ZHtrap botnet deploys honeypots to trap&steal bots from rivals

Security researchers discovered last week a new IoT botnet that deploys honeypots to capture attacks from rival botnets and then uses that information to hijack its rivals’ infrastructure.

Named ZHtrap, this new botnet was built on an improved version of the infamous Mirai IoT malware.

Discovered by the Netlab network security division at Qihoo 360, the botnet works by using vulnerabilities to infect DVRsCCTV camerasNetgear routers, and Realtek-based devices.

Once infected, each of these devices is also used to scan the internet for other victims the botnet could attack and infect. All infected devices (called “bots”) are then used to launch DDoS attacks, according to functionality found in the ZHtrap source code.

A unique approach to hijacking rivals

But Netlab said that while most of ZHtrap’s inner workings resemble what other botnets are also doing, there was one small detail that stood out and made this botnet unique.

On some of the infected devices, Netlab said that ZHtrap installed a honeypot, a type of software specialized in mimicking vulnerable systems and logging what commands attackers perform after accessing the honeypot.

Image: Netlab

Netlab argues that the purpose of these honeypots was for the ZHtrap gang to collect the IP addresses belonging to the scan&exploit bots operated by rival botnet gangs.

Since these bots are by definition unpatched and still vulnerable to attacks, ZHtrap could exploit these systems itself and hijack and capture the attacking bots from its rivals, allowing the botnet to increase its size with minimal effort.

But despite its primary functionality being centered around carrying out DDoS attacks, Netlab also warns that ZHtrap is more advanced than your typical botnet.

The botnet will also install reverse web shell on all infected devices, perform Telnet scans, and even download and execute other payloads, which means the botnet could pivot to an access-as-a-service system and allow third-parties to launch attacks on enterprise networks via the infected devices.

Three versions of this botnet have been seen so far, suggesting it’s still actively developed and upgraded with new functionality.

Image: Netlab
Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

US agencies announce initiatives to crack down on ransomware

CISA announced plans for a Joint Ransomware Task Force, while the DOJ said it is…

1 day ago

Tesla, Microsoft and Ubuntu bugs found during Pwn2Own hacking competition

Several bugs in Microsoft, Ubuntu and Tesla products were found and exploited during the three-day…

1 day ago

Nikkei becomes latest major news outlet hit with ransomware

Investigators are trying to determine the nature and scope of an incident involving Nikkei's Asia…

2 days ago

Russian government procured powerful botnet to shift social media trending topics

Researchers at Nisos said the Fronton botnet was primarily developed “for coordinated inauthentic behavior on…

2 days ago

Notorious cybercrime gang Conti ‘shuts down,’ but its influence and talent are still out there

The group's web presence was officially just a shell as of May 19. But pinning…

2 days ago

EU data protection authority raises alarm over UN cybercrime treaty negotiations

Russian-backed cybercrime convention negotiations have long concerned human rights advocates.

2 days ago