Massive Botnet Takes Control of Smart TVs for Cybercrime During Prime Time

Security researchers have identified a Distributed Denial of Service (DDoS) botnet associated with an eight-year-old cybercrime group named Bigpanzi, infecting potentially millions of smart TVs and set-top boxes. At its peak, the campaign had around 170,000 bots running daily, targeting Android-based TVs and streaming hardware through pirated apps and firmware updates.

The typical infection scenario involves users visiting dubious streaming sites on their smartphones, subsequently being directed to download a malicious app onto their Android-based smart TVs. Once infected, these devices become backdoored, allowing cybercriminals to utilize their resources for various cybercrimes, including DDoS attacks and hijacking other streams to replace content with malicious material.

In a notable incident in December 2023, regular broadcasts in the United Arab Emirates were hijacked to display imagery from the conflict between Israel and Palestine. The potential for such attacks to broadcast inappropriate or harmful content poses a significant threat to social order and stability, according to researchers at Chinese security company Qianxin.

The malware responsible for the botnet, named pandoraspear, inherits its DDoS commands from the infamous Mirai malware. While the researchers did not attribute the botnet to any high-profile attacks, they highlighted its potential by noting that the operators added 11 Mirai-derived DDoS attack vectors to pandoraspear's command list in later versions.

Qianxin's investigation, aiming to trace the identity of those behind pandoraspear, narrowed down to a single company, though this information wasn't disclosed in the report. Bigpanzi and the pandoraspear malware have been active since at least 2015.

Efforts to trace Bigpanzi are ongoing, with researchers aiming for a decisive strike against the cybercrime syndicate. The infected devices were concentrated primarily in Brazil, particularly São Paulo, where many of the 170,000 bots were identified at the campaign's peak.

The discovery of the botnet's scale occurred when two of the nine domains used for the botnet's command and control infrastructure expired, allowing researchers to register them and gain insight into the operation. However, the cybercriminals responded aggressively, launching DDoS attacks on the secured domains and manipulating the hosts files of infected devices to thwart observation.
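The hosts-file tampering described above leaves a simple forensic trace: a static entry that pins a domain to an address other than the loopback range. The following script is an added example, not code from the report or from Qianxin; the C2 and sinkhole domain names are placeholders (the report does not name them), and the hosts file content is constructed to illustrate what a tampered /system/etc/hosts on an Android set-top box could look like.

```python
"""Triage a hosts file pulled from an Android TV / set-top box for entries
that redirect sinkholed C2 domains or otherwise override name resolution.

Added example; domain names below are hypothetical placeholders.
"""
import ipaddress

# Hypothetical sinkholed C2 domains to watch for (not the report's real ones).
SINKHOLED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}

# Names that legitimately appear in a stock Android hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}

# Constructed sample: stock entries plus three malware-added lines.
SAMPLE_HOSTS = """\
# stock entries
127.0.0.1       localhost
::1             ip6-localhost
# added by the bot to keep the C2 names away from the sinkhole
198.51.100.23   c2-example-one.test   # attacker-controlled address
0.0.0.0         c2-example-two.test
0.0.0.0         tracker.example
"""


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for each data line.

    Inline comments are stripped and malformed lines are skipped rather
    than raising, since a tampered file may contain junk on purpose.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def find_suspicious_entries(text, watch_domains=SINKHOLED_DOMAINS):
    """Flag hosts entries worth a closer look.

    Returns a list of (hostname, ip, reason). Two checks are applied:
    - a watched (sinkholed) domain pinned to any address at all, and
    - any other name mapped to a non-loopback address, which a stock
      set-top box hosts file should not contain.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in watch_domains:
                findings.append((lname, str(ip),
                                 "watched domain pinned in hosts"))
            elif lname not in LOOPBACK_NAMES and not ip.is_loopback:
                findings.append((lname, str(ip),
                                 "non-loopback override of unexpected name"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{host:28} -> {ip:16} {reason}")
```

On a real device the file would be pulled with `adb pull /system/etc/hosts` (or read over a shell if the partition is mounted) and passed to `find_suspicious_entries`; the watch list should be replaced with the domains actually being sinkholed.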

The researchers believe that the group has shifted its DDoS operations to a separate botnet and is now using the compromised devices for more lucrative cybercrimes, such as operating them as a content delivery network. The adaptability and evolving nature of cybercrime syndicates like Bigpanzi pose ongoing challenges for cybersecurity efforts.

Given the consumer-grade nature of the infected devices, the researchers acknowledge potential oversights in visibility, as these devices may not be powered on continuously. They were able to hijack only two of the nine command and control domains, limiting their
