A large-scale botnet malware operation has been targeting router equipment running vulnerable versions of the Broadcom Universal Plug and Play (UPnP) feature. Active since at least September 2018, malicious campaign appears to be infecting devices for the likely purpose of converting them into spam bots, according to a blog post yesterday from researchers at Qihoo’s Netlab 360.
Over the last 30 days, the botnet has been scanning for susceptible equipment via TCP port 5431 every one-to-three days, with each cycle leveraging around 100,000 IPs from apparently hijacked routers to do its bidding. Researchers have identified a minimum of 116 different models of router devices targeted by the malware, dubbed BCMUPnP_Hunter, and believe the number of potential infections could reach 400,000.
“All together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of the same infected devices just changed over time,” explained researchers and blog authors Hui Wang and RootKiter.
The complex infection process begins with a shellcode component that downloads and executes the primary payload from a malicious command-and-control server. Researchers say the first-stage code is expertly written and apparently original.
The main payload specifically looks for a five-year-old, critical format string vulnerability in UPnP — a network protocol that allows multiple network devices to discover and interact with each other. (The vulnerability was originally discovered in October 2013 but not disclosed until 2017.)
The main payload also builds a proxy network that communicates with servers belonging to email platform providers Outlook, Hotmail and Yahoo! Mail. Based on this observation, “We highly suspect that the attacker’s intention is to send spams,” the researchers have concluded.