Security researchers have uncovered a new botnet, dubbed BCMUPnP_Hunter, that has been quietly growing over the past few months and now counts around 100,000 infected routers. Its infected devices have been observed attempting to connect to webmail services, traffic that points to the botnet being used to send out mass email campaigns.
The botnet’s operators were spotted exploiting a five-year-old vulnerability that allows an attacker to execute code remotely on vulnerable routers. The flaw, disclosed in 2013, lies in the Broadcom UPnP SDK, a component that many router vendors embed in their firmware; because the SDK is shared, this single bug is present in thousands of routers across many brands.
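A first step for defenders is simply finding which devices on a network answer UPnP discovery and what stack they advertise. The Python below is an added example, not code from the Netlab report or from the botnet: it sends an SSDP M-SEARCH to the standard UPnP multicast group and parses the replies. The sample response, the 192.0.2.1 address and the "ExampleStack" SERVER string are constructed, and the script does not test for the Broadcom SDK flaw itself, only for a UPnP service that answers.

```python
"""Discover UPnP endpoints on the local network over SSDP and report the
stack each one advertises, so routers running an exposed UPnP service can
be inventoried.

Added example, not code from the Netlab report or the botnet. It does not
test for the Broadcom SDK vulnerability; it only shows which devices answer
UPnP discovery and what their SERVER header claims.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Return an SSDP M-SEARCH request (HTTP over UDP) as bytes."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",              # seconds a device may wait before answering
        f"ST: {search_target}",   # search target: every root device
        "",
        "",                       # header block ends with a blank line
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse one SSDP datagram into a dict keyed by upper-cased header name.

    Returns None for anything that is not an HTTP/1.1 200 response, so
    NOTIFY announcements and stray traffic on the port are ignored.
    """
    text = data.decode("utf-8", errors="replace")
    head, _sep, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout=3.0):
    """Send one M-SEARCH and collect (source_ip, SERVER, LOCATION) for each reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((ip, headers.get("SERVER", "?"), headers.get("LOCATION", "?")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not captured from any real device) for offline use.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, server, location in discover():
        print(f"{ip}\t{server}\t{location}")
```

Run from a host on the LAN; every device that prints a line is reachable over UPnP from inside the network. Whether the same service is also reachable from the WAN side has to be checked from outside, for instance by scanning the router's public address from a host on another network.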
According to the Netlab researchers who discovered the botnet, BCMUPnP_Hunter scans have been observed from more than 3.37 million source IP addresses in total, but only around 100,000 devices are active on any given day; the gap is due in part to residential IP churn, so the daily figure is the better estimate of the botnet's size. Although the botnet targets victims globally, most infections so far are in India, China, and the US.
BCMUPnP_Hunter also differs from most IoT botnets active in the wild in that its author(s) did not assemble it from previously leaked source code but wrote it from scratch.
“We did not find similar code using search engines. It seems that the author has profound skills and is not a typical script kid,” Netlab researchers wrote in a report.
Since all of the botnet’s observed connections were made over TCP port 25, the port assigned to the Simple Mail Transfer Protocol (SMTP) for server-to-server mail delivery, the researchers believe the botnet is most likely being used to send spam. A consumer router has no legitimate reason to open outbound connections on that port, which also makes the activity straightforward to spot in flow logs or to block at the network edge.
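The following Python is an added detection example, not code from the Netlab report or the botnet. It runs over constructed flow records (the "timestamp src_ip dst_ip dst_port proto" format and all addresses, drawn from RFC 5737 documentation ranges, are made up for the example) and flags sources that fan out on TCP/25 to many distinct destinations, while ignoring a client that uses a mail submission port and an allowlisted site mail relay.

```python
"""Flag hosts making many outbound TCP/25 connections to many distinct
destinations, the traffic pattern a router-based spam bot produces.

Added example, not code from the Netlab report or the botnet. The flow
format ("timestamp src_ip dst_ip dst_port proto", one record per line)
and every record below are constructed; the IPs come from the RFC 5737
documentation ranges.
"""
from collections import defaultdict

SAMPLE_FLOWS = """\
# constructed: consumer router 192.0.2.10 spraying SMTP at many hosts
2018-11-08T09:00:01 192.0.2.10 198.51.100.11 25 tcp
2018-11-08T09:00:02 192.0.2.10 198.51.100.12 25 tcp
2018-11-08T09:00:02 192.0.2.10 198.51.100.13 25 tcp
2018-11-08T09:00:03 192.0.2.10 198.51.100.14 25 tcp
2018-11-08T09:00:05 192.0.2.10 198.51.100.11 25 tcp
2018-11-08T09:00:06 192.0.2.10 198.51.100.15 25 tcp
2018-11-08T09:00:07 192.0.2.10 198.51.100.16 25 tcp
2018-11-08T09:00:09 192.0.2.10 198.51.100.12 25 tcp
# constructed: laptop 192.0.2.20 sending mail via its provider's submission port
2018-11-08T09:00:10 192.0.2.20 203.0.113.25 587 tcp
2018-11-08T09:01:10 192.0.2.20 203.0.113.25 587 tcp
2018-11-08T09:02:10 192.0.2.20 203.0.113.25 587 tcp
# constructed: the site's sanctioned mail relay 192.0.2.30 delivering to MX hosts
2018-11-08T09:00:11 192.0.2.30 198.51.100.21 25 tcp
2018-11-08T09:00:12 192.0.2.30 198.51.100.22 25 tcp
2018-11-08T09:00:13 192.0.2.30 198.51.100.23 25 tcp
2018-11-08T09:00:14 192.0.2.30 198.51.100.24 25 tcp
2018-11-08T09:00:15 192.0.2.30 198.51.100.25 25 tcp
2018-11-08T09:00:16 192.0.2.30 198.51.100.26 25 tcp
# constructed: unrelated DNS noise from the router
2018-11-08T09:00:20 192.0.2.10 203.0.113.53 53 udp
"""

# Hosts permitted to speak SMTP outbound (constructed for the example).
MAIL_RELAYS = frozenset({"192.0.2.30"})


def parse_flows(text):
    """Parse flow lines into (ts, src, dst, dport, proto) tuples, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((ts, src, dst, int(dport), proto.lower()))
    return records


def find_smtp_sprayers(records, allowlist=frozenset(), min_flows=5, min_distinct=3):
    """Return {src: (flow_count, distinct_dst_count)} for non-allowlisted sources
    with at least min_flows TCP/25 flows to at least min_distinct destinations.

    Both thresholds matter: a legitimate client talks to one submission
    server on 587/465 and never trips the port-25 filter, and a sanctioned
    relay belongs on the allowlist, so whatever remains that fans out on
    port 25 is direct-to-MX delivery from a device with no business sending mail.
    """
    flows = defaultdict(int)
    dsts = defaultdict(set)
    for _ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport == 25 and src not in allowlist:
            flows[src] += 1
            dsts[src].add(dst)
    return {
        src: (flows[src], len(dsts[src]))
        for src in flows
        if flows[src] >= min_flows and len(dsts[src]) >= min_distinct
    }


def report(text=SAMPLE_FLOWS, allowlist=MAIL_RELAYS):
    """Parse the flow text and return the suspect sources."""
    return find_smtp_sprayers(parse_flows(text), allowlist)


if __name__ == "__main__":
    for src, (count, distinct) in sorted(report().items()):
        print(f"{src}: {count} outbound SMTP flows to {distinct} distinct hosts")
```

The thresholds are deliberately low for the constructed sample; on real flow data set them from a baseline of your own network, and pair the detection with an egress rule that only permits TCP/25 from the hosts on the allowlist.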