ZHtrap malware turns infected devices into traps to search for new victims

Analysts at the Chinese company Qihoo 360 Netlab have discovered a new malware family called ZHtrap, which turns infected devices, such as routers, DVRs and other UPnP-enabled devices, into traps that help it find the next targets for infection.

ZHtrap is based on the Mirai IoT malware and has builds for x86, ARM, MIPS and other architectures.

Once it has hijacked a device, ZHtrap keeps rival malware out by enforcing a process whitelist: only the system processes that were already running are allowed to execute, and everything else is blocked. Its command-and-control servers are hosted on Tor, and the bot routes its traffic through a Tor proxy to hide it.

The botnet's main purposes are launching DDoS attacks and scanning for new vulnerable devices to infect. ZHtrap also has backdoor functionality that lets its operators download and execute additional payloads.

For propagation, ZHtrap uses exploits for four known vulnerabilities: in the Realtek SDK Miniigd UPnP SOAP service, MVPower DVRs, the Netgear DGN1000 and a range of CCTV DVR models. It also hunts for devices with weak Telnet passwords, drawing its targets both from randomly generated IP addresses and from addresses harvested by the honeypots it plants on infected devices.

Planting these honeypots is perhaps the main distinguishing feature of ZHtrap.

“Compared to other botnets we have analysed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypots,” Bleeping Computer journalists say.

The malware uses these honeypots to collect the IP addresses of devices that may be vulnerable to its exploits or are already infected with other malware.

Once the decoy is in place, ZHtrap listens on a list of 23 ports and forwards the IP address of every host that connects to any of them to its scanner, which treats those hosts as candidates for future attacks.
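To make the honeypot-to-scanner hand-off concrete, here is a small Python model of the mechanism described above. It is an added example, not code from Qihoo 360 Netlab or from the malware itself: a set of silent TCP listeners records the source address of anything that connects, deduplicates it and queues it for a scanner thread. The port list (OS-assigned loopback ports instead of the 23 real ones, which the article does not enumerate), the filter that skips loopback, private and reserved space (borrowed from how Mirai's random scanner behaves, not something the article states about ZHtrap), and the names `Trap`, `is_scan_target`, `knock` and `demo` are all assumptions made for illustration.

```python
"""Toy reconstruction of a ZHtrap-style honeypot feeding a scanner.

Added example, not code from Qihoo 360 Netlab or from the malware. The ports,
the address filter and every function name here are assumptions.
"""
import ipaddress
import queue
import socket
import threading

# The article says ZHtrap listens on 23 ports but does not list them, so this
# example asks the OS for three free loopback ports (port 0) instead.
TRAP_PORTS = [0, 0, 0]


def is_scan_target(ip, skip_internal=True):
    """Return True if ip is worth handing to the scanner.

    Assumption: like Mirai's random scanner, a bot of this kind would not waste
    probes on loopback, RFC 1918, link-local, multicast or reserved space.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    if skip_internal and (addr.is_private or addr.is_loopback
                          or addr.is_link_local or addr.is_multicast
                          or addr.is_reserved):
        return False
    return True


class Trap:
    """Listens on several ports, never answers, and records who connects."""

    def __init__(self, ports=TRAP_PORTS, bind_addr="127.0.0.1", skip_internal=True):
        self.skip_internal = skip_internal
        self.targets = queue.Queue()   # hand-off point for the scanner thread
        self.seen = set()              # each address is queued only once
        self.lock = threading.Lock()
        self.listeners = []
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((bind_addr, port))
            srv.listen(16)
            self.listeners.append(srv)
            threading.Thread(target=self._accept_loop, args=(srv,), daemon=True).start()

    @property
    def ports(self):
        """Actual bound ports (useful when 0 was requested)."""
        return [srv.getsockname()[1] for srv in self.listeners]

    def _accept_loop(self, srv):
        while True:
            try:
                conn, (ip, _port) = srv.accept()
            except OSError:
                return          # listener was closed by close()
            conn.close()        # the trap sends nothing; it only notes the caller
            self.record(ip)

    def record(self, ip):
        """Queue ip for the scanner once. Returns True if it was newly queued."""
        if not is_scan_target(ip, self.skip_internal):
            return False
        with self.lock:
            if ip in self.seen:
                return False
            self.seen.add(ip)
        self.targets.put(ip)
        return True

    def close(self):
        for srv in self.listeners:
            srv.close()


def knock(port, host="127.0.0.1"):
    """Play the role of another scanner probing the trap: connect, say nothing, leave."""
    with socket.create_connection((host, port), timeout=2):
        pass


def demo():
    """Run the trap on loopback, knock on every port, return what the scanner got."""
    trap = Trap(skip_internal=False)      # loopback would otherwise be filtered out
    for port in trap.ports:
        knock(port)
    first = trap.targets.get(timeout=2)   # blocks until an accept loop records it
    trap.close()
    return first, sorted(trap.seen)


if __name__ == "__main__":
    print(demo())
```

The defender-side lesson is in `Trap.ports`: an IoT device that suddenly has a couple of dozen extra TCP listeners, all of which accept a connection and immediately close it without sending a banner, is behaving exactly like this code, and that pattern is cheap to look for in a port-scan baseline of your own network.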

ZHtrap architecture

“Honeypots are commonly used by IS researchers as a tool to intercept attacks, detect scans, exploits and [malware] samples. We found that ZHtrap uses a similar technique, integrating it with its own IP address scanning engine. The collected IP addresses are ultimately used as targets for attacks,” the Qihoo 360 Netlab experts write.

Let me remind you that I also reported that a cybersecurity expert created a website for collecting information about vulnerabilities in malware.
