ZHtrap malware turns infected devices into traps to search for new victims

Analysts at the Chinese security company Qihoo 360 Netlab have discovered a new malware family called ZHtrap, which turns infected devices such as routers, DVRs and other UPnP-enabled devices into traps that help it find the next targets for infection.

ZHtrap is based on the Mirai IoT malware and is built for x86, ARM, MIPS and other architectures.

Once it has taken over a device, ZHtrap locks out competing malware with a process whitelist: only the system processes that were already running are allowed to keep running, and every other process is blocked. It reaches its command-and-control servers over Tor and routes that traffic through a Tor proxy to hide it.

The botnet's main purposes are launching DDoS attacks and scanning for new vulnerable devices to infect. In addition, ZHtrap has backdoor functionality that lets its operators download and execute additional payloads on the device.

For distribution, ZHtrap uses exploits for four known vulnerabilities: in the Realtek SDK miniigd UPnP SOAP service, in MVPower DVRs, in the Netgear DGN1000 and in a CCTV-DVR flaw shared by many different vendors' models. It also brute-forces Telnet on devices with weak passwords, targeting both randomly generated IP addresses and addresses it collects with its built-in honeypots.

The honeypot functionality is perhaps ZHtrap's main distinguishing feature.

“Compared to other botnets we have analysed before, the most interesting part of ZHtrap is its ability to turn infected devices into a honeypot,” Bleeping Computer journalists write.

The malware uses these honeypots to collect the IP addresses of devices that may be vulnerable to its exploits or that are already infected with other malware, since a host that probes an unsolicited port is usually a scanner itself.

Once the honeypot is set up, ZHtrap listens on a list of 23 ports and forwards the IP address of every host that connects to any of them to its scanner module, which treats those hosts as candidates for future attacks.
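The hand-off from trap to scanner described above, modelled in miniature as an added example (this is not code from the ZHtrap sample or from 360 Netlab). The port list, the class and function names and the rule of skipping the device's own addresses are all assumptions made for the demo; the real sample's 23 ports are not listed on this page.

```python
"""Miniature model of the ZHtrap honeypot-to-scanner hand-off.

Added example, not code from the ZHtrap sample or from 360 Netlab. The port
list, class and function names and the own-address filter are assumptions.
"""
import asyncio
import ipaddress
from collections import deque

# Constructed port list for the demo; the real sample listens on 23 ports
# that this page does not enumerate.
TRAP_PORTS = [8023, 8080, 8081, 8443, 9000]


class TargetCollector:
    """Collects addresses of hosts that touch a trap port and queues them for the scanner."""

    def __init__(self, own_ips=()):
        # Assumption: the bot does not queue its own addresses as targets.
        self.own_ips = {ipaddress.ip_address(ip) for ip in own_ips}
        self.seen = set()
        self.queue = deque()
        self.hits = {}  # source ip -> number of trap connections observed

    def record(self, ip, port):
        """Register one inbound connection; return True if ip was newly queued."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        if addr in self.own_ips:
            return False
        self.hits[str(addr)] = self.hits.get(str(addr), 0) + 1
        if addr in self.seen:
            return False  # already handed to the scanner once
        self.seen.add(addr)
        self.queue.append(str(addr))
        return True

    def next_target(self):
        """Scanner side: pop the oldest queued address, or None when empty."""
        return self.queue.popleft() if self.queue else None

    def drain(self):
        """Scanner side: take every queued address at once."""
        out = list(self.queue)
        self.queue.clear()
        return out


def replay_connections(events, own_ips=()):
    """Feed constructed (ip, port) connection events through a collector; return the scan queue."""
    collector = TargetCollector(own_ips)
    for ip, port in events:
        collector.record(ip, port)
    return collector.drain()


async def _trap_handler(reader, writer, collector, port):
    # Any host that connects to a trap port is a scanner or a bot: record it and hang up.
    peer = writer.get_extra_info("peername")
    if peer:
        collector.record(peer[0], port)
    writer.close()
    await writer.wait_closed()


async def run_traps(collector, host="127.0.0.1", ports=TRAP_PORTS):
    """Bind one listener per trap port; return the server objects so the caller can close them."""
    servers = []
    for port in ports:
        server = await asyncio.start_server(
            lambda r, w, p=port: _trap_handler(r, w, collector, p), host, port)
        servers.append(server)
    return servers


async def demo():
    """Run the traps on loopback and simulate a scanner probing two of them."""
    collector = TargetCollector()
    servers = await run_traps(collector)
    for port in TRAP_PORTS[:2]:
        _, writer = await asyncio.open_connection("127.0.0.1", port)
        writer.close()
        await writer.wait_closed()
    for server in servers:
        server.close()
        await server.wait_closed()
    return collector.drain(), collector.hits


if __name__ == "__main__":
    targets, hits = asyncio.run(demo())
    print("queued targets:", targets)     # one entry: the loopback address, deduplicated
    print("trap hits per source:", hits)  # 127.0.0.1 touched two trap ports
```

The point worth noticing is the feedback loop: every address that lands in the queue is a host that was already scanning, so the traps steer the bot's exploit and Telnet brute-force attempts at other scanners and infected devices rather than at random space. For a defender, an IoT device that suddenly accepts connections on a couple of dozen unrelated ports, and then starts outbound scanning toward the hosts that probed it, is the observable signature of this behaviour.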

Figure: ZHtrap architecture

“Honeypots are commonly used by IS researchers as a tool to intercept attacks, detect scans, exploits and [malware] samples. We found that ZHtrap uses a similar technique, integrating it with its own IP address scanning engine. The collected IP addresses are ultimately used as targets for attacks,” the Qihoo 360 Netlab experts write.

Let me remind you that I also reported that a cybersecurity expert created a website for collecting information about vulnerabilities in malware.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
