Categories: Cyber Security News

L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks

In early March 2025, security teams first observed an unprecedented L7 DDoS botnet targeting web applications across multiple sectors.

Starting from roughly 1.33 million compromised devices, the botnet used HTTP GET floods to exhaust application resources. Spread across that many source addresses, each node can stay under the per-IP thresholds that traditional rate limiting relies on, which is how the flood circumvents it.

By mid-May the botnet had grown to 4.6 million nodes, adding compromised IoT devices and poorly secured endpoints to increase its firepower.

By September, this sprawling network had mobilized 5.76 million IP addresses for a coordinated assault on a government organization, generating tens of millions of requests per second.

Qrator Labs analysts noted significant shifts in geographical distribution, with Brazil, Vietnam, and the United States emerging as major sources of malicious traffic.

The attack unfolded in two waves: an initial surge engaging approximately 2.8 million devices, followed an hour later by an additional 3 million nodes.

HTTP headers in the second wave revealed randomized User-Agent strings designed to evade simple traffic filtering.
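As an added example (not Qrator Labs' code and not from the original article), the detector below runs over Apache/nginx combined-format access logs and scores each source on the two signals described above: the burst rate of GET requests and the share of distinct User-Agent strings per source. It also computes the site-wide rate, the number that still moves when millions of nodes each stay under a per-IP limit. The log lines, addresses and thresholds are constructed for the demo.

```python
"""Flag HTTP GET flood sources with randomized User-Agents from access logs.

Added example, not code from Qrator Labs or the original article. Assumes
Apache/nginx combined log format; all log lines, addresses and thresholds
below are constructed for the demo.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def peak_in_window(timestamps, window_s):
    """Largest number of events falling inside any window_s-second window."""
    ts = sorted(timestamps)
    peak = j = 0
    for i, t in enumerate(ts):
        while ts[j] < t - window_s:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def flag_sources(lines, window_s=10, max_rps=20.0, min_ua_ratio=0.5, min_reqs=20):
    """Return {ip: reason} for sources that look like flood nodes.

    Two signals: burst rate of GETs over the busiest window, and the share of
    distinct User-Agent strings (a browser reuses one UA; a bot that randomizes
    the header shows a new one on almost every request).
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_reqs:
            continue
        rps = peak_in_window([r["time"].timestamp() for r in recs], window_s) / window_s
        ua_ratio = len({r["ua"] for r in recs}) / len(recs)
        reasons = []
        if rps > max_rps:
            reasons.append(f"rate {rps:.1f} req/s over {window_s}s")
        if ua_ratio >= min_ua_ratio:
            reasons.append(f"{ua_ratio:.0%} distinct User-Agents")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged


def aggregate_peak_rps(lines, window_s=10):
    """Site-wide GET rate: the signal that survives when millions of nodes each
    stay under any per-IP threshold."""
    ts = [r["time"].timestamp() for r in map(parse_line, lines)
          if r and r["method"] == "GET"]
    return peak_in_window(ts, window_s) / window_s


def sample_log():
    """Constructed sample: one flood node (300 GETs in 10 s, fresh UA each time)
    and one normal client (25 GETs over 5 minutes, one UA)."""
    rnd = random.Random(7)
    base = datetime(2025, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):
        t = base + timedelta(milliseconds=33 * i)
        ua = (f"Mozilla/5.0 ({rnd.choice(['Windows NT 10.0', 'X11; Linux x86_64', 'Macintosh'])}) "
              f"AppleWebKit/{rnd.randrange(10**6)}")
        lines.append(f'203.0.113.7 - - [{t.strftime(TIME_FMT)}] '
                     f'"GET /api/search?q={i} HTTP/1.1" 200 512 "-" "{ua}"')
    for i in range(25):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'198.51.100.20 - - [{t.strftime(TIME_FMT)}] '
                     f'"GET /index.html HTTP/1.1" 200 2048 "-" '
                     f'"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"')
    return lines


if __name__ == "__main__":
    for ip, why in flag_sources(sample_log()).items():
        print(ip, "->", why)
    print("site-wide peak:", aggregate_peak_rps(sample_log()), "req/s")
```

The UA-diversity signal is the one worth keeping from this: a node of a 5.76-million-address botnet does not need to exceed any per-source rate, so `max_rps` alone will miss most of them, whereas a source that presents a new User-Agent on nearly every request is not a browser. Tune `min_reqs` and the thresholds against your own traffic, and compare `aggregate_peak_rps` per path against a baseline rather than against a fixed number.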

Qrator Labs researchers identified key adaptations in the botnet’s control mechanism that facilitated its rapid scaling.

The malware communicates over encrypted channels with a decentralized command-and-control (C2) infrastructure, which the operators rotate frequently to stay ahead of blocklists.

Mitigation keyed on known C2 endpoints struggled to keep pace, as each endpoint was active for only a few hours before rotation.

Infection Mechanism and Persistence

The core infection vector is credential brute-forcing against default logins, combined with exploitation of unpatched vulnerabilities in common IoT firmware.

Once inside a device, the malware deploys a lightweight rootkit that hooks into network interfaces and intercepts firmware update routines.

A code snippet extracted by Qrator Labs illustrates the persistence strategy (declarations and comments added here so the fragment reads as complete C):

#include <string.h>

void launch_payload(void);          // drops the malicious modules
int  orig_update(char *path);       // the device's real update routine

// Intercept firmware update calls
int hook_update(char *path) {
    // Only the firmware updater path is diverted; everything else passes through
    if (!strcmp(path, "/usr/bin/fw_update")) {
        launch_payload();
        return 0;                   // caller sees 0 instead of running the real updater
    }
    return orig_update(path);
}

Because the hook re-launches the payload whenever the update routine is invoked, the malicious modules are reloaded after each system restart, so a simple reboot does not clean the device.

The rootkit also hides its own processes from process listings, further complicating detection and removal.
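Two host-side checks a responder would run against the behaviour described in this section, as an added example (not Qrator Labs' code): a hidden-process probe that looks up /proc/<pid> directly for every PID and compares the result with what a directory listing (and therefore `ps`) reports, and an integrity check of the firmware updater against a known-good SHA-256. It assumes a Linux-style procfs and that a baseline hash is available from the vendor image; the fake proc tree and fake updater are constructed fixtures, and the LD_PRELOAD check is an assumption about the hook mechanism, which the article does not name.

```python
"""Host-side checks for the hiding and persistence behaviour described above.

Added example, not Qrator Labs code. Assumes a Linux-style procfs; the baseline
hash of the updater would normally come from the vendor image. The demo tree
and the fake updater are constructed fixtures.
"""
import hashlib
import os
import tempfile


def listed_pids(proc_root="/proc"):
    """PIDs as a directory listing reports them (what `ps` and `top` rely on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(proc_root="/proc", max_pid=32768):
    """PIDs found by looking up /proc/<n> directly for every n.

    A rootkit that filters readdir() results hides entries from listings but
    usually not from a direct path lookup, so this set is the ground truth."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc_root, str(pid)))}


def hidden_pids(proc_root="/proc", max_pid=32768, listing=None):
    """PIDs that exist but are missing from `listing` (defaults to the
    directory listing of proc_root; pass the PID set parsed from `ps` to
    compare against the tool an attacker would have tampered with)."""
    if listing is None:
        listing = listed_pids(proc_root)
    return probed_pids(proc_root, max_pid) - set(listing)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def updater_tampered(path, expected_sha256):
    """True if the on-disk firmware updater no longer matches its baseline hash.
    hook_update() above diverts the path /usr/bin/fw_update; a modified
    updater, or a library loaded alongside it, is where such a hook lives."""
    return sha256_file(path) != expected_sha256


def preload_hooks(preload_file="/etc/ld.so.preload"):
    """Libraries injected into every dynamically linked process via the loader.
    Assumption: the article does not name the hook mechanism; LD_PRELOAD and
    ld.so.preload are the usual user-space ways to interpose a libc call."""
    found = []
    if os.path.isfile(preload_file):
        with open(preload_file) as f:
            found += [line.strip() for line in f if line.strip()]
    if os.environ.get("LD_PRELOAD"):
        found.append("LD_PRELOAD=" + os.environ["LD_PRELOAD"])
    return found


def build_demo_tree():
    """Constructed fixture: fake procfs with PIDs 1, 2 and 4242 plus a fake
    updater script, in a temp directory. Returns (proc_root, updater_path)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid in (1, 2, 4242):
        os.mkdir(os.path.join(root, str(pid)))
    updater = os.path.join(root, "fw_update")
    with open(updater, "wb") as f:
        f.write(b"#!/bin/sh\necho updating firmware\n")
    return root, updater


if __name__ == "__main__":
    root, updater = build_demo_tree()
    print("hidden (vs. listing):", hidden_pids(root, 5000))
    print("hidden (vs. a ps that omits 4242):", hidden_pids(root, 5000, {1, 2}))
    print("updater tampered:", updater_tampered(updater, sha256_file(updater)))
    print("preload hooks:", preload_hooks())
```

On a live device, run `hidden_pids()` twice and keep only PIDs that show up both times, since a process that exits between the probe and the listing looks hidden for one pass. Neither check proves a device clean: a kernel-level rootkit can lie to both the path lookup and the hash read, which is why the integrity comparison is best done from a trusted boot medium or against a hash taken over the flash image, not from the possibly hooked running system.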

The post L7 DDoS Botnet Hijacked 5.76M Devices to Launch Massive Attacks appeared first on Cyber Security News.
