Hoaxcalls, a new DDoS botnet, is actively exploiting two vulnerabilities in devices that are widely deployed in environments around the world. The same two vulnerabilities are also being exploited in other, unrelated attacks. Both are easy to exploit and lead to remote code execution on the affected device.
Shortly after a proof-of-concept (PoC) for CVE-2020-8515 was released in March, a new DDoS botnet began exploiting the vulnerability to propagate. The same botnet also propagates by exploiting CVE-2020-5722. Attack traffic has doubled since 03/31/2020, which implies that many Grandstream UCM6200 and DrayTek Vigor devices are either already infected or under active attack. Both CVE-2020-8515 and CVE-2020-5722 carry a critical CVSS rating of 9.8 out of 10: they are reachable over the network, need no authentication or user interaction, and have a trivially low attack complexity. Successful exploitation lets the attacker execute arbitrary commands on the vulnerable device. Attacks like these show that IoT and network-edge devices remain an attractive and growing target.
The “Hoaxcalls” malware is built on the Gafgyt/Bashlite codebase and can launch a variety of DDoS attacks depending on the commands it receives from its C2. Beyond its DDoS capabilities, Hoaxcalls exploits the two vulnerabilities above to propagate. Once running, the bot connects to its C2 server at 178[.]32[.]148[.]5 on TCP port 1337 and speaks IRC. The C2’s IRC channel is #hellroom. The nick, ident, and user name are each 13-character strings that always begin with XTC| followed by 9 random characters. The following figure shows the bot’s IRC traffic with its C2 server.
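The C2 details above (fixed endpoint, channel name, and the XTC| naming pattern) are enough to write a simple network detection. The following is an added example, not code from the original write-up or from the Hoaxcalls/Gafgyt authors: it scores reconstructed client-to-server IRC sessions against those indicators. The sample sessions are constructed for illustration, and the assumption that the 9 random characters are alphanumeric is mine (the write-up does not specify the character set), so widen the character class if captured samples differ.

```python
"""Flag IRC sessions that match the Hoaxcalls C2 indicators described above."""
import re
from dataclasses import dataclass, field
from typing import List

# Indicators from the write-up (IP un-defanged).
C2_HOST = "178.32.148.5"
C2_PORT = 1337
C2_CHANNEL = "#hellroom"
# nick/ident/user: exactly 13 characters, "XTC|" followed by 9 random characters.
# Assumption (not stated in the write-up): the random characters are alphanumeric.
XTC_NAME = re.compile(r"^XTC\|[A-Za-z0-9]{9}$")


@dataclass
class Flow:
    """One client-to-server IRC session reconstructed from a capture or Zeek log."""
    dst_ip: str
    dst_port: int
    lines: List[str]


@dataclass
class Verdict:
    flagged: bool
    reasons: List[str] = field(default_factory=list)


def irc_line_indicators(line: str) -> List[str]:
    """Return the Hoaxcalls indicators present in a single IRC command line."""
    reasons: List[str] = []
    parts = line.strip().split()
    if not parts:
        return reasons
    cmd = parts[0].upper()
    if cmd == "NICK" and len(parts) >= 2 and XTC_NAME.match(parts[1]):
        reasons.append("nick matches XTC|<9 chars>")
    elif cmd == "USER" and len(parts) >= 2:
        # USER <ident> <mode> <unused> :<realname>
        if XTC_NAME.match(parts[1]):
            reasons.append("ident matches XTC|<9 chars>")
        realname = line.split(":", 1)[1].strip() if ":" in line else ""
        if XTC_NAME.match(realname):
            reasons.append("realname matches XTC|<9 chars>")
    elif cmd == "JOIN" and len(parts) >= 2 and parts[1].lower() == C2_CHANNEL:
        reasons.append("joins C2 channel " + C2_CHANNEL)
    return reasons


def score_flow(flow: Flow) -> Verdict:
    """A flow is flagged on the known C2 endpoint alone, or on two or more
    protocol-level indicators; a lone weak signal (e.g. only a channel name
    that some unrelated network might also use) is reported but not flagged."""
    reasons: List[str] = []
    endpoint_hit = flow.dst_ip == C2_HOST and flow.dst_port == C2_PORT
    if endpoint_hit:
        reasons.append(f"connects to known C2 {C2_HOST}:{C2_PORT}")
    for line in flow.lines:
        reasons.extend(irc_line_indicators(line))
    return Verdict(endpoint_hit or len(reasons) >= 2, reasons)


# Constructed sample sessions (not captured traffic): one Hoaxcalls-style
# session, one ordinary IRC user, and one weak false-positive candidate.
SAMPLE_FLOWS = [
    Flow(C2_HOST, C2_PORT, [
        "NICK XTC|a1b2c3d4e",
        "USER XTC|a1b2c3d4e 0 * :XTC|a1b2c3d4e",
        "JOIN #hellroom",
    ]),
    Flow("198.51.100.20", 6667, [
        "NICK alice",
        "USER alice 0 * :Alice Example",
        "JOIN #linux",
    ]),
    Flow("198.51.100.21", 6667, [
        "NICK bob",
        "JOIN #HellRoom",
    ]),
]


def main() -> None:
    for flow in SAMPLE_FLOWS:
        verdict = score_flow(flow)
        state = "FLAGGED" if verdict.flagged else "ok"
        print(f"{flow.dst_ip}:{flow.dst_port} {state} {verdict.reasons}")


if __name__ == "__main__":
    main()
```

In practice the flows would come from Zeek's irc.log or from a full-packet capture, and the endpoint check should be treated as the most perishable indicator: the IP and port are trivial for the operator to change, while the XTC| naming convention is baked into the bot and survives infrastructure moves.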
The first observed exploitation of CVE-2020-8515 occurred on March 31, 2020. Alongside it, several bots were caught attempting to propagate by exploiting CVE-2020-5722. In the CVE-2020-8515 case, the threat actor attempted to download a shell script into the tmp directory and execute it. In the CVE-2020-5722 case, the payload simply downloads an ARMv7 (arm7) binary and executes it.