The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.
It was first spotted on January 10th by malware researchers from Bitdefender then it disappeared for a few days, and appeared again a few week later infecting in less than a weeks more than 20,000 devices.
Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.
In May the botnet infected over 90,000 unique devices, recently researchers from Qihoo 360’s NetLab discovered the bot was also targeting AVTECH webcams, Cisco Linksys routers, OrientDB and CouchDB database servers.
Fortinet experts have compared three different versions of the bot across the time.
The security firm reports that the latest version of the bot has a configuration composed up of 110 entries and 9 exploits.
“We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using.” states Fortinet.
“The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.”
Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability, the malicious code allows the botnet to target devices in smart homes controller by the HomeMatic central unit.
The bot also includes the exploit for an RCE issue in the Belkin NetCam devices.
The experts believe the author of the Hide ‘N Seek botnet will continue to improve the bot by adding new exploits to target a broad range of devices.
The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand usage of publicly available exploits
“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet concludes.
“With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.”