Security Experts:

New 'Gucci' IoT Botnet Targets Europe

Security researchers with SecNiche Security Labs have discovered a new piece of malware that attempts to ensnare Internet of Things (IoT) devices in Europe into a distributed denial-of-service (DDoS)-capable botnet.

Called Gucci, the same as the Italian luxury brand of fashion and leather goods, the botnet appears to be new and previously undocumented, security researchers Aditya K Sood and Rohit Bansal told SecurityWeek in an email exchange.

The malware is targeting multiple architectures, including ARM, x86, MIPS, PPC, M68K and others, binaries discovered on the attackers’ server showed. The binaries were being disseminated from a server located in the Netherlands.Gucci botnet

Analysis of these binaries also revealed that the botnet operators removed all the debug symbols from them, a “stripping” process that resulted in reduced binary sizes. However, all the binaries were obfuscated.

While investigating the malware, the researchers discovered that each bot was connecting to a remote IP address on TCP port 5555, and also identified the remote host running a custom telnet service on TCP port 5555.

The host, Sood and Bansal explain in a report shared with SecurityWeek, was exchanging commands with Gucci bots regularly. When attempting to establish a TCP connection to the host, however, the researchers were prompted to provide a username and password for authentication.

Using automation, the researchers were able to crack the required credentials and access the command and control (C&C) panel.

The panel showed that the Gucci botnet was designed with support for different types of DDoS attacks, including HTTP null scan, UDP flood, SYN flood, ACK flood, UDP flood with less protocol options, GRE IP flood, and Value Source Engine specific flood.

The botnet operators appear to be keeping a close eye on all connections made to the C&C server.

In fact, as soon as they realized that the C&C had been compromised, the operators removed the aforementioned TCP service from the host and also attempted to hide indicators and artefacts by cleaning the directories and performing other operations.

“The botnet operator was found to be very proactive. The whole analysis and obtaining C&C access was like an arms race,” the security researchers note.

At the moment, the botnet seems to be in its early stages of development and it appears to be targeting the European continent. The botnet, Sood and Bansal say, is capable of launching both targeted and broad attacks.

Related: Mirai-Based Botnet Launches Massive DDoS Attack on Streaming Service

Related: Attackers Turn Elasticsearch Databases Into DDoS Bots

view counter