ZHtrap Botnet

Summary

Loosely based on the Mirai botnet, ZHtrap is a newly observed worm and associated botnet targeting a wide range of Small Office/Home Office (SOHO) and IoT devices.


Affected platforms

The following platforms are known to be affected:

Small Office/Home Office and IoT devices


Threat details

Introduction

First observed in early 2021, ZHtrap is a worm and botnet based on the older Mirai source code. Much like other Mirai clones, it targets a wide range of Small Office/Home Office (SOHO) and Internet-of-Things (IoT) devices.


Delivery and activities

ZHtrap identifies new devices to propagate to by scanning randomly generated IP addresses, then deploys four known exploits or a hard-coded Telnet password list against them. It also turns previously enrolled devices into honeypots: any IP address that connects to them is passed to the scanning module as a new target.

Once installed on a device, ZHtrap connects to a botnet controller over a Tor node, with all traffic between itself and other devices relayed through another Tor proxy.

At the time of publication, the ZHtrap botnet appears to be used only in small-scale distributed denial-of-service (DDoS) attacks.
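The propagation behaviour described above (an infected device scanning randomly generated addresses and trying Telnet credentials) gives defenders a network-side signal: a single internal host suddenly opening connections to many distinct destinations on the Telnet port. The following is an added illustration, not code from the advisory or from NHS Digital, of a simple fixed-window detector over flow records. The flow tuple format, the ports checked (23, plus 2323 as a commonly used alternative) and the threshold of 20 distinct destinations per minute are assumptions to be tuned for your own network; the flows fed to it are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Assumptions: Telnet on 23, with 2323 as a common alternative; both are worth watching.
TELNET_PORTS = {23, 2323}
# Assumption: a benign SOHO/IoT host rarely reaches 20 distinct Telnet peers in a minute.
DEFAULT_THRESHOLD = 20

Flow = Tuple[float, str, str, int]  # (timestamp_seconds, src_ip, dst_ip, dst_port)


def detect_telnet_scanners(
    flows: Iterable[Flow], window_s: int = 60, threshold: int = DEFAULT_THRESHOLD
) -> Dict[str, int]:
    """Return {src_ip: distinct_telnet_destinations} for every source that
    contacted at least `threshold` distinct destinations on a Telnet port
    within one fixed window of `window_s` seconds."""
    # (src, window_index) -> set of distinct destination IPs on Telnet ports
    buckets: Dict[Tuple[str, int], set] = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            buckets[(src, int(ts // window_s))].add(dst)

    suspects: Dict[str, int] = {}
    for (src, _window), dsts in buckets.items():
        if len(dsts) >= threshold:
            # Keep the worst window seen for each source.
            suspects[src] = max(suspects.get(src, 0), len(dsts))
    return suspects


# Constructed sample: one host sweeping 25 Telnet targets in a minute, one
# host with ordinary browsing plus a couple of legitimate Telnet sessions.
SAMPLE_FLOWS: list = [
    (float(i), "192.0.2.50", f"198.51.100.{i}", 23) for i in range(25)
] + [
    (10.0, "192.0.2.60", "203.0.113.5", 443),
    (11.0, "192.0.2.60", "203.0.113.6", 443),
    (12.0, "192.0.2.60", "192.0.2.1", 23),
    (13.0, "192.0.2.60", "192.0.2.2", 2323),
]

if __name__ == "__main__":
    for src, count in detect_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"possible Telnet scanner {src}: {count} distinct destinations in one window")
```

A host flagged this way is a candidate for isolation and firmware review rather than proof of infection; legitimate management tools can produce similar patterns, so the threshold should be set from a baseline of normal traffic.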


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 107[.]189[.]30[.]190:1282
  • 107[.]189[.]30[.]190:2231
  • 139[.]99[.]134[.]95:9095
  • 142[.]93[.]247[.]244:9050
  • 144[.]217[.]243[.]21:9095
  • 147[.]135[.]208[.]44:9095
  • 167[.]114[.]185[.]33:9095
  • 198[.]245[.]53[.]58:9095
  • 46[.]101[.]61[.]9:9050
  • 51[.]178[.]54[.]234:9095
  • 51[.]79[.]157[.]89:9095
  • 66[.]70[.]188[.]235:9095

Domains

  • 0xdeadbeef[.]tw
  • h5vwy6o32sdcsa5xurde35dqw5sf3cdsoeewqqxmhoyzsvar4u6ooead[.]onion:8080
  • oemojwe5loscudytzfo273nkdvalf7mumctwcm42zyutoo6tpfjsphyd[.]onion:3000

URLs

  • 107.189.30[.]190/bins/z
  • oemojwe5loscudytzfo273nkdvalf7mumctwcm42zyutoo6tpfjsphyd.onion:8080/z


Host indicators

MD5 hashes

  • 5370e0b9484cb25fb3d5a4b648b5c203
  • 6c7cfbe0277e2ca0cbe7157cad7c663e
  • f1f70dc1274112ae5287ceb06f096d0e
  • 9dded61f7de47409bc00e74c0a12210e
  • 7b593fbbd6f81a3e9a2043a46949879d
  • ba17282481acca9636c5d01f5c2dd069
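The indicators above are published defanged (`[.]`), which is safe to copy into a report but will not match a live log line. As an added example, not part of the advisory, the script below refangs the network and host indicators listed on this page and runs them over key=value connection log lines; the log format, the severity labels and the sample lines are constructed for illustration. An exact IP:port hit is rated higher than a bare IP or domain hit because several of the listed addresses are proxy ports that may legitimately differ.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators copied from the advisory above, still in their published defanged form.
IOC_IP_PORTS = [
    "107[.]189[.]30[.]190:1282", "107[.]189[.]30[.]190:2231",
    "139[.]99[.]134[.]95:9095", "142[.]93[.]247[.]244:9050",
    "144[.]217[.]243[.]21:9095", "147[.]135[.]208[.]44:9095",
    "167[.]114[.]185[.]33:9095", "198[.]245[.]53[.]58:9095",
    "46[.]101[.]61[.]9:9050", "51[.]178[.]54[.]234:9095",
    "51[.]79[.]157[.]89:9095", "66[.]70[.]188[.]235:9095",
]
IOC_DOMAINS = [
    "0xdeadbeef[.]tw",
    "h5vwy6o32sdcsa5xurde35dqw5sf3cdsoeewqqxmhoyzsvar4u6ooead[.]onion:8080",
    "oemojwe5loscudytzfo273nkdvalf7mumctwcm42zyutoo6tpfjsphyd[.]onion:3000",
]
IOC_URLS = [
    "107.189.30[.]190/bins/z",
    "oemojwe5loscudytzfo273nkdvalf7mumctwcm42zyutoo6tpfjsphyd.onion:8080/z",
]
IOC_MD5 = {
    "5370e0b9484cb25fb3d5a4b648b5c203", "6c7cfbe0277e2ca0cbe7157cad7c663e",
    "f1f70dc1274112ae5287ceb06f096d0e", "9dded61f7de47409bc00e74c0a12210e",
    "7b593fbbd6f81a3e9a2043a46949879d", "ba17282481acca9636c5d01f5c2dd069",
}


def refang(value: str) -> str:
    """Turn the published defanged form ("[.]") back into a matchable string."""
    return value.replace("[.]", ".")


def strip_port(hostport: str) -> str:
    """'1.2.3.4:9095' -> '1.2.3.4'; values without a port are returned unchanged."""
    return hostport.rsplit(":", 1)[0]


# Refanged lookup sets built once at import time.
IP_PORTS = {refang(x) for x in IOC_IP_PORTS}
IPS = {strip_port(x) for x in IP_PORTS}
DOMAINS = {strip_port(refang(d)) for d in IOC_DOMAINS}
URLS = {refang(u) for u in IOC_URLS}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> dict:
    """Parse a constructed key=value connection log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a line touches a listed indicator, else None."""
    f = parse_log_line(line)
    dst, host, url = f.get("dst", ""), f.get("host", ""), f.get("url", "")
    # Strip an http:// or https:// scheme so the URL compares against the listed form.
    bare_url = re.sub(r"^https?://", "", url)
    if bare_url in URLS:
        return ("high", f"request to listed ZHtrap payload URL {bare_url}")
    if dst in IP_PORTS:
        return ("high", f"destination {dst} is a listed ZHtrap endpoint")
    if strip_port(dst) in IPS:
        return ("medium", f"destination IP {strip_port(dst)} is listed (different port)")
    if host and strip_port(host).lower() in DOMAINS:
        return ("medium", f"hostname {host} is a listed ZHtrap domain")
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return [(line, severity, reason)] for every line that matched an indicator."""
    hits = []
    for line in lines:
        hit = classify(line)
        if hit:
            hits.append((line, hit[0], hit[1]))
    return hits


def is_known_md5(hexdigest: str) -> bool:
    """Case-insensitive lookup of an MD5 hex digest against the host indicators."""
    return hexdigest.lower() in IOC_MD5


def md5_is_listed(data: bytes) -> bool:
    """Hash raw file bytes and check them against the listed MD5 values."""
    return is_known_md5(hashlib.md5(data).hexdigest())


# Constructed sample log lines; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = [
    "ts=2021-03-18T10:00:01Z src=192.0.2.10 dst=107.189.30.190:1282 proto=tcp",
    "ts=2021-03-18T10:00:02Z src=192.0.2.11 dst=203.0.113.20:443 proto=tcp",
    "ts=2021-03-18T10:00:03Z src=192.0.2.12 dst=46.101.61.9:443 proto=tcp",
    "ts=2021-03-18T10:00:04Z src=192.0.2.13 dst=203.0.113.21:80 host=0xdeadbeef.tw proto=tcp",
    "ts=2021-03-18T10:00:05Z src=192.0.2.14 dst=107.189.30.190:80 url=http://107.189.30.190/bins/z",
]

if __name__ == "__main__":
    for line, severity, reason in scan_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Hash matching should be treated as confirmation rather than the primary control: a recompiled sample changes its MD5, whereas the Tor-fronted endpoints and download paths tend to persist longer.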

Last edited: 18 March 2021 3:10 pm