Malware author builds ‘Death’ botnet by targeting 2-year old vulnerabilities in AVTech devices

• 14-known vulnerabilities found in the firmware of several AVTech devices, are being leveraged to build the botnet.
• The firmware under attack exposes the passwords of the AVTech devices and allows attackers to add unauthorized users to these devices.

A malware author, who goes by the name of EliteLands, is reportedly building a new botnet dubbed “Death”, by exploiting the vulnerabilities in unpatched AVTech devices that were disclosed back in 2016.

The matter came to light after Ankit Anubhav, a security researcher at NewSky Security, told Bleeping Computer that EliteLands is exploiting flaws in AVTech devices to add new unauthorized users.

How it works

The exploit targets 14-known vulnerabilities found in the firmware of several AVTech devices. These devices include DVRs, NVRs, IP cameras and more. The firmware under attack exposes the passwords of the AVTech devices and can allow cybercriminals to add unauthorized users to these devices.

The security expert highlighted that these older AVTech devices are also vulnerable to command injection flaws. This means that attackers can inject a shell command in the password field to gain access of vulnerable devices.

"So, if I put reboot as password, the AVTech system gets rebooted," Anubhav told to Bleeping Computer. "Of course, the Death botnet is doing much more than just rebooting."

Faster attack vector

Anubhav confirmed that EliteLands is targeting devices for his Death botnet by exploiting exposed devices with different payloads. The latest version of a payload used by the attacker involves adding accounts that have a lifespan of only 5 minutes, after which they disappear from the infected devices. In other words, the attacker can execute his payload into a targeted device in just five minutes..

"This is like a burner account," Anubhav added. “Usually people don’t make new user accounts with access of only 5 minutes.”

Although the size of the botnet is not yet known, Anubhav has identified over 1200 AVTech devices which are currently at risk. Meanwhile, Elitelands has reportedly confirmed he plans to use the Death botnet for massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” Elitelands allegedly told Anubhav. "The Death botnet purpose was originally just to DDoS but I have a greater plan on it soon. I don't really use it for attacks only to get customers aware of the power it has.”