New version of Bashlite botnet found sporting mining and backdoor capabilities

• Four new versions of Bashlite botnet has been discovered by security researchers lately.
• One of these versions is used to target devices with the WeMo Universal Plug and Play (UPnP) API.

Four new versions of Bashlite botnet has been discovered by security researchers lately. They are named as Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. One of these versions is used to target devices with the WeMo Universal Plug and Play (UPnP) API.

Although there are no significant detections for these variants, researchers have noted that they are already available in the public. Some instances of infection process have been observed in places like Taiwan, United States, Thailand, Malaysia, Japan, and Canada.

What is Bashlite botnet - Bashlite, also known as Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresster, came into light in 2014 for launching large-scale DDoS attacks. But, since then the IoT malware has evolved to do more than hacking the IoT devices.

About the updated version - One of the updated version of Bashlite botnet includes the cryptocurrency mining and backdoor capabilities. Trend Micro researchers also note that the variant can deliver malware that removes competing botnets from the systems.

The variant abuses a publicly available remote-code execution (RCE) Metasploit module for propagation.

“The exploit used doesn’t have a list of targeted WeMo devices. It only needs to check if the device is enabled with the WeMo UPnP API. The impact could be significant. WeMo’s home automation products, for instance, range from internet-connected cameras, electrical plugs, and light switches and bulbs to motion sensors. It has a mobile application that uses the Wi-Fi network to wirelessly control IoT devices,” researchers explained.

Capabilities - The new version of Bashlite botnet is capable of launching multiple types of DDoS attacks simultaneously. It can also download and execute cryptocurrency-mining and bricking malware.

Some of the commands that are followed by Bashlite to launch DDoS attacks are:

• HOLD: Connects to an IP address and port, and sustained for a specified time
• JUNK: Same as HOLD but also sends a randomly generated string to the IP address
• UDP: Flood target with user datagram protocol (UDP) packets
• ACK: Send acknowledgment (ACK) signals to disrupt network activity
• VSE: An amplification attack used to consume the resources of a target (e.g., server)
• TCP: Send numerous transmission control protocol-based (TCP) requests
• OVH: DDoS attack designed to bypass a DDoS mitigation service
• STD: Similar to UDP (flooding the target with UDP packets)
• GRENADE: Launch all the DDoS commands

The bottom line - With an increase in the number of internet-connected devices used in smart homes, researchers note that Bashlite botnet can be one of the many threats that could threaten the privacy, security and even safety of users.