A sophisticated Internet-of-Things (IoT) botnet, active since late 2024, has launched distributed denial-of-service (DDoS) attacks targeting organizations globally, including multiple Japanese corporations.
Variants of the Mirai and Bashlite malware families form the backbone of this botnet, which exploits vulnerabilities in IoT devices such as routers and IP cameras.
The malware moves through several infection stages and supports a range of operator-issued commands, which lets the botnet deploy attack vectors tailored to each target.
IoT Botnet Detailed Analysis
The IoT botnet spreads by exploiting vulnerabilities in poorly secured devices such as wireless routers and IP cameras.
The main infection methods are remote code execution (RCE) vulnerabilities and default credentials that owners never changed.
Once a device is compromised, the malware runs a multi-step process to download and execute its payloads.
It first downloads a script onto the infected host; that script runs a second-stage loader, which in turn retrieves the primary malware payload.
The payload is held only in the device's memory and is never written to the filesystem, so a scan of the device's storage finds nothing; the flip side is that, absent a separate persistence mechanism, a reboot clears it.
To further obscure the download, the loader fetches the payload over HTTP using a custom User-Agent header, so detections keyed on the User-Agent strings of stock download tools will not fire on the request.
Once the payload is running, the infected device connects to the botnet's command-and-control (C&C) server.
Over this connection the operators issue instructions for DDoS attacks, malware updates, or further exploitation.
This staged infection process shows how the botnet stays undetected while turning IoT devices into attack platforms.
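The staged download described above leaves a recognizable footprint in HTTP logs from an egress proxy or network sensor: a small script fetched first, then one or more binaries named for a CPU architecture, retrieved with a User-Agent that matches no stock download tool. The detection below is an added example written for this article; it is not code from the Trend Micro report or from the malware itself. The log lines are constructed in combined log format, the User-Agent string iotbot/1.0 stands in for whatever custom value the loader really sends, and the architecture suffixes and the five-minute pairing window are assumptions rather than figures from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (combined log format), not taken from the report.
# 192.0.2.10 shows the staged pattern; the other two hosts are ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2025:10:00:01 +0000] "GET /bins/update.sh HTTP/1.1" 200 412 "-" "Wget/1.20"
192.0.2.10 - - [12/Jan/2025:10:00:03 +0000] "GET /bins/loader.mips HTTP/1.1" 200 61440 "-" "iotbot/1.0"
192.0.2.10 - - [12/Jan/2025:10:00:04 +0000] "GET /bins/payload.mips HTTP/1.1" 200 98304 "-" "iotbot/1.0"
192.0.2.20 - - [12/Jan/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
192.0.2.30 - - [12/Jan/2025:10:06:00 +0000] "GET /firmware/v2.bin HTTP/1.1" 200 1048576 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agents of common download tools and browsers; anything else is "custom".
STOCK_UA = re.compile(r"^(Mozilla|Wget|curl|python-requests)/", re.I)
SCRIPT_PATH = re.compile(r"\.sh$", re.I)
# Assumed naming: per-architecture binaries, or an extensionless final path segment.
BINARY_PATH = re.compile(
    r"\.(mips|mipsel|arm\d*|armv\dl|x86|x86_64|i586|i686|sh4|ppc|m68k|spc)$|/[^./]+$", re.I
)
WINDOW_S = 300  # assumption: script fetch and binary fetch within five minutes


def parse_line(line):
    """Parse one combined-log-format line; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_staged_downloads(log_text):
    """Flag (client, script, binary, user_agent) where a client fetched a script and
    then, within WINDOW_S, a binary using a non-stock User-Agent."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == 200:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if not SCRIPT_PATH.search(first["path"]):
                continue
            for later in recs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > WINDOW_S:
                    break
                if BINARY_PATH.search(later["path"]) and not STOCK_UA.match(later["ua"]):
                    hits.append({"ip": ip, "script": first["path"],
                                 "binary": later["path"], "user_agent": later["ua"]})
    return hits


if __name__ == "__main__":
    for hit in find_staged_downloads(SAMPLE_LOG):
        print(hit)
```

The two-stage pairing is what keeps the false-positive rate tolerable: a lone non-stock User-Agent is common on embedded devices, and a lone shell-script download is common on build hosts, but the sequence from one client in a short window is rare outside an infection.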
The botnet supports a range of commands that let the operators tailor each attack:
Command | Action |
---|---|
socket | Opens large numbers of TCP connections for volumetric floods. |
handshake | TCP data flood with randomized payloads. |
stomp | Simple Text Oriented Messaging Protocol (STOMP) floods. |
syn / ack | SYN and ACK packet floods. |
update | Updates the malware. |
socks | Turns the device into a SOCKS proxy server. |
udpfwd | Forwards (redirects) UDP traffic through the device. |
kill | Terminates a process on the device. |
exec | Executes an arbitrary instruction on the device. |
The kill and exec commands in particular show that the malware is multipurpose rather than a pure DDoS client.
Technical Analysis
According to the Trend Micro report, the malware also manipulates the host system in two ways: it disables the watchdog timer, so the device does not reset itself when DDoS traffic drives it to high load, and it modifies iptables to change the Linux firewall rules.
The firewall changes block inbound WAN traffic, hide the infection activity, and protect the C&C communication.
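Each of those system changes, together with the memory-only payload, leaves something an operator can check on the device itself. The script below is an added example written for this article, not Trend Micro's tooling, and it reads three signals from a Linux host: iptables-save rules that drop inbound traffic on management ports, processes whose /proc/<pid>/exe points at a deleted file (a binary that now exists only in memory), and a watchdog device that reports itself inactive. The management-port list and the assumption that the kernel exposes /sys/class/watchdog/<dev>/state (CONFIG_WATCHDOG_SYSFS) are mine; the sample inputs are constructed.

```python
import os
import re

# Assumption: ports whose blocking on an IoT device is suspicious (SSH, Telnet,
# HTTP, HTTPS, TR-069). Adjust to what the device is supposed to expose.
MGMT_PORTS = {"22", "23", "80", "443", "7547"}
DROP_RULE = re.compile(r"^-A INPUT\b(?P<body>.*)-j (?:DROP|REJECT)\b")


def blocked_mgmt_ports(iptables_save_text):
    """INPUT rules (iptables-save format) that drop inbound traffic to a management port.
    Returns (port, rule) pairs."""
    findings = []
    for line in iptables_save_text.splitlines():
        line = line.strip()
        m = DROP_RULE.match(line)
        if not m:
            continue
        ports = re.search(r"--dports? (\S+)", m.group("body"))
        if not ports:
            continue
        for port in ports.group(1).split(","):
            if port in MGMT_PORTS:
                findings.append((port, line))
    return findings


def memory_only_processes(exe_links):
    """exe_links: pid -> target of /proc/<pid>/exe. The kernel appends ' (deleted)'
    when the binary was unlinked after launch, i.e. the process now lives only in memory."""
    return sorted(pid for pid, target in exe_links.items() if target.endswith(" (deleted)"))


def watchdog_disabled(watchdog_states):
    """watchdog_states: device name -> contents of /sys/class/watchdog/<dev>/state.
    Returns devices reporting 'inactive'; meaningful on firmware that normally arms one."""
    return sorted(dev for dev, state in watchdog_states.items() if state.strip() == "inactive")


def snapshot_live_host():
    """Collect the three inputs from a running Linux host (root sees every pid)."""
    exe_links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe_links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, already exited, or not ours to read
    states = {}
    wd_root = "/sys/class/watchdog"
    if os.path.isdir(wd_root):
        for dev in os.listdir(wd_root):
            try:
                with open(os.path.join(wd_root, dev, "state")) as f:
                    states[dev] = f.read()
            except OSError:
                continue
    rules = os.popen("iptables-save").read()
    return rules, exe_links, states


# Constructed sample inputs (not taken from the report) so the checks run offline.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m multiport --dports 22,23,80 -j DROP
-A INPUT -i eth0 -p tcp --dport 7547 -j DROP
-A INPUT -p tcp --dport 8080 -j DROP
COMMIT
"""
SAMPLE_EXE = {1: "/sbin/init", 812: "/usr/sbin/httpd", 2031: "/tmp/.x (deleted)"}
SAMPLE_WATCHDOG = {"watchdog0": "inactive\n"}

if __name__ == "__main__":
    print(blocked_mgmt_ports(SAMPLE_IPTABLES))
    print(memory_only_processes(SAMPLE_EXE))
    print(watchdog_disabled(SAMPLE_WATCHDOG))
```

On a real device, run snapshot_live_host() as root and feed its three outputs to the three check functions. Treat each finding as a triage signal rather than a verdict: a '(deleted)' executable also appears briefly after a package upgrade, a watchdog is legitimately inactive on firmware that never arms one, and a DROP rule on port 23 may be the owner's own hardening. All three on one device at once is the pattern worth escalating.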
Infected devices are mostly wireless routers (80%) and IP cameras (15%), with TP-Link, Zyxel and Hikvision models heavily represented.
Most of the infected devices are located in India (57%) and South Africa (17%).
The attacks show regional patterns: 17% targeted the U.S., and within Europe Poland accounted for 9%.
Activity was also high against Japan and Bahrain. By sector, Japan's finance, transportation and IT industries were frequently targeted, while globally the communications industry was hit hardest.
The command mix varied as well: stomp floods were common against Japanese targets (21% of attacks there), while attacks elsewhere relied on the socket and handshake commands.
Some organizations faced hybrid attacks that combined network bandwidth saturation with resource exhaustion on the target, which complicates both detection and mitigation.
Observation of the botnet showed infected devices serving as proxy relays for dark web services, and showed the operators adapting by introducing new command types (the socket and handshake commands) to get around countermeasures.
Across the exploited devices, three weaknesses recur: unchanged default credentials, outdated firmware with unpatched vulnerabilities, and weak or missing security controls.
Countermeasures and Recommendations
Category | Action |
---|---|
For Individuals | Change default settings: use unique, complex passwords. |
For Individuals | Apply updates: install firmware updates regularly. |
For Individuals | Disable unnecessary access: leave remote management and port forwarding off unless they are genuinely needed. |
For Individuals | Network isolation: keep IoT devices on a separate VLAN or router. |
For Organizations | Monitor and patch: regularly audit and secure IoT devices across the network. |
For Organizations | Partner with ISPs: use the service provider's DDoS filtering. |
For Organizations | Traffic analysis tools: deploy anomaly-detection (for example, machine-learning) models to spot abnormal traffic spikes. |
DDoS Mitigation | Rate limiting: restrict excessive requests from a single source. |
DDoS Mitigation | Load balancing: spread load across servers to absorb sudden traffic bursts. |
DDoS Mitigation | Geo-blocking: filter traffic from regions linked to the botnet. |
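The rate-limiting row deserves a caveat the table does not state: a botnet of tens of thousands of routers spreads its flood across sources, so a per-source limit catches a noisy outlier but not the aggregate. The example below is added for this article (not code from the report) and shows both views over constructed TCP flow events: a per-source sliding window that implements the per-source limit from the table, and an aggregate SYN counter over the same window that is what a distributed flood actually drives up. The limit of 20 SYNs per second and the sample addresses are assumptions.

```python
from collections import defaultdict, deque


def _is_syn(flags):
    # Count pure SYNs (connection attempts); SYN-ACK replies belong to the server side.
    return "S" in flags and "A" not in flags


def syn_flood_sources(events, limit, window_s):
    """Per-source sliding window over time-ordered (timestamp_s, src_ip, tcp_flags)
    events. Returns the sources that sent more than `limit` SYNs within any
    `window_s` span, i.e. the per-source rate limit from the table above."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, src, flags in events:
        if not _is_syn(flags):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > limit:
            offenders.add(src)
    return offenders


def peak_aggregate_syn_rate(events, window_s):
    """Highest SYN count across all sources in any `window_s` span. Each bot can stay
    under the per-source limit while this aggregate is what saturates the target."""
    q = deque()
    peak = 0
    for ts, _src, flags in events:
        if not _is_syn(flags):
            continue
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def sample_events():
    """Constructed traffic, not a real capture: one noisy source, one ordinary client,
    and 40 distinct bot addresses sending a single SYN each."""
    events = []
    events += [(i * 0.01, "198.51.100.7", "S") for i in range(60)]             # 60 SYNs in 0.6 s
    events += [(0.5 + i * 0.2, "203.0.113.5", "S") for i in range(3)]          # 3 SYNs, ordinary
    events += [(0.5, "203.0.113.5", "SA")]                                     # SYN-ACK, ignored
    events += [(0.3 + i * 0.005, f"192.0.2.{i + 1}", "S") for i in range(40)]  # one SYN per bot
    return sorted(events)


if __name__ == "__main__":
    ev = sample_events()
    print(syn_flood_sources(ev, limit=20, window_s=1.0))  # only the noisy source
    print(peak_aggregate_syn_rate(ev, window_s=1.0))      # the 40 bots still add up
```

With the sample input the per-source check flags only 198.51.100.7, while the aggregate counter sees all 103 SYNs inside one second; the 40 single-SYN bots are invisible to the first view and dominate the second. That is why rate limiting belongs alongside upstream (ISP) filtering and capacity measures rather than replacing them.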
The IoT botnet represents a growing global threat due to its advanced infection techniques and adaptive DDoS strategies.
With IoT usage expanding, secure device management and proactive defense mechanisms will be critical in mitigating future risks.
Indicators of compromise for the large-scale IoT botnet linked to these DDoS attacks are published with the Trend Micro report.