ZHtrap, the Latest Malware to Install Honeypots on Devices to Identify More Targets


Security researchers at 360 Netlab have discovered a new botnet that targets routers, DVRs, and UPnP network devices and converts the infected devices into honeypots, which help it identify further targets to exploit.

Security experts have named the malware ‘ZHtrap’; it is based on Mirai’s source code. ZHtrap comes with support for x86, ARM, MIPS, and other CPU architectures. Once it takes control of a device, ZHtrap prevents other malware from re-infecting its bots: a whitelist allows only the existing system processes to keep running, and all attempts to execute new commands are blocked.

The malware uses a Tor command-and-control (C2) server to communicate with its botnet nodes and a Tor proxy to hide the malicious traffic. It can be used to launch DDoS attacks and to scan for other vulnerable devices to infect, and it includes a backdoor that lets the operators download and execute additional malicious payloads.

For propagation, ZHtrap uses exploits for four N-day security flaws in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and an extensive list of CCTV-DVR devices. It also looks for devices with weak Telnet passwords, working from a list of randomly generated IP addresses and from the IP addresses gathered by the honeypot it installs on devices already trapped in the botnet.

“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypots. Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module,” security researchers at 360 Netlab stated.
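The honeypot trick cuts both ways: the same kind of listener that ZHtrap uses to harvest scanner IPs is what a defender runs to spot Telnet brute-forcing on an IoT network, and an infected device that is scanning will show up in it. The following is an added example written for this article, not code from 360 Netlab or from the malware: it parses constructed Telnet honeypot log lines (the `src=… dport=… event=…` format is an assumption, as are the sample addresses) and flags sources that issue repeated login attempts, which is the behaviour a ZHtrap-style weak-password scanner produces.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log in a hypothetical Telnet honeypot format
# (assumed format; addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2021-03-10T08:01:02Z src=203.0.113.7 dport=23 event=connect
2021-03-10T08:01:03Z src=203.0.113.7 dport=23 event=login user=root
2021-03-10T08:01:04Z src=203.0.113.7 dport=23 event=login user=admin
2021-03-10T08:01:05Z src=203.0.113.7 dport=23 event=login user=root
2021-03-10T08:02:10Z src=198.51.100.22 dport=23 event=connect
2021-03-10T08:02:11Z src=198.51.100.22 dport=23 event=login user=support
2021-03-10T08:05:00Z src=192.0.2.44 dport=23 event=connect
2021-03-10T08:05:01Z src=192.0.2.44 dport=23 event=login user=root
2021-03-10T08:05:02Z src=192.0.2.44 dport=23 event=login user=root
2021-03-10T08:05:03Z src=192.0.2.44 dport=23 event=login user=admin
"""

# One line = timestamp, source IP, destination port, event, optional user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) "
    r"event=(?P<event>\w+)(?: user=(?P<user>\S+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> Dict[str, dict]:
    """Aggregate connection and login-attempt counts per source IP on port 23."""
    stats = defaultdict(lambda: {"connects": 0, "logins": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != "23":
            continue  # skip malformed lines and non-Telnet traffic
        s = stats[rec["src"]]
        if rec["event"] == "connect":
            s["connects"] += 1
        elif rec["event"] == "login":
            s["logins"] += 1
            if rec["user"]:
                s["users"].add(rec["user"])
    return dict(stats)


def flag_scanners(stats: Dict[str, dict], min_logins: int = 3) -> List[str]:
    """Sources with at least `min_logins` Telnet login attempts, sorted.

    A legitimate admin mistypes a password once or twice; a credential
    scanner walks a list. The threshold is a tunable assumption.
    """
    return sorted(src for src, s in stats.items() if s["logins"] >= min_logins)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in flag_scanners(stats):
        s = stats[src]
        print(f"{src}: {s['logins']} login attempts, users tried: {sorted(s['users'])}")
```

Flagged addresses are candidates for blocking at the edge, but on a LAN populated with DVRs and routers they are more valuable as a list of hosts to inspect: under ZHtrap each of them is likely an already-infected device that is now both scanning and running its own honeypot.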

Recently, security experts have also identified an upgraded version of the z0Miner cryptomining botnet, which now attempts to compromise vulnerable Jenkins and ElasticSearch servers to mine the Monero (XMR) cryptocurrency.