The Hoaxcalls botnet, built to carry out large-scale distributed denial-of-service (DDoS) attacks, has been actively in development since the beginning of the year. One of its hallmarks is that it uses different vulnerability exploits for initial compromise.
Researchers, however, have discovered that it’s been a hit-or-miss journey for its operators when it comes to the bugs they choose – while at the same time, they’ve had to reboot after takedowns.
“The Hoaxcalls campaign has provided researchers with a number of opportunities over the last several months to explore the trials and errors in researching, developing and building a botnet campaign and the abandoned infrastructure that are left behind,” explained Daniel Smith, researcher with Radware, in a Thursday posting. “Like derelict satellites that orbit the earth, these bots skim and crawl vulnerable internet devices without a real objective.”
The Hoaxcalls operators are among those botherders that differentiate themselves from amateur actors with the use of exploits – most of those with fewer technical skills tend to brute-force SSH and Telnet credentials in order to compromise devices and add them to their botnets.
However, that strategy has its downsides, Smith noted.
“Botherders also have to compete with each other for their share of vulnerable resources,” he wrote. “If there are only 400 vulnerable devices for a given exploit, it’s first-come, first-serve. Those that leverage recent or undisclosed exploits stand a better chance of infecting more devices than those that do not.”
A History of Exploits
Hoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it’s named after the domain used to host its malware, Hoaxcalls.pw. The original version was seen infecting devices through two vulnerabilities, according to Palo Alto Networks: a DrayTek Vigor2960 remote code-execution (RCE) vulnerability and a GrandStream Unified Communications remote SQL injection bug (CVE-2020-5722).
Two new Hoaxcalls samples spotted by Radware showed up on the scene in April, incorporating new commands from its command-and-control (C2) server and a new exploit for an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March.
“The operators have also seemed to be favoring the Netlink GPON Router 1.0.11 RCE [in the last 90 days],” Smith said.
To date, the group has incorporated 12 different exploits since March, according to Smith.
“This process is a bit like trial-and-error, and while the number seems impressive, not every attempt was a successful or fruitful one,” he said. “The game of testing exploits for the purpose of propagating botnets is a fast pace, full contact sport. Those that cannot develop or discover their own exploits must rely on public disclosures. Once a proof-of-concept (PoC) is posted, the race is on to become the first to actively leverage the exploit.”
Some of the exploits that the Hoaxcalls group tried but abandoned include the bugs tracked as CVE-2018-10562 and CVE-2018-10561, which are authentication-bypass and command-injection bugs for GPON home routers. Smith’s analysis showed that the cyberattackers used them only a handful of times over the last 90 days.
“The group likely abandoned this exploit for propagation because of its popularity with other, competing bot herders,” explained Smith. “The CVEs for the GPON authentication bypass and command injection were posted back in May 2018. Because this exploit is widely known, it is over-saturated with botherders looking to capture or hijack what remains of devices are left on the internet.”
Another example of a Hoaxcalls failed exploit is a post-authentication remote code-execution (RCE) bug in the Symantec Web Gateway version 126.96.36.199. In May, researchers at Palo Alto Networks’ Unit 42 division observed the latest version of the botnet exploiting this unpatched bug, which exists in a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.
However, Smith speculated that the operators decided its use wasn’t panning out – likely because of its exploitation difficulty level rather than over-saturation.
“From my perspective, Hoaxcalls is really the only campaign attempting to use this exploit,” Smith wrote. “This vulnerability likely saw limited success by the operators due to the post-authentication nature of the Symantec Secure Web Gateway RCE.”
In general, exploits do not guarantee additional devices.
“They can fail for one reason or another,” Smith said. “Some of these reasons include the threat actor’s inability to properly leverage an exploit, a limited number of devices to target or oversaturation due to competition.”
Meanwhile, the Hoaxcalls operators have lost several servers to take-down requests.
“Typically, when the malware host is taken down, the scanners have nothing left to load once they have discovered and compromised a vulnerable device,” explained Smith. “In the event the C2 infrastructure is taken down, the bots will have nothing left to communicate with.”
This typically leaves botherders in the position of having to build a new botnet from scratch.
In April, a Hoaxcalls malware host (19ce033f.ngrok[dot]io) was taken down, leaving infected devices to continue scanning the internet for more devices to compromise, while the threat actors simply resumed operations on another server with IP 188.8.131.52.
The activity proliferated: on April 7, there were 183 IP addresses attempting to distribute Hoaxcalls payloads, compared to a total of 340 IPs at the end of May, according to Radware telemetry. The number of devices scanning has finally started to taper off, Smith said, probably because customers have rebooted the devices, crippling the malware, or because the devices are being re-infected and “re-owned” by a competing botherder.
Overall, “while the threat actors have had a good run so far, developing many variants and leveraging numerous exploits, they have experienced some degree of failure,” Smith said. “Chalk it up to trial and error.”