16 March 2021

ZHtrap botnet turns infected devices into honeypots to find new victims

Security researchers have spotted a new botnet malware that is turning infected devices into honeypots in order to ensnare new victims.

Dubbed ZHtrap by researchers at Qihoo 360’s Netlab network security division, the new botnet is based on Mirai IoT malware and supports x86, ARM, MIPS and other major CPU architectures. It compromises DVRs, CCTV cameras, Netgear routers, and Realtek-based devices by exploiting several known vulnerabilities, including CVE-2014-8361.

Once ZHtrap commandeers a device, it prevents rival malware from re-infecting its bots by setting a whitelist that only allows already running system processes, blocking all attempts to run new commands.

In terms of functionality, the new malware has a number of capabilities common to these types of botnets, such as DDoS attacks and Telnet scanning. However, it also comes with backdoor functionality that allows the ZHtrap operators to download and execute malicious payloads.

The most interesting part of ZHtrap is its ability to transform infected devices into a honeypot, a tool usually used by security researchers to capture and observe attacks on vulnerable systems. In this case the ZHtrap operators use a similar technique for their own ends: collecting the IP addresses of the scan-and-exploit bots operated by other botnets.

“ZHtrap will listen to 23 designated ports, and if it finds an IP connecting to these ports it will record it as a scanner IP, and all the recorded IPs will be scanned in its own scanning module, so that the target addresses used in the ZHtrap scanning process will have 2 sources - randomly generated IPs and scanner IPs captured by the above module,” the researchers explained.
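As an added illustration (not code from the Netlab report or the article), here is a defender-side check over constructed connection-log records for the pattern the researchers describe: a device that starts accepting connections on many ports and shortly afterwards initiates its own Telnet probes toward the very addresses that connected to it. The log layout, the 10.0.0.0/24 local range, the monitored host and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample connection log (not from the article): each record is
# (timestamp_seconds, src_ip, dst_ip, dst_port). 10.0.0.5 is the monitored host.
SAMPLE_LOG = [
    (100, "203.0.113.10", "10.0.0.5", 23),
    (101, "203.0.113.10", "10.0.0.5", 2323),
    (102, "198.51.100.7", "10.0.0.5", 8080),
    (103, "198.51.100.7", "10.0.0.5", 81),
    (104, "198.51.100.7", "10.0.0.5", 5555),
    (105, "192.0.2.9", "10.0.0.5", 22),      # admin SSH; never probed back
    (200, "10.0.0.5", "203.0.113.10", 23),   # host turns around and probes its prober
    (201, "10.0.0.5", "198.51.100.7", 23),
    (202, "10.0.0.5", "10.99.1.1", 23),      # random target, not an earlier prober
]


def find_reflective_scanners(log, local_net="10.0.0.", min_ports=3, max_gap=600):
    """Return {local_host: sorted list of earlier probe sources it scanned back}.

    Pattern from the ZHtrap write-up: a device accepts connections on many
    ports (honeypot-style), records the connecting IPs, then feeds them into
    its own outbound scanning. A normal service neither listens on that many
    ports nor connects back to whoever knocked on them.
    """
    inbound = defaultdict(lambda: defaultdict(list))  # host -> src -> [(ts, port)]
    outbound = defaultdict(list)                      # host -> [(ts, dst)]
    for ts, src, dst, dport in sorted(log):
        if dst.startswith(local_net) and not src.startswith(local_net):
            inbound[dst][src].append((ts, dport))
        elif src.startswith(local_net) and not dst.startswith(local_net):
            outbound[src].append((ts, dst))

    findings = {}
    for host, sources in inbound.items():
        listened_ports = {p for recs in sources.values() for _, p in recs}
        if len(listened_ports) < min_ports:
            continue  # too few ports to look like a trap; skip
        scanned_back = set()
        for ts_out, dst in outbound.get(host, []):
            first_seen = min((t for t, _ in sources.get(dst, [])), default=None)
            if first_seen is not None and 0 < ts_out - first_seen <= max_gap:
                scanned_back.add(dst)
        if scanned_back:
            findings[host] = sorted(scanned_back)
    return findings


if __name__ == "__main__":
    print(find_reflective_scanners(SAMPLE_LOG))
```

The inbound-then-outbound correlation is what distinguishes this behaviour from an ordinary exposed service, so the check fires only when both halves are present within the time window.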

The Netlab team said they have discovered three ZHtrap versions so far, which suggests the malware is still under active development.
