Researchers at 360 Netlab have identified a new peer-to-peer Internet of Things (P2P IoT) botnet named "HEH". The botnet, which is written in Go and spreads by Telnet brute-forcing, consists of three parts:
- Propagation Module
- Local HTTP Service Module
- P2P Module
The initial sample arrives as a text file that downloads and executes a malicious Bash script. That script installs the malware and runs it as a daemon. On execution, the bot kills a number of services, selected by port number, starts an HTTP server on port 80, and starts the P2P module, which joins the bot to the botnet. The bot then generates random IP addresses and attempts to brute-force Telnet logins on ports 23 and 2323. When a login succeeds, the new victim is directed to the page served by the infecting bot's HTTP server (i.e. the initial text file), and the cycle repeats on the new host.
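The propagation behaviour described above (one host opening Telnet connections to many random addresses in a short time) is what a defender can look for in flow or firewall logs. The following detector is an added example written for this page; it is not code from 360 Netlab's report or from the HEH sample. The log line format, the 60-second window and the threshold of 8 distinct destinations are assumptions, and the log excerpt is constructed for the example.

```python
"""Flag hosts that behave like a HEH-style Telnet spreader in flow logs.

Heuristic: a single source connecting to many *distinct* destination
addresses on TCP/23 or TCP/2323 inside a short window is scanning, not
administering devices. The log format, window and threshold below are
assumptions for this example; adapt the parser to your own export.
"""
from collections import defaultdict, deque
from datetime import datetime

TELNET_PORTS = {23, 2323}
WINDOW_SECONDS = 60           # assumed sliding window
DISTINCT_DST_THRESHOLD = 8    # assumed number of distinct targets that is "scanning"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log, one flow per line:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
# 10.0.0.9 is an admin host touching the same two devices repeatedly,
# 10.0.0.7 is ordinary web traffic, 10.0.0.5 sweeps random Telnet targets.
SAMPLE_LOG = """\
2020-10-06T10:00:00Z 10.0.0.9 -> 10.0.1.20:23 TCP
2020-10-06T10:00:05Z 10.0.0.9 -> 10.0.1.21:23 TCP
2020-10-06T10:00:09Z 10.0.0.9 -> 10.0.1.20:23 TCP
2020-10-06T10:00:12Z 10.0.0.5 -> 198.51.100.14:23 TCP
2020-10-06T10:00:13Z 10.0.0.5 -> 203.0.113.88:2323 TCP
2020-10-06T10:00:13Z 10.0.0.5 -> 192.0.2.41:23 TCP
2020-10-06T10:00:14Z 10.0.0.5 -> 198.51.100.201:23 TCP
2020-10-06T10:00:15Z 10.0.0.5 -> 203.0.113.5:23 TCP
2020-10-06T10:00:15Z 10.0.0.5 -> 192.0.2.130:2323 TCP
2020-10-06T10:00:16Z 10.0.0.5 -> 198.51.100.77:23 TCP
2020-10-06T10:00:17Z 10.0.0.7 -> 203.0.113.9:80 TCP
2020-10-06T10:00:17Z 10.0.0.5 -> 203.0.113.250:23 TCP
2020-10-06T10:00:19Z 10.0.0.5 -> 198.51.100.3:2323 TCP
2020-10-06T10:00:19Z 10.0.0.5 -> 203.0.113.5:23 TCP
"""


def parse_line(line):
    """Parse one constructed-format flow line into its fields."""
    ts_s, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.strptime(ts_s, TS_FORMAT), src, dst_ip, int(dst_port), proto


def find_telnet_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: (timestamp, distinct_targets)} for each source that
    reached `threshold` distinct Telnet destinations inside `window` seconds.
    The timestamp is the flow at which the threshold was first crossed."""
    flows = [parse_line(l) for l in lines if l.strip()]
    flows.sort(key=lambda f: f[0])        # logs are not guaranteed to be in order
    recent = defaultdict(deque)           # src -> (ts, dst_ip) within the window
    flagged = {}
    for ts, src, dst_ip, port, proto in flows:
        if proto != "TCP" or port not in TELNET_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst_ip))
        # Drop entries that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = (ts.strftime(TS_FORMAT), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, (when, count) in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct Telnet targets within {WINDOW_SECONDS}s at {when}")
```

Counting distinct destinations rather than raw connection attempts is what separates a spreader from an operator retrying a password on one device. Authorised vulnerability scanners and jump hosts will trip the same rule, so allowlist them explicitly rather than raising the threshold.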