The Bashlight IoT malware has been updated with cryptomining and backdoor commands targeting WeMo devices.
The malware initially gained notoriety for its use in large scale DDoS attacks in 2014 but has recently switched over to infecting IoT devices and has even been known to exploit Shellshock to gain a foothold into vulnerable devices.
Bashlight only needs to check if the device is enabled with the WeMo UPnP API to target the device and doesn’t need to have a predetermined list of targets.
Trend Micro researchers have already spotted the malware in the wild and said the impact of the upgraded Bashlight malware could be significant since WeMo’s home automation products range from connected cameras, electrical plugs, light switches, bulbs, and motion sensors, according to an April 3 report.
The malware is designed to add infected IoT devices to a distributed-denial-of-service (DDoS) botnet and targets devices with the WeMo Universal Plug and Play (UPnP) application programming interface (API).
The upgraded malware also abuses a publicly available remote-code-execution (RCE) Metasploit module, sports additional DDoS-related commands as well as added new commands that support cryptocurrency mining and backdoor capabilities.
Bashlight also executes a bricker malware from a specified URL to presumably eliminate competing bots along with a command to terminate specific processes.
Researchers disclosed their findings to Belkin who recently released a statement regarding the vulnerabilities the malware targets.
“Belkin is committed to product and customer security,” the company said in a statement. “The vulnerability described in this article was detected and remediated in 2015 for all affected devices. We strongly encourage customers to update their devices and mobile apps to obtain the latest security fixes.”
