A version of the Bashlite IoT malware has received an update over the past few weeks that allows it to target Belkin WeMo home automation switches.
Further, as part of this update, the malware can now open backdoors and run commands on infected devices, deploy a cryptocurrency mining module, can detect and remove competing IoT malware, and has also expanded the types of DDoS attacks it can launch from infected devices.
"While we have not seen significant detections for these versions of Bashlite, it's worth noting that it's already in the wild," cyber-security firm Trend Micro said in a report today.
Botnet author uses MSF module for an initial foothold
The company's experts believe the person who modified recent versions of the Bashlite malware to improve it with new functionality is using a module for the Metasploit penetration testing framework to infect smart devices via the Belkin WeMo UPnP SDK.
This includes Belkin WeMo home automation switches, but also routers, smart lightbulbs, electrical plugs, light switches, motion sensors, surveillance cameras, and other devices that support this SDK.
Belkin patched the security flaw exploited by this Bashlite botnet back in 2015, meaning only device owners who failed to apply years-old firmware patches are currently at risk.
In addition, in line with previous iterations of the Bashlite IoT malware (also known under names such as Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser), the malware uses additional exploits and a Telnet scanner to brute-force its way into other devices still running factory default credentials.
But in hindsight, this isn't a surprise. Most Bashlite-based botnets are like giant puzzles. They're all based on the original Bashlite malware that was released online by the Lizard Squad DDoSing crew a few years back.
Bored teenagers and criminal groups have used the same code as a wireframe for creating botnets over the past few years.
All Bashlite variations are the original Bashlite code, together with exploits that the botnet owner usually gets from public exploit repositories like ExploitDB.
Most of these botnets die out within weeks, as the botnet owner runs out of money to pay ever-increasing hosting costs, or they realize the criminal nature of their actions, or they just get bored.
However, few botnets linger, usually those run by professional cyber-criminal gangs, who advertise capabilities on underground hacking forums, or assemble these botnets in public DDoS-for-hire (DDoS booters/stresser) services.
From the looks of it, the variant that Trend Micro spotted is from the first category, of small botnets created by an amateur, and is expected to die out in the coming future.