Cybersecurity researchers uncovered a huge botnet, tracked as Pink, that already infected over 1.6 million devices most of them located in China.

Qihoo 360’s Netlab Cybersecurity researchers discovered a huge botnet, tracked as Pink, that already infected over 1.6 million devices. The botnet was created to launch DDoS attacks and to insert advertisements in the legitimate HTTP traffic of the victims, most of which are in China (96%).

According to the experts, Pink is the largest botnet they have observed in the last six years. The number of infected devices is impressive, on 2019-11-30 a trusted security partner in the US informed Qihoo 360’s Netlab Cybersecurity reported to have observed 1,962,308 unique daily active IPs from the Pink botnet targeting its systems.

On 2020-01-02, CNCERT reported that “the number of Bot node IP addresses associated with this botnet exceeds 5 million. As home broadband IPs are dynamically assigned, the true size of the infected devices behind them cannot be accurately estimated, and it is presumed that the actual number of infected devices is in the millions.”

The experts first analyzed the bot on November 21, 2019 after they received a sample from the security community. The name Pink comes from a large number of function names included in the sample that were starting with “pink”.

“Pink is the largest botnet we have first hand observed in the last six years, during peak time, it had a total infection of over 1.6 million devices (96% are located in China) Pink targets mainly mips based fiber router” reads the analysis published by the experts.

The botnet leverages a robust architecture based on a combination of third-party services, P2P, and Command & Control servers. This architecture was implemented to make the botnet resilient to takedowns by law enforcement and security firms with the support of the vendors of the infected devices.

Every time a vendor made some attempts to address the problem, the botmaster pushed out multiple firmware updates on the fiber routers to maintain their control.

Pink also adopts the DNS-Over-HTTPS (DoH) for the distribution of configuration information that’s done either via a project hidden on GITHUB or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.

According to the Chinese cybersecurity firm NSFOCUS, which was involved in the investigation, threat actors leverage a zero-day attack aimed at broadband devices of specific brands. The impacted devices were mainly provided to North China and Northeast China, with most of the installs in Beijing.

Unlike other botnets, the Pink malware is only able to target the MIPS architecture used by the above devices;

The Pink botnet supports the following set of commands:

  1. File download
  2. System command execution
  3. DDoS attacks (HTTP attacks and UDP attacks)
  4. Scan(the specifics of the scan can be set by the command)
  5. Report device information (CPU / system type / memory information / system version / hardware information)
  6. Self-update (save new version to /tmp/client and then run)
  7. P2P node list synchronization (push a set of P2P nodes directly to the Bot)
  8. Http message injection (on the victim device, advertising js scripts will be injected when traffic type is http)
  9. Sock5 proxy service (set up Socks5 proxy service on Bot side, account password set by command)
  10. Download the file and execute
  11. Stop the attack
  12. Reset watchdog

Further info is included in the reports published by Qihoo 360’s Netlab and NSFOCUS, that also include indicators of compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini AuthorPierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine

Source: www.cyberdefensemagazine.com