Reaper IoT Botnet


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

The Reaper Internet-of-Things botnet, also known as IoTroop, has been observed growing at a fast pace.

Threat details

The botnet is estimated to have infected up to 2 million devices and it is suspected that a large number of businesses are already infected. Reaper continues to grow by approximately 10,000 devices daily.

Reaper has been designed to exploit vulnerabilities on IoT devices.

To date, a total of 9 known vulnerabilities have been observed as being targeted by the malware. Those vulnerabilities are:

  • D-Link 850L Routers – This vulnerability enables Remote Command Execution, Remote Unauthorised Information Disclosure, and Unauthorised Remote Code Execution.
  • Goahead – Wireless IP Camera (P2P) WIFICAM – Remote Command Execution
  • JAWS – CCTV Recorders
  • Netgear ReadyNAS Surveillance – Unauthenticated Remote Command Execution
  • Vacron NVR – Remote Command Execution
  • Netgear DGN devices – Unauthenticated Command Execution
  • Linksys E1500/E2500 Routers – Multiple vulnerabilities
  • D-Link DIR-600 / DIR-300
  • Avtech devices

As the malware is still in development, new vulnerabilities are being added to its set of targets.

The current primary focus appears to be on spreading the malware to as many vulnerable IoT devices as possible. Research indicates it has been designed to scan less aggressively than Mirai in order to reduce detection rates, and it has a Lua execution environment designed to enable the botnet to support more complex attacks.

There has been no indication yet of the intentions of the threat actor(s) behind the malware. While it remains in development, what the botnet will ultimately be used for is unclear, although this is likely to change once the spreading phase is over. The botnet has the capability for DDoS activity, and the development of Reaper will continue to be monitored to identify whether this is its intended use.

Observations of the infection rate have indicated the following:

  • One of the Command & Control Servers has over 2 million vulnerable devices waiting to be infected
  • One Command & Control Server was seen to be controlling 20,000+ infected devices
  • The number of simultaneous online bots controlled by a single Command & Control server was 4,000+

Threat updates

10 Apr 2018 – A report has been released detailing how Reaper was used to compromise a number of financial sector organisations in January 2018. It appears that Reaper is now able to perform distributed reflection denial-of-service (DRDoS) and DNS amplification attacks.
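Two of the behaviours the alert describes are observable in network flow data: the slow, low-rate scanning of device management interfaces mentioned under Threat details, and the DNS amplification (reflection) attacks in this update. The script below is an added example, not code from the alert or from NHS Digital. It assumes flow records in a constructed CSV shape (timestamp, source, destination, protocol, source port, destination port, bytes), assumes that the affected device classes expose web management on ports 80, 81, 8080 and 8081 (adjust to your own inventory), and uses a constructed resolver address 10.0.0.53 and constructed sample traffic. The scanner detector counts distinct targets over a long window rather than a per-minute rate, which is what a low-and-slow scanner is designed to slip under; the amplification detector compares query bytes into a resolver with answer bytes out of it per client address, which is the signature of a spoofed victim being reflected at.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption (not from the alert): web-management ports typical of the router,
# camera and NVR classes it lists. Replace with what your inventory actually exposes.
MGMT_PORTS = {80, 81, 8080, 8081}


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds (constructed timestamps)
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts,src,dst,proto,sport,dport,bytes' records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(sport), int(dport), int(nbytes)))
    return flows


def detect_slow_scanners(flows, window_s=3600, min_hosts=6):
    """Sources that touch >= min_hosts distinct hosts on management ports within one window.

    A per-minute rate threshold misses a scanner that probes one host every few minutes,
    so distinct targets are counted over a long window instead. Returns {src: max_hosts}.
    """
    targets = defaultdict(set)                        # (src, window bucket) -> {dst}
    for f in flows:
        if f.proto == "tcp" and f.dport in MGMT_PORTS:
            targets[(f.src, f.ts // window_s)].add(f.dst)
    flagged = {}
    for (src, _), hosts in targets.items():
        if len(hosts) >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged


def detect_dns_amplification(flows, resolver_ip, min_queries=5, min_factor=10.0):
    """Clients for which the resolver's answers total >= min_factor x their query bytes.

    In a reflection attack the 'client' address is the spoofed victim: many small queries
    arrive from it and much larger answers go back to it. Returns {client: factor}.
    """
    q_bytes, q_count, r_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == resolver_ip and f.dport == 53:    # query into the resolver
            q_bytes[f.src] += f.nbytes
            q_count[f.src] += 1
        elif f.src == resolver_ip and f.sport == 53:  # answer out of the resolver
            r_bytes[f.dst] += f.nbytes
    flagged = {}
    for client, n in q_count.items():
        if n >= min_queries and q_bytes[client] > 0:
            factor = r_bytes[client] / q_bytes[client]
            if factor >= min_factor:
                flagged[client] = round(factor, 1)
    return flagged


# Constructed sample traffic (not real captures): one slow scanner, one operator,
# one spoofed reflection victim and one ordinary DNS client.
RESOLVER = "10.0.0.53"
SAMPLE_FLOWS = "\n".join(
    ["# ts,src,dst,proto,sport,dport,bytes"]
    # one management-port probe every ten minutes, each to a different host
    + [f"{i * 600},203.0.113.7,10.0.0.{i + 1},tcp,{40000 + i},{[80, 8080, 81][i % 3]},120"
       for i in range(6)]
    # an operator opening one device's web UI twice
    + ["100,10.0.0.50,10.0.0.1,tcp,50001,80,900", "200,10.0.0.50,10.0.0.1,tcp,50002,80,900"]
    # spoofed victim: 60-byte queries in, 3000-byte answers out
    + [f"{10 + i},198.51.100.5,{RESOLVER},udp,4444,53,60" for i in range(6)]
    + [f"{10 + i},{RESOLVER},198.51.100.5,udp,53,4444,3000" for i in range(6)]
    # ordinary client: 60-byte queries, 120-byte answers
    + [f"{20 + i},10.0.0.20,{RESOLVER},udp,5555,53,60" for i in range(6)]
    + [f"{20 + i},{RESOLVER},10.0.0.20,udp,53,5555,120" for i in range(6)]
)


def run_sample():
    """Run both detectors over the constructed sample and return their findings."""
    flows = parse_flows(SAMPLE_FLOWS)
    return detect_slow_scanners(flows), detect_dns_amplification(flows, RESOLVER)


if __name__ == "__main__":
    scanners, reflections = run_sample()
    print("slow scanners:", scanners)          # {'203.0.113.7': 6}
    print("amplified clients:", reflections)   # {'198.51.100.5': 50.0}
```

The scanner in the sample makes one connection every ten minutes, which no per-minute threshold would catch; the hour-long window with a distinct-host count flags it while the operator who opens a single device's interface twice is not flagged. The amplification check flags the spoofed victim at a factor of 50 and leaves the ordinary client (factor 2) alone; both thresholds are starting points to tune against your own baseline.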


Remediation steps

An organisation can help to protect itself in the event of a DDoS incident by considering the following recommendations:

  • The use of a third-party DDoS mitigation tool.
  • Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
  • Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.

Last edited: 17 February 2020 11:37 am