Posted on November 2, 2021 at 5:05 PM

Netlab Security Discovers “Pink” Botnet Malware that Infected 1.6 Million Devices

New research from a cybersecurity firm has revealed the “largest botnet” attack. The researchers involved in this study stated that the botnet was discovered in the wild and has been operating over the past six years. The research states that the botnet has affected more than 1.6 million devices during the past six years that it has been in operation.

The research states that the devices affected during this attack were primarily based in China. The research stated that the attackers’ objectives behind this botnet were to launch a distributed denial-of-service (DDoS) attack and insert advertisements into HTTP websites that had been accessed by the unsuspecting victims.

Researchers Detect Pink Botnet

The research in question was conducted by Qihoo 360’s Netlab security team. The team stated that the malware in question was dubbed “Pink”. The research further stated that the first sample of this malware was collected on November 21, 2019. The researchers stated that this malware was dubbed the Pink botnet because of the high number of function names that started with the name “pink”.

The researchers stated that the main target of the malware was MIPS-based fibre routers. Its working mechanism uses a collection of third-party services and platforms, including GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers. These servers are used by the botnet to control communications.

In addition, the malware works by totally encrypting transmission channels. This prevents the targeted device from being reclaimed by its owners.

In the report published on October 29, the researchers stated that “Pink raced with the vendor to retain control over the infected devices, while vendor made repeated attempts to fix the problem, the bot master noticed the vendor’s action also in real-time, and made multiple firmware updates on the fibre routers correspondingly.”

However, the researchers failed to mention the vendor that was compromised during these attacks stating that they had first informed them at the beginning of 2020 and gave them time to fix the error before publishing their findings.

Since most of the affected devices hailed from China, the researchers stated that China’s Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC) was also involved in taking action that will help in solving the discovered botnet on the devices.

Surprisingly, the researchers also added that the Pink botnet was found to be using a DNS-Over-HTTPS (DoH) protocol. This is a protocol used to carry out remote Domain Name System resolutions. The resolutions are done using the HTTPs protocol, and they are used to link to the controller noted down in the configuration file.

The researchers further stated that the botnet also used the DoH protocol to link to the controller listed in a configuration file delivered via GitHub or through the Baidu Tieba. It was also delivered through a built-in domain name that was hard-coded into some of the collected samples.

Botnet Targeted Chinese Users

Over 96% of the zombie nodes used to conduct the “super-large-scale, bot network” attack were based in China. The results of this report were also confirmed through another independent report published by NSFOCUS, a cybersecurity company based in Beijing.

The two reports collaborated the findings that the threat actors were accessing the devices to install malicious programs by leveraging zero-day vulnerabilities. These vulnerabilities were located on the network gateway devices.

The publishing of this report also calls for more vigilance from institutions because the researchers noted that the malware was still active. It further stated that around 100,000 nodes of the malware were still active. However, the researchers stated that a wide range of the infected devices had already been repaired, and their services had been restored. 

The botnet has been used to launch around 100 DDoS attacks to date. This research shows that these botnets can be used to offer a powerful infrastructure that can be exploited by threat actors to launch attacks on devices.

“Internet of Things devices have become an important goal for black production organizations and even advanced persistent threats (APT) organizations,” the independent research stated. The researchers also noted that while this could be the largest botnet attack to be recorded, it would not be the last one.

“When evaluating the risks brought by botnets, we must not only figure out what hackers have done through botnets but also predict zombies. What the network may be used for in the future so that it can be calmly dealt with when threats come. We will pay close attention to the development of hacker technology and the trends of hacker organizations, in-depth study of the mechanism and characteristics of ultra-large-scale botnets, and continue to expose the potential harm of botnets,” NSFOCUS said.