The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.
First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and Draytek Vigor routers (CVE-2020-8515).
The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.
Over the past several weeks, a new version of the botnet was observed targeting an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager. The botnet also added 16 new DDoS capabilities to the existing list, Radware’s security researchers say (PDF).
A couple of weeks ago, the more potent variant of the botnet was spreading from a single server, but the number of hosting servers now exceeds 75.
The new samples, Radware underlines, show how fast the development of malware can take place, as the 16 new DDoS vectors were added between March 31 (the initial botnet discovery) and April 8.
This week, the security researchers also identified a new variant of the botnet (dubbed XTC) that not only includes all of the 19 DDoS attack vectors, but also expands the list of targeted devices by attempting to exploit a vulnerability in ZyXEL Cloud CNM SecuManager.
Multiple vulnerabilities in the Zyxel network management software were published in early March, when security researcher Pierre Kim revealed that adversaries targeting them could achieve remote code execution.
“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors. It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large scale DDoS attacks,” Radware notes.
Related: Botnet Targets Critical Vulnerability in Grandstream Appliance
Related: Potent ‘dark_nexus’ IoT Botnet Emerges
Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw