IoTroop botnet used to hit financial sector firms: report


A variant of the Mirai botnet was likely used in attacks against one or more financial sector companies in January, according to the security firm Recorded Future, which says this is the first time a botnet made up of Internet of Things devices has been used in an attack since Mirai.

The Mirai botnet was taken down last year and the three men behind it pleaded guilty in December.

Recorded Future's Insikt Group research unit said the botnet, which it believes is possibly linked to the one known as IoTroop or Reaper, was used in an attack on 28 January that relied on DNS amplification and had traffic volumes peaking at 30Gbps.

Two more companies were hit the same day but Insikt said it did not have enough information to provide an indication of the strength of these attacks.

The IoTroop botnet is made up of compromised home routers, TVs, DVRs and IP cameras from manufacturers including TP-Link, Avtech, MikroTik, Linksys, Synology and GoAhead. Insikt said this was probably the first time IoTroop had been used in an attack since it was identified in October last year.

Insikt said that in February, police in the Netherlands had arrested an 18-year-old man on suspicion of staging DDoS attacks on the technology site Tweakers and the ISP Tweak. There had been speculation that the same man was behind the January attacks, but no proof had emerged as yet.

Insikt said the first attack used at least 13,000 devices, each with a unique IP address. Analysis showed that about 80% of the devices were MikroTik routers; the remainder ranged from vulnerable Apache and IIS Web servers to routers from Ubiquiti, Cisco and ZyXEL.

"We also discovered webcams, TVs, and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquiti, Linksys, TP-Link, and Dahua," Insikt said.

It may be recalled that MikroTik routers were also targeted by the Slingshot malware, which Kaspersky Lab detailed last month and which was claimed to be an American state-sponsored exploit aimed at extremists.

Insikt said that many of these devices were new additions to the range IoTroop targets: Dahua CCTV DVRs, Samsung UE55D7000 TVs and Contiki-based devices were not previously known to be vulnerable to the IoTroop/Reaper malware.

The researchers noted that all the compromised MikroTik devices had TCP port 2000 open; this port is enabled by default on new MikroTik devices, as it is used by MikroTik's bandwidth test server.

Insikt named the following IPs as candidate botnet controllers:

98.95.228.104: 34% of all activity targeting the first financial sector company included UDP DNS requests to or from this IP.

71.68.32.251: A large amount of activity to or from the first company went to this IP.

213.160.168.18: There was no specific threat data on this IP, but it is part of a /24 range that has historically been linked to malware deployment and suspect proxies.

84.47.111.62: This is likely a top controller, based on volume and pattern analysis.

87.197.166.13 and 87.197.108.40: Large amounts of data were exchanged between these two Slovakian IPs and a couple of the controllers. These could be primary controllers, or at a minimum, one hop closer to source.

62.204.238.82: This IP was one of the 13,000 IPs originally involved in the DDoS attack. It geolocates to the Czech Republic and accounts for almost 3% of the traffic in Insikt's metadata analysis. During the researched window, Insikt observed this IP make repeated connections to three suspected IRC servers in France (149.202.42.174, 51.255.34.80, 5.196.26.96). All three triggered Recorded Future's predictive risk model.
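The figures above (a DNS amplification flood peaking at 30Gbps, a reflector population of 13,000 addresses, and controller candidates ranked by what share of the victim's DNS traffic involved them) are the kind of numbers a defender derives from flow records at the victim's edge. The script below is an added example written for this article, not code from Recorded Future or iTWire. The Flow record layout, the addresses (all from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the byte counts are constructed so that it runs offline; it computes reflected DNS volume, per-reflector amplification ratios where both directions were observed, the peak one-second inbound rate, and the share of the victim's DNS flows involving a candidate controller.

```python
"""Triage helpers for a DNS amplification DDoS seen at a victim's edge.

Added example for this article; not code from Recorded Future or iTWire.
The Flow layout, the addresses and the byte counts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the flow was observed (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    nbytes: int


VICTIM = "203.0.113.10"        # constructed target address
CANDIDATE_C2 = "192.0.2.50"    # constructed candidate controller

# Constructed flow records: amplified DNS answers arriving at the victim,
# spoofed queries bearing the victim's address (as a reflector we operate
# would log them), normal HTTPS traffic, and DNS flows to/from the candidate.
FLOWS = [
    Flow(100, "198.51.100.7", 53, VICTIM, 41000, "udp", 3000),
    Flow(100, "198.51.100.8", 53, VICTIM, 41001, "udp", 3500),
    Flow(101, "198.51.100.7", 53, VICTIM, 41002, "udp", 2500),
    Flow(101, "198.51.100.9", 53, VICTIM, 41003, "udp", 4000),
    Flow(100, VICTIM, 41000, "198.51.100.7", 53, "udp", 60),
    Flow(101, VICTIM, 41002, "198.51.100.7", 53, "udp", 60),
    Flow(100, "192.0.2.25", 51234, VICTIM, 443, "tcp", 800),
    Flow(101, VICTIM, 443, "192.0.2.25", 51234, "tcp", 1200),
    Flow(100, CANDIDATE_C2, 53, VICTIM, 41010, "udp", 3200),
    Flow(101, VICTIM, 41011, CANDIDATE_C2, 53, "udp", 60),
]


def is_dns(flow):
    """UDP flow with port 53 on either side."""
    return flow.proto == "udp" and 53 in (flow.sport, flow.dport)


def dns_reflections(flows, victim=VICTIM):
    """UDP flows from port 53 into the victim: the amplified responses."""
    return [f for f in flows if f.proto == "udp" and f.sport == 53 and f.dst == victim]


def reflection_bytes(flows, victim=VICTIM):
    """Total bytes of amplified DNS responses delivered to the victim."""
    return sum(f.nbytes for f in dns_reflections(flows, victim))


def amplification_ratios(flows, victim=VICTIM):
    """Response bytes / query bytes per reflector, where both directions were seen.

    The queries carry the victim's source address (spoofed by the bots), so the
    ratio is only computable for reflectors whose inbound side we can observe.
    """
    sent, received = defaultdict(int), defaultdict(int)
    for f in flows:
        if not is_dns(f):
            continue
        if f.src == victim and f.dport == 53:
            sent[f.dst] += f.nbytes
        elif f.dst == victim and f.sport == 53:
            received[f.src] += f.nbytes
    return {r: received[r] / sent[r] for r in received if sent.get(r)}


def peak_bps(flows, victim=VICTIM):
    """Highest one-second inbound rate at the victim, in bits per second."""
    per_second = defaultdict(int)
    for f in flows:
        if f.dst == victim:
            per_second[f.ts] += f.nbytes * 8
    return max(per_second.values(), default=0)


def peer_share(flows, peer, victim=VICTIM):
    """Fraction of the victim's DNS flows whose other endpoint is `peer`.

    This is the kind of figure behind "34% of all activity targeting the
    victim included UDP DNS requests to or from this IP".
    """
    dns = [f for f in flows if is_dns(f) and victim in (f.src, f.dst)]
    if not dns:
        return 0.0
    return sum(1 for f in dns if peer in (f.src, f.dst)) / len(dns)


if __name__ == "__main__":
    print("reflected DNS bytes:", reflection_bytes(FLOWS))
    for reflector, ratio in amplification_ratios(FLOWS).items():
        print(f"{reflector}: amplification x{ratio:.1f}")
    print(f"peak inbound: {peak_bps(FLOWS) / 1e9:.6f} Gbps")
    print(f"share of DNS flows involving {CANDIDATE_C2}: {peer_share(FLOWS, CANDIDATE_C2):.0%}")
```

On real NetFlow or sFlow export the same per-second bucketing in `peak_bps` is what turns packet samples into the "peaking at 30Gbps" figure, and `peer_share` is the starting point for ranking controller candidates before pivoting on them in threat intelligence. For the MikroTik population specifically, the operator-side fix for the port 2000 observation is to disable the bandwidth test server on RouterOS (`/tool bandwidth-server set enabled=no`) and to drop TCP/2000 at the WAN interface, rather than to leave it reachable from the Internet.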

Insikt said: "These attacks highlight the ongoing threat of DDoS to the financial sector from continuously evolving botnets. The similarity in device composition with the IoTroop/Reaper botnet suggests IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector."

