Qihoo 360’s Netlab Cybersecurity researchers discovered a huge botnet, tracked as Pink, that already infected over 1.6 million devices. The botnet was created to launch DDoS attacks and to insert advertisements in the legitimate HTTP traffic of the victims, most of which are in China (96%).
According to the experts, Pink is the largest botnet they have observed in the last six years. The number of infected devices is impressive, on 2019-11-30 a trusted security partner in the US informed Qihoo 360’s Netlab Cybersecurity reported to have observed 1,962,308 unique daily active IPs from the Pink botnet targeting its systems.
On 2020-01-02, CNCERT reported that “the number of Bot node IP addresses associated with this botnet exceeds 5 million. As home broadband IPs are dynamically assigned, the true size of the infected devices behind them cannot be accurately estimated, and it is presumed that the actual number of infected devices is in the millions.”
The experts first analyzed the bot on November 21, 2019 after they received a sample from the security community. The name Pink comes from a large number of function names included in the sample that were starting with “pink”.
“Pink is the largest botnet we have first hand observed in the last six years, during peak time, it had a total infection of over 1.6 million devices (96% are located in China) Pink targets mainly mips based fiber router” reads the analysis published by the experts.
The botnet leverages a robust architecture based on a combination of third-party services, P2P, and Command & Control servers. This architecture was implemented to make the botnet resilient to takedowns by law enforcement and security firms with the support of the vendors of the infected devices.
Every time a vendor made some attempts to address the problem, the botmaster pushed out multiple firmware updates on the fiber routers to maintain their control.
Pink also adopts the DNS-Over-HTTPS (DoH) for the distribution of configuration information that’s done either via a project hidden on GITHUB or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.
According to the Chinese cybersecurity firm NSFOCUS, which was involved in the investigation, threat actors leverage a zero-day attack aimed at broadband devices of specific brands. The impacted devices were mainly provided to North China and Northeast China, with most of the installs in Beijing.
Unlike other botnets, the Pink malware is only able to target the MIPS architecture used by the above devices;
The Pink botnet supports the following set of commands:
(SecurityAffairs – hacking, Pink botnet)