
A huge botnet, tracked as Pink, has already infected over 1.6 million devices. It was built to launch DDoS attacks and to inject advertisements into the legitimate HTTP traffic of its victims, 96% of which are in China.
Pink is the largest botnet the researchers have observed in the last six years. The number of infected devices is impressive: researchers observed 1,962,308 unique daily active IPs from the Pink botnet hitting their systems.
The botnet relies on a robust architecture that combines third-party services, P2P, and Command & Control servers. This design makes the botnet resilient to takedowns by law enforcement and security firms acting with the support of the vendors of the infected devices.
Every time a vendor attempted to address the problem, the botmaster pushed multiple firmware updates to the fiber routers to keep control of them.
Pink also uses DNS-over-HTTPS (DoH) to distribute configuration information, either via a project hidden on GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.
The threat actors exploited a zero-day vulnerability in broadband devices of specific brands. The affected devices were mainly deployed in North China and Northeast China, with most installations in Beijing.
Unlike other botnets, the Pink malware only targets the MIPS architecture used by those devices.
The Pink botnet supports the following set of commands:
- File download
- System command execution
- DDoS attacks
- Scan
- Report device information
- Self-update
- P2P node list synchronisation
- HTTP message injection
- SOCKS5 proxy service
- Download the file and execute
- Stop the attack
- Reset watchdog
Indicators of Compromise (download URL, country code, MD5 hash)
- http:// 140.82.53.129/client_l FR 5c322610e1845d0be9ccfc8a8b6a4c4f
- http:// 155.138.140.245/client_l CA 5c322610e1845d0be9ccfc8a8b6a4c4f
- http:// 95.179.238.22/client_l NL 5c322610e1845d0be9ccfc8a8b6a4c4f
- http:// 209.250.247.60/client_b GB 5c322610e1845d0be9ccfc8a8b6a4c4f
- http:// 209.250.247.60/client_l GB 7608b24c8dcf3cd7253dbd5390df8b1f
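The following script is an added example, not code from the original report, showing how a defender can put the IoCs listed above to work: it parses the defanged lines into structured records (URL, country code, MD5), then checks proxy log lines for requests to the listed download URLs (or to the listed hosts with a different path) and checks a set of file hashes against the listed MD5 values. The IoC lines are copied from the page; the log lines and the observed hashes are constructed for the demonstration.

```python
"""Match the Pink botnet IoCs against proxy logs and file hashes (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IoC lines exactly as listed on the page: defanged URL, country code, MD5 hash.
IOC_LINES = """
http:// 140.82.53.129/client_l FR 5c322610e1845d0be9ccfc8a8b6a4c4f
http:// 155.138.140.245/client_l CA 5c322610e1845d0be9ccfc8a8b6a4c4f
http:// 95.179.238.22/client_l NL 5c322610e1845d0be9ccfc8a8b6a4c4f
http:// 209.250.247.60/client_b GB 5c322610e1845d0be9ccfc8a8b6a4c4f
http:// 209.250.247.60/client_l GB 7608b24c8dcf3cd7253dbd5390df8b1f
"""

# Constructed proxy log lines for the demo (timestamp, client, method, URL, status).
LOG_LINES = [
    "2021-10-01T10:00:01Z 10.0.0.5 GET http://140.82.53.129/client_l 200",
    "2021-10-01T10:00:02Z 10.0.0.7 GET http://example.com/index.html 200",
    "2021-10-01T10:00:03Z 10.0.0.9 GET http://209.250.247.60/other_path 404",
]

# Constructed hash list for the demo: one listed IoC hash (upper-case) and the MD5 of
# the empty string, which is not an indicator.
OBSERVED_HASHES = [
    "5C322610E1845D0BE9CCFC8A8B6A4C4F",
    "d41d8cd98f00b204e9800998ecf8427e",
]

# scheme, then the defanging gap, then host/path, country code, 32 hex chars of MD5
IOC_RE = re.compile(r"^(https?://)\s*(\S+)\s+([A-Z]{2})\s+([0-9a-f]{32})$")


@dataclass(frozen=True)
class Ioc:
    url: str       # refanged URL (the "http:// " gap removed)
    host: str
    path: str
    country: str
    md5: str


def parse_iocs(text: str) -> list[Ioc]:
    """Turn the defanged IoC lines into Ioc records; reject anything unexpected."""
    iocs = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        url = m.group(1) + m.group(2)
        parts = urlsplit(url)
        iocs.append(Ioc(url, parts.hostname, parts.path, m.group(3), m.group(4)))
    return iocs


def scan_proxy_log(log_lines: list[str], iocs: list[Ioc]) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, indicator) hits.

    kind is "url" for a request to a listed download URL (matched on host + path so
    that a different scheme or port does not hide a hit) and "host" for any other
    request to one of the listed hosts.
    """
    exact = {(i.host, i.path) for i in iocs}
    hosts = {i.host for i in iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in re.findall(r"https?://\S+", line):
            p = urlsplit(url)
            if (p.hostname, p.path) in exact:
                hits.append((n, "url", url))
            elif p.hostname in hosts:
                hits.append((n, "host", p.hostname))
    return hits


def match_hashes(observed: list[str], iocs: list[Ioc]) -> list[str]:
    """Return the listed MD5 values found among observed hashes (case-insensitive)."""
    known = {i.md5 for i in iocs}
    return sorted({h.lower() for h in observed if h.lower() in known})


if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    for hit in scan_proxy_log(LOG_LINES, iocs):
        print("proxy hit:", hit)
    print("hash hits:", match_hashes(OBSERVED_HASHES, iocs))
```

Note that the same MD5 appears behind four of the five URLs, so a hash-based check catches the payload regardless of which host served it, while the host-level match on line 3 of the constructed log is a weaker signal (the path is not listed) and should be treated as a lead to triage rather than a confirmed infection.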