A previously unknown cybercrime syndicate named 'Bigpanzi' has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015.
Beijing-based Qianxin Xlabs reports that the threat group controls a large-scale botnet of approximately 170,000 daily active bots.
The researchers have seen 1.3 million unique IP addresses associated with the botnet since August, most in Brazil.
Bigpanzi infects the devices via firmware updates or backdoored apps the users are tricked into installing themselves, as highlighted in a September 2023 report by Dr. Web.
The cybercriminals monetize these infections by turning the devices into nodes for illegal media streaming platforms, traffic proxying networks, distributed denial of service swarms, and OTT content provision.
Xlabs' report focuses on 'pandoraspear' and 'pcdn,' two malware tools used by Bigpanzi in their operations.
Pandoraspear acts as a backdoor trojan, hijacking DNS settings, establishing command and control communication, and executing commands received from the C2 server.
The malware supports a variety of commands that allow it to manipulate DNS settings, initiate DDoS attacks, update itself, create reverse shells, manage its communication with the C2, and execute arbitrary OS commands.
Pandoraspear uses evasion techniques such as a modified UPX packer, dynamic linking, OLLVM-obfuscated compilation, and anti-debugging checks to hinder detection and analysis.
Pcdn is used to build a peer-to-peer Content Distribution Network on infected devices and possesses DDoS capabilities to weaponize devices.
Xlabs gained insight into the botnet's scale after hijacking two C2 domains used by the attackers and conducting a seven-day observation.
The analysts report that the Bigpanzi botnet has 170,000 daily bots at peak times and has observed over 1.3 million distinct IPs since August.
Because the compromised TV boxes are not all online at the same time, and because the analysts' visibility is limited, the botnet is inevitably larger than these figures show.
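Xlabs' sizing method, reproduced here as an added Python example (not Xlabs' or BleepingComputer's code; the beacon log format and the addresses are constructed), shows how peak daily-active bots and cumulative distinct IPs are derived from sinkholed C2 traffic, and why the second figure exceeds the first:

```python
"""Sinkhole beacon log analysis (added example; not Xlabs' code).

Xlabs sized Bigpanzi by taking over two C2 domains and recording which
IPs checked in over seven days. This script computes the two metrics
they report, peak daily-active bots and cumulative distinct IPs, over a
constructed log, and shows why the cumulative count exceeds the peak DAU:
not every infected box is online every day.
"""
from collections import defaultdict
from datetime import datetime

# Constructed beacon records: "<ISO timestamp> <source IP> <country>".
# Format and values are assumptions for this example, not Xlabs' data.
SAMPLE_LOG = """\
2023-09-01T00:12:03Z 203.0.113.10 BR
2023-09-01T03:45:19Z 203.0.113.11 BR
2023-09-01T08:00:00Z 198.51.100.7 US
2023-09-01T21:30:44Z 203.0.113.10 BR
2023-09-02T01:05:00Z 203.0.113.12 BR
2023-09-02T02:05:00Z 203.0.113.13 AR
2023-09-02T11:59:59Z 203.0.113.11 BR
2023-09-03T04:00:00Z 198.51.100.7 US
2023-09-03T05:00:00Z 203.0.113.14 BR
2023-09-03T06:00:00Z 203.0.113.15 BR
2023-09-03T07:00:00Z 203.0.113.16 BR
"""

def parse_beacons(text):
    """Yield (date, ip, country) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        yield day, parts[1], parts[2]

def sinkhole_stats(text):
    """Return per-day active IPs, the peak day, cumulative distinct IPs, and a country breakdown."""
    per_day = defaultdict(set)
    all_ips = {}
    for day, ip, cc in parse_beacons(text):
        per_day[day].add(ip)   # a bot seen twice in one day counts once
        all_ips[ip] = cc
    daily = {d.isoformat(): len(s) for d, s in sorted(per_day.items())}
    peak_day, peak_dau = max(daily.items(), key=lambda kv: kv[1])
    by_country = defaultdict(int)
    for cc in all_ips.values():
        by_country[cc] += 1
    return {"daily_active": daily, "peak_day": peak_day, "peak_dau": peak_dau,
            "distinct_ips": len(all_ips), "by_country": dict(by_country)}
```

On the constructed log the peak day shows 4 active bots while 8 distinct IPs were seen in total, the same gap the researchers observed between 170,000 daily bots and 1.3 million IPs.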
Artifacts in the analyzed pcdn sample have led the Chinese researchers to a suspicious YouTube channel controlled by a company.
The Xlabs report has not disclosed any attribution details yet, presumably reserving those for the applicable law enforcement authorities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 17 Jan 2024 18:55:13 +0000