HEH ☣️Disk Wiping botnet

Researchers discovered a new botnet, tracked as HEH, that contains the code to wipe all data from infected systems, such as routers, IoT devices, and servers.

Experts noticed that the malware supports multiple CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC. It is written in the Go open-source programming language.

The botnet targets systems with SSH ports (23 and 2323) exposed online by launching brute-force attacks.

Upon gaining access to the device, the bot downloads one of seven binaries that install the HEH malware.
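The brute-force propagation described above is visible in login logs as a burst of failures on ports 23 and 2323, sometimes followed by a success. The following detection sketch is an added example, not code from the original report or from the researchers; the log format, the sample records, the 60-second window and the threshold of 5 are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PORTS = {23, 2323}      # the two ports the article says HEH brute-forces
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed failed logins per window before alerting

# Constructed sample records: "<ISO time> <source IP> <dest port> <FAIL|OK>"
SAMPLE_LOG = """\
2020-10-07T12:00:00 203.0.113.5 23 FAIL
2020-10-07T12:00:04 203.0.113.5 23 FAIL
2020-10-07T12:00:05 198.51.100.7 23 FAIL
2020-10-07T12:00:08 203.0.113.5 2323 FAIL
2020-10-07T12:00:12 203.0.113.5 23 FAIL
2020-10-07T12:00:15 192.0.2.9 22 FAIL
2020-10-07T12:00:16 203.0.113.5 2323 FAIL
2020-10-07T12:00:20 203.0.113.5 23 OK
2020-10-07T12:05:00 198.51.100.7 23 FAIL
2020-10-07T12:05:30 198.51.100.7 23 OK
truncated line
"""

def analyze(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (sources that crossed the failure threshold,
    sources that then logged in, i.e. a guessed credential worked)."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    brute_forcers, compromised = {}, {}
    for line in log_text.splitlines():
        try:
            ts_raw, src, port_raw, result = line.split()
            ts, port = datetime.fromisoformat(ts_raw), int(port_raw)
        except ValueError:
            continue              # skip malformed records instead of crashing
        if port not in WATCHED_PORTS:
            continue
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                brute_forcers.setdefault(src, ts)   # keep first alert time
        elif result == "OK" and src in brute_forcers:
            compromised.setdefault(src, (port, ts))
    return brute_forcers, compromised

if __name__ == "__main__":
    flagged, breached = analyze(SAMPLE_LOG)
    print("brute force sources:", sorted(flagged))
    print("logged in after brute force:", sorted(breached))
```

A source that appears in the second result should be treated as a likely infection of the target device, since the article states the bot downloads its installer binaries as soon as access is gained.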

The analysis of the HEH Bot revealed that it contains three functional modules: a propagation module, a local HTTP service module and a P2P module.

Experts pointed out that the bot doesn’t contain any offensive features, such as the ability to launch DDoS attacks or to mine cryptocurrency, a circumstance that suggests the malware is under development.

“At present, the most useful functions for the entire Botnet are to execute Shell commands, update Peer List and UpdateBotFile. The Attack function in the code is just a reserved empty function, and has not been implemented. It can be seen that the Botnet is still in the development stage.”

The function for parsing Bot Cmd in the bot is main.executeCommand(). The most notable feature noticed by the experts is related to a cmd with code number 8: when the bot receives this command, it tries to wipe out the content of the disks through a series of Shell commands.

The malware is able to wipe content from home routers, Internet of Things (IoT) smart devices, and Linux servers.
