Hide 'N Seek malware moves to target cross-platform databases

News by Rene Millman

The Hide 'N Seek botnet that was targeting IoT devices has now expanded its range of targets to focus on cross-platform databases.

The Hide ‘N Seek botnet that was targeting IoT devices has now expanded its range of targets to focus on cross-platform databases.
According to security researchers at Netlab 360, the botnet has been continuously updated over the past few months. It was first discovered by researchers at Bitdefender earlier this year. 
Among the updates seen are added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, and OrientDB. Researchers said that the added support of OrientDB and CouchDB database servers means that the botnet is no longer just an IoT botnet, but a cross-platform botnet now.
It has also increased hard-coded 2P node addresses to 172. In addition, the researchers observed that the botnet has added a cpuminer mining program, but it is not functioning properly yet.
Researchers said the botnet looks for potential victims by initiating a network scanning. In this scanning, the botnet borrows code from mirai botnet, and shares the same characters. The scanning target ports include fixed TCP port 80/8080/2480/5984/23 and other random ports.
They added that the botnet’s check-in packet is a UDP packet with random length and content.
"The stands out is in the second packet from the upstream nodes, which has a length of two and the first byte is the uppercase letter ‘O’. In addition, the second byte of the return packet is actually a checksum value calculated from the request packet, so as can also be used to ID HNS communications," said researchers.
After joining into the P2P network, the botnet needs to perform address synchronisation constantly to ensure nodes connections. 
"This synchronous operation has strong network characteristics. First, the downstream node sends a request packet with the length one with content "~" to the upstream node, and then the upstream node replies with a packet of length eight with the initial letter "^"," they said.
They added that the botnet nodes interact frequently and have lots of data exchange. 
Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that preventing these attacks is as simple as ensuring that your IoT devices are not publicly accessible. 
"Unfortunately, too many home and business devices are configured poorly, leaving the door wide open to be attacked. The actor behind HNS is clearly investing a lot of effort in keeping the malware as effective as possible, by upgrading their attacks with new exploits. The more exploits they incorporate, the more devices they will infect, resulting in even more firepower to be used for infecting further devices or being used in DDoS attacks, for example," he said.
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that the botnet through its P2P command and control, from the start was meant to be a scalable and persistent platform, now we see the attackers starting to harvest the fruits of their initial investments. 
"More elaborate and clever designed C2 mechanisms and update features such as provided by Hajime and HNS are a bigger initial investment for the attackers in coding the features but provide a more persistent platform that can be grown by adding more infection vectors and malicious payloads over time," he said.
"The internet turned into a battlefield for IoT devices and bots leveraging the newest infection vectors and most aggressive scanning will take share, some of those botnets are opportunistic and fade away quickly, others are growing and shrinking over time but persistent and staying on the forefront by implementing a variety of vulnerabilities and infection vectors – HNS falls in the latter category."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews