Researchers detail the largest botnet seen in the wild in the last 6 years

Qihoo 360’s Netlab cybersecurity researchers have discovered what they describe as “the largest botnet” observed in the wild in the last six years. Dubbed ‘Pink’, the botnet has infected over 1.6 million devices, 96% of which are located in China.

The name “Pink” comes from a botnet sample obtained by Netlab in November 2019, which contained a large number of function names starting with “pink.”

The botnet was created to launch DDoS attacks and to insert advertisements into the legitimate HTTP traffic of the victims. Pink mainly targets MIPS-based fiber routers and uses a combination of third-party services, P2P and central command-and-control servers for its bot-to-controller communications. It fully verifies C2 communications to ensure that the bot nodes cannot easily be cut off or taken over.

“Pink raced with the vendor to retain control over the infected devices. While the vendor made repeated attempts to fix the problem, the bot master noticed the vendor's actions in real time and made multiple firmware updates on the fiber routers correspondingly,” the researchers revealed in a report.

Netlab also noticed that Pink uses the DNS-over-HTTPS (DoH) protocol, which is uncommon among botnets. DoH is used to resolve the location of configuration information, which is distributed via a project hidden on GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.
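A defender-side check suggested by this behaviour, added here as an example and not taken from the Netlab or NSFOCUS reports: a fiber router has no business issuing DNS-over-HTTPS queries or pulling files from public code-hosting sites, so flows that do so from the router management subnet are worth an alert. The subnet, the flow-log format and the list of public content hosts are assumptions constructed for the example; DoH is recognised by the RFC 8484 `/dns-query` path rather than by resolver address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow log, one record per line:
# "src_ip dst_port tls_sni http_method path"
SAMPLE_FLOWS = """\
10.20.0.5 443 dns.google POST /dns-query
10.20.0.7 443 update.vendor.example GET /firmware/check
10.20.0.9 443 cloudflare-dns.com GET /dns-query?dns=AAABAAABAAAAAAAA
192.168.1.40 443 dns.google POST /dns-query
10.20.0.5 443 raw.githubusercontent.com GET /someuser/somerepo/main/cfg.txt
"""

# Assumption: the fiber routers live in this management subnet.
ROUTER_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# RFC 8484 DoH endpoint path (query string stripped before comparison).
DOH_PATH = "/dns-query"
# Assumption: public content hosts a router should never fetch from.
PUBLIC_CONTENT_HOSTS = {"raw.githubusercontent.com", "github.com", "tieba.baidu.com"}

@dataclass
class Alert:
    src_ip: str
    reason: str
    sni: str

def parse_flow(line):
    src, port, sni, method, path = line.split()
    return {"src": src, "port": int(port), "sni": sni, "method": method, "path": path}

def flag_router_flows(flows_text, router_subnet=ROUTER_SUBNET):
    """Return alerts for router-originated DoH or public-content-host flows."""
    alerts = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if ipaddress.ip_address(f["src"]) not in router_subnet:
            continue  # only infrastructure devices are in scope
        bare_path = f["path"].split("?", 1)[0]
        if bare_path == DOH_PATH:
            alerts.append(Alert(f["src"], "router-initiated DNS-over-HTTPS", f["sni"]))
        elif f["sni"] in PUBLIC_CONTENT_HOSTS:
            alerts.append(Alert(f["src"], "router fetch from public content host", f["sni"]))
    return alerts
```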

“Unlike the other botnets we commonly see, Pink will flash the original firmware of the fiber router after infecting it in order to maintain absolute control. In the rewritten firmware, PinkBot's downloader C2 and the supporting bootloader are included,” the researchers said.

According to a separate report from Beijing-based cybersecurity company NSFOCUS, the threat actor behind the Pink botnet is exploiting zero-day vulnerabilities in the IoT devices to install the malware.

“The Pink malware can be divided into three modules in terms of function: implantation, residency, and control. When the Pink malicious program is implanted in the device and runs, it will actively block the automatic upgrade channel of the device, which greatly increases the difficulty of emergency response and online repair, and the degree of harm is extremely high. Through in-depth analysis of the incident, we believe that this attack has exceeded the scope of botnets and is an advanced targeted attack,” the researchers said.