Do you remember the Hide ‘N Seek (HNS) botnet?
The IoT botnet Hide ‘N Seek botnet appeared in the threat landscape in January, when it was first spotted on January 10th by malware researchers from Bitdefender. It was first discovered on January 10, then it disappeared for a few days, and appeared again a few weeks later infecting in less than a weeks more than 20,000 devices.
Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.
Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.
HNS botnet looks for systems to infect by scanning the Internet for fixed TCP port 80/8080/2480/5984/23 and other random ports. The HNS botnet borrows code from Mirai botnet.
The Hide ‘N Seek is now targeting also cross-platform database solutions, it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.
“2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.
“some major updates we see:
Experts pointed out that the HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.
Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysis published by the Netlab team.
(Security Affairs – Hide ‘N Seek botnet, botnet)