400,000 devices are now infected with a new spam botnet

The new spam botnet named BCMPUPnP_Hunter was observed, by researchers, targeting routers that have the Broadcom UPnP feature enabled. The vicious threat first appeared in September, but until now a multi-step interaction between the botnet and the potential target prevented the researchers from capturing it.
This vicious infection appears designed to send spam emails that likely infected around 400,000 devices.

Researchers are saying that the interaction begins with a TCP port 5431 destination scan, after which the BCMPUPnP_Hunter checks the target’s UDP port 1900 and waits for the vulnerable URL. After four other packet exchanges, the hacker finally figures out the shellcode’s execution start address in memory and delivers the exploit.

If an attack succeeds, a proxy network is implemented, to communicate with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, and others, most likely for spam purposes.
Experts are saying that the botnet is mainly designed to proxy traffic to servers of well-known mail service providers. With connections only made over TCP port 25.

Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;
In this October, the number of scanning source IPs has been constantly around 100,000. Typically the scan activity reaches around 100,000 scan source IPs in each scan event.

Overall there are around 3.37 million detected scan source IPs, but researchers are saying that this large number is the result of some devices changing their IP over time.
This new botnet singly handed managed to infect over 116 different type of devices. The threat is believed to have infected around 400,000 devices all around the world; that is mostly located in India, the United States, and China.

A malware analysis done on the botnet revealed that the malware sample consists of a shellcode and the main body. The shellcode appears to be designed specifically to download the main sample and execute it.
The analyzed threat sample is formed from an exploit for the Broadcom UPnP vulnerability, a proxy access network module, and four instruction codes linked to the command and control (C&C) server.

These commands are:
– an initial packet without practical functionality
– a command to search for vulnerable targets
– a command to empty the current task
– the last one to launch the proxy service

We would continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.