots by setting a whitelist that only allows already running system processes, blocking all attempts to run new commands.

In terms of functionality, the new malware has a number of capabilities common for these types of botnets, such as DDoS attacks and Telnet scanning, however, it also comes with a backdoor functionality that allows the ZHtrap operators to download and execute malicious payloads.

The most interesting part of ZHtrap is its ability to transform infected devices into a honeypot, a tool that is usually used by security researchers to capture and observe attacks on vulnerable systems. In this case the ZHtrap operators used a similar technique to achieve their own goals, specifically, to collect the IP addresses belonging to the scan and exploit bots operated by other botnets.

“ZHtrap will listen to 23 designated ports, and if it finds an IP connecting to these ports it will record it as a scanner IP, and all the recorded IPs will be scanned in its own scanning module, so that the target addresses used in the ZHtrap scanning process will have 2 sources - randomly generated IPs and scanner IPs captured by the above module,” the researchers explained.

The Netlab team said they discovered three ZHtrap versions so far, suggesting that the malware is still in a development stage.


Back to the list

Latest Posts

Cyber Security Week in Review: April 12, 2024

Cyber Security Week in Review: April 12, 2024

In brief: Microsoft and Palo Alto fix zero-days, Sisense suffers data breach, and more.
12 April 2024
TA547 threat actor targets German orgs with Rhadamanthys info-stealer

TA547 threat actor targets German orgs with Rhadamanthys info-stealer

The group appears to have incorporated LLM-generated PowerShell scripts in their attacks.
11 April 2024
Apple enhances spyware threat notifications

Apple enhances spyware threat notifications

The company will alert users who are individually targeted by mercenary spyware attacks.
11 April 2024