Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hoaxcalls Botnet Expands Targets List, DDoS Capabilities

The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.

The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.

First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and Draytek Vigor routers (CVE-2020-8515).

The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.

Over the past several weeks, a new version of the botnet was observed targeting an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager. The botnet also added 16 new DDoS capabilities to the existing list, Radware’s security researchers say (PDF).

A couple of weeks ago, the more potent variant of the botnet was spreading from a single server, but the number of hosting servers now exceeds 75.

The new samples, Radware underlines, show how fast the development of malware can take place, as the 16 new DDoS vectors were added between March 31 (the initial botnet discovery) and April 8.

This week, the security researchers also identified a new variant of the botnet (dubbed XTC) that not only includes all of the 19 DDoS attack vectors, but also expands the list of targeted devices by attempting to exploit a vulnerability in ZyXEL Cloud CNM SecuManager.

Multiple vulnerabilities in the Zyxel network management software were published in early March, when security researcher Pierre Kim revealed that adversaries targeting them could achieve remote code execution.

Advertisement. Scroll to continue reading.

“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors. It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large scale DDoS attacks,” Radware notes.

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Related: Potent ‘dark_nexus’ IoT Botnet Emerges

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.