Bashlite IoT malware upgrade lets it target WeMo home automation devices

New Bashlite version not widely detected, but was spotted infecting devices in the wild.
Written by Catalin Cimpanu, Contributor

A version of the Bashlite IoT malware has received an update over the past few weeks that allows it to target Belkin WeMo home automation switches.

Further, as part of this update, the malware can now open backdoors and run commands on infected devices, deploy a cryptocurrency mining module, and detect and remove competing IoT malware. It has also expanded the types of DDoS attacks it can launch from infected devices.

"While we have not seen significant detections for these versions of Bashlite, it's worth noting that it's already in the wild," cyber-security firm Trend Micro said in a report today.

Botnet author uses MSF module for an initial foothold

The company's experts believe the person who modified recent versions of the Bashlite malware to improve it with new functionality is using a module for the Metasploit penetration testing framework to infect smart devices via the Belkin WeMo UPnP SDK.

This includes Belkin WeMo home automation switches, but also routers, smart lightbulbs, electrical plugs, light switches, motion sensors, surveillance cameras, and other devices that support this SDK.

Belkin patched the security flaw exploited by this Bashlite botnet back in 2015, meaning only device owners who failed to apply years-old firmware patches are currently at risk.

In addition, in line with previous iterations of the Bashlite IoT malware (also known under names such as Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser), the malware uses additional exploits and a Telnet scanner to brute-force its way into other devices still running factory default credentials.

[Figure: Bashlite botnet targeting WeMo devices. Image: Trend Micro]

The news about this new Bashlite variant targeting home automation devices comes after Palo Alto Networks found, last fall, another Bashlite variation targeting enterprise servers, such as Apache Struts, SonicWall, and others.

Bashlite's ecosystem of lame botnets

But in hindsight, this isn't a surprise. Most Bashlite-based botnets are like giant puzzles. They're all based on the original Bashlite malware that was released online by the Lizard Squad DDoSing crew a few years back.

Bored teenagers and criminal groups have used the same code as a wireframe for creating botnets over the past few years.

All Bashlite variations are the original Bashlite code, together with exploits that the botnet owner usually gets from public exploit repositories like ExploitDB.

Most of these botnets die out within weeks, as the botnet owner runs out of money to pay ever-increasing hosting costs, or they realize the criminal nature of their actions, or they just get bored.

However, a few botnets linger, usually those run by professional cyber-criminal gangs, who advertise capabilities on underground hacking forums or assemble these botnets into public DDoS-for-hire (DDoS booter/stresser) services.

From the looks of it, the variant that Trend Micro spotted belongs to the first category, small botnets created by an amateur, and is expected to die out in the near future.
