Echobot has evolved with a new variant that uses 77 remote code execution exploits. The exploits in the current version target products including routers, IP cameras, VoIP phones, presentation systems, smart home hubs, software, data analytics platforms, biometric scanners, network-attached storage systems, and thermal cameras. In the latest campaign, Echobot was delivered from 10 different compromised devices, which sheds light on the propagation mechanism. The binaries, though, are hosted at a single IP address. The malware dropper is on an open server in a file called Richard.
The exploits cover over a decade of security flaws, ranging from 2009 to 2019, in multiple products such as IoT devices and enterprise apps. Indicators of compromise are listed below.