Threat Watch

HEH – A new IoT Botnet:

Researchers at 360 Netlabs have identified a new Peer-to-Peer Internet of Things (P2P IOT) botnet named “HEH”. This botnet, which was written in GO and uses Telnet brute-forcing to spread consists of 3 key parts:

  • Propagation Module
  • Local HTTP Service Module
  • P2P Module

The initial sample arrives in the form of a text file that downloads and executes a malicious Bash script. This script installs the malware and instructs it to run as a daemon. Upon execution, a number of services are killed by port number, and an HTTP server is started on port 80.  Additionally, the P2P module is started, linking the bot to the botnet. The bot will also begin to generate random IP addresses and attempt to brute-force access over ports 23 or 2323.  If successful, the victim is directed to the page displayed by the bot’s HTTP server (e.g. the text file), and the attack starts again.


As this botnet spreads primarily through automated brute-forcing of telnet ports, Binary Defense recommends closing port 23 and port 2323 if telnet is not in use. Since Telnet is an unencrypted protocol that is often abused for malicious purposes, it is highly recommended to not use Telnet at all, especially not across the Internet. Additionally, Binary Defense recommends that Telnet users set strong, randomized passwords in order to defeat the botnet’s brute-forcing attempts.