Gucci botnet infects IoT devices in Europe

Written by Valdis Koks

Researchers at SecNiche Security Labs have discovered a previously undocumented botnet, dubbed Gucci, that infects IoT devices and uses them to conduct DDoS attacks.

According to the researchers, the authors of the malware on which the botnet is built are still actively refining it.

The malware can conduct both targeted and indiscriminate attacks, and ships builds for several device architectures, including ARM, x86, MIPS, PPC and M68K.

“Called Gucci, the same as the Italian luxury brand of fashion and leather goods, the botnet appears to be new and previously undocumented,” said security researchers Aditya K. Sood and Rohit Bansal.

Each bot communicates with its command-and-control (C&C) server over TCP port 5555, which runs a Telnet service. The attackers obfuscated the code to make Gucci harder to analyze, and stripped the binaries of debug symbols, which both reduces their size and removes symbol names that would help a reverse engineer.
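The one concrete network indicator the article gives is a long-lived TCP session from an IoT device to an outside host on port 5555. The following script is an added example written for this page, not code from the article or from SecNiche: it scans connection records in a Zeek conn.log-like layout (a constructed subset of the real fields, tab-separated) and flags internal hosts that open TCP/5555 sessions to addresses outside the configured internal networks. The log lines and the 192.168.0.0/16 and 10.0.0.0/8 "internal" ranges are assumptions for the example; adjust them to the segment your IoT devices actually live on.

```python
"""Flag internal hosts holding TCP/5555 sessions with external addresses, the C&C
channel described for the Gucci bot. Added example for this page; the records
below are constructed, not captured traffic, and mimic a subset of Zeek's conn.log
columns (tab-separated)."""

import ipaddress
from collections import defaultdict

CNC_PORT = 5555  # port reported for Gucci's Telnet-based C&C channel

# Assumed internal ranges; scope these to your IoT segment in practice.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records (not real traffic). 203.0.113.x / 198.51.100.x
# are documentation addresses standing in for external hosts.
SAMPLE_CONN_LOG = """\
1569000001.100\tC1\t192.168.1.20\t41022\t203.0.113.10\t5555\ttcp\t-\t3600.0\t120\t4096\tSF
1569000002.200\tC2\t192.168.1.21\t51044\t198.51.100.5\t443\ttcp\tssl\t12.0\t900\t15000\tSF
1569000003.300\tC3\t192.168.1.20\t41023\t203.0.113.10\t5555\ttcp\t-\t0.5\t0\t0\tS0
1569000004.400\tC4\t192.168.1.30\t5555\t192.168.1.31\t5555\ttcp\t-\t5.0\t200\t200\tSF
1569000005.500\tC5\t192.168.1.22\t38822\t203.0.113.10\t5555\tudp\t-\t1.0\t60\t0\tSF
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "duration", "orig_bytes", "resp_bytes", "conn_state"]


def parse_conn_log(text):
    """Parse tab-separated records into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["duration"] = float(rec["duration"]) if rec["duration"] != "-" else 0.0
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_cnc_candidates(records, port=CNC_PORT):
    """Return {internal_host: [(resp_h, conn_state, duration), ...]} for TCP sessions
    from an internal host to an external host on `port`. UDP and internal-only
    traffic are ignored: ADB over TCP also listens on 5555, so hits between two
    internal hosts are a common benign source and need separate handling."""
    hits = defaultdict(list)
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] != port:
            continue
        if not is_internal(r["orig_h"]) or is_internal(r["resp_h"]):
            continue
        hits[r["orig_h"]].append((r["resp_h"], r["conn_state"], r["duration"]))
    return dict(hits)


def summarize(hits):
    """One line per flagged host, counting fully established (SF) sessions separately
    from attempts that never completed (e.g. S0), since a live C&C channel is SF."""
    lines = []
    for host, sessions in sorted(hits.items()):
        established = sum(1 for _, state, _ in sessions if state == "SF")
        servers = sorted({s for s, _, _ in sessions})
        lines.append(f"{host}: {len(sessions)} session(s) to {', '.join(servers)}"
                     f" on tcp/{CNC_PORT}, {established} established")
    return lines


if __name__ == "__main__":
    for line in summarize(find_cnc_candidates(parse_conn_log(SAMPLE_CONN_LOG))):
        print(line)
```

On the sample data only 192.168.1.20 is flagged: its two sessions to 203.0.113.10 include one established hour-long connection, which is the pattern to investigate. The internal-to-internal 5555 record and the UDP record are deliberately left out; a port-only match would otherwise drown the signal in ADB-over-TCP noise on networks with Android-based devices.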

The researchers traced the source of infection to a server in the Netherlands. When they tried to connect to the command host, it prompted for credentials. They were able to get past the login and gained access to the control panel. Soon afterwards the malware operators noticed the intrusion, shut down the Telnet service and tried to erase the traces of their activity.

This did not stop the researchers from learning more about Gucci's capabilities. The botnet can launch several kinds of DDoS attacks, including UDP floods and SYN floods. At present its targets are concentrated in European countries.

“The botnet operator was found to be very proactive. The whole analysis and obtaining C&C access was like an arms race. At the moment, the botnet seems to be in its early stages of development and it appears to be targeting the European continent,” the researchers note.

Gucci joins a considerable list of malicious bots observed in campaigns in recent months.

In September, researchers found that the Smominru cryptojacker, known since 2017, was infecting several thousand devices a day, and that Emotet had resumed attacks after a three-month break. Earlier, a new Echobot update was reported that brought the number of exploits it uses to more than 60.


In some cases, law enforcement agencies do manage to prosecute the operators of such malware. In March, for example, a 20-year-old was tried in the Netherlands for using a Mirai-based botnet to conduct DDoS attacks; he explained his actions by a lack of pocket money.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
