Security researchers have linked a DDoS botnet that may have infected millions of smart TVs and set-top boxes to an eight-year-old cybercrime syndicate called Bigpanzi.
At the height of the campaign, at least 170,000 bots were running daily after infecting Android-based TVs and other streaming hardware through pirated apps and firmware updates.
A common infection scenario involves a user visiting a risky streaming site while browsing on a smartphone, and then being tricked into downloading an associated malicious app onto an Android-based smart TV.
Users end up backdooring their own devices, making their resources available for a range of cybercrimes such as DDoS attacks and the hijacking of other streams, in which a channel’s content is replaced with the attacker’s.
One such incident occurred in the United Arab Emirates in December 2023, when a broadcast was hijacked and replaced with images from inside the conflict between Israel and Palestine.
“The possibility that Bigpanzi-controlled televisions and STBs could broadcast violent, terrorist, or pornographic content, or use increasingly persuasive AI-generated videos for political propaganda, poses a serious threat to social order and stability,” said a researcher at Qianxin, a Chinese security company.
Although the researchers did not elaborate on the botnet’s history of DDoS activity or blame it for any high-profile attacks, they do give a sense of its capabilities, explaining that its DDoS commands are inherited from the infamous Mirai.
Qianxin’s research revealed that the malware, called pandoraspear, has added 11 different Mirai-derived DDoS attack vectors to its command set, although its first few versions included relatively weak tooling in this area.
Mirai, as many will recall, was behind some of the most high-profile DDoS attacks of yesteryear, including those on Dyn, GitHub, Reddit, and Airbnb, all on a single day in October 2016 when it “broke the internet” (in the viral-sensation sense, not the infection sense). It is also malware that keeps resurfacing and remains under active development to this day.
In an effort to trace the identity of the person behind pandoraspear, Qianxin researchers ultimately narrowed their investigation to one company, which they did not reveal in their report.
Bigpanzi and pandoraspear malware have been active since at least 2015.
Efforts to track down Bigpanzi are still ongoing, and the researchers’ “ultimate goal” is to conduct a “definitive attack against them.”
Bigpanzi’s efforts are primarily focused on São Paulo, Brazil, the city where many of the 170,000 bots were identified at the campaign’s peak.
The scale of this botnet was first realized when two of the nine domains used for the botnet’s command and control (C2) infrastructure expired and the researchers were able to register them themselves, giving them a glimpse of how the botnet was running.
The criminals weren’t too happy with the researchers who took over the domains, and responded by forcing them offline.
“Once the group realized we had secured their domain, they aggressively fought back,” the researchers wrote. “They attacked our domain with a DDoS attack, forcing it offline, and manipulated the hosts files on infected devices.
“This strategy redirects specific domain names to specific IP addresses, bypassing the normal DNS resolution process used to find IP addresses for command and control domains. This severely limits our ability to monitor and track them.
“We became less involved in this conflict, voluntarily stopped resolving it, and as a result, we lost this perspective.”
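The hosts-file pinning the researchers describe can be audited from the defender’s side: any entry that maps a public name to a non-loopback address bypasses DNS, and so bypasses a sinkhole. The following is an added example, not code from the Qianxin report; the hosts-file content, domain names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not from the report); the
# C2 names and addresses are placeholders, not real indicators.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# added by malware: pin the C2 name to the attacker's server
203.0.113.10 c2.example-botnet.invalid  update.example-botnet.invalid
198.51.100.7 cdn.example.invalid
"""

# Address ranges a benign hosts file normally maps names to.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real audit would log it
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_overrides(text, watched=()):
    """Flag entries that pin a name to a non-local address.

    Names in `watched` (e.g. domains a researcher has sinkholed) are flagged
    regardless of the address: any hosts-file pin for them defeats DNS.
    """
    findings = []
    for ip, name in parse_hosts(text):
        is_local = any(ip in net for net in LOCAL_NETS)
        if name in watched or not is_local:
            findings.append({"name": name, "ip": str(ip),
                             "watched": name in watched})
    return findings
```

On Android-based set-top boxes the file to audit is typically /system/etc/hosts; the localhost entries parse but are not reported, while every pinned public name is.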
The group is believed to have recently moved its DDoS operations to a separate botnet it controls, using it for more lucrative cybercriminal endeavors, such as running it as a content distribution network.
“This strategic shift highlights the adaptable and evolving nature of cybercrime syndicates like Bigpanzi,” the researchers added.
The botnet is believed to be larger than the six-figure size recorded at its peak in August. The researchers said that because the infected devices are consumer-grade, they are unlikely to be switched on every second of every day, which likely leads to an undercount.
Additionally, their visibility into this operation was limited as they were only able to hijack two out of nine C2 and malware downloader domains.
“In the face of such a large and complex network, our findings are just the tip of the iceberg in terms of what Bigpanzi encompasses,” the researchers said. “A huge amount of tracing and investigation work is still being done.
“The analysis presented in this article is just a glimmer in the darkness that reveals only a small part of Bigpanzi’s shadowy existence. We welcome insights from the cybersecurity community and seek the cooperation of those with the desire and ability to manage these threats. We have an opportunity to fight the Bigpanzi group and contribute to maintaining cybersecurity.” ®