
Evasive Masjesu DDoS Botnet Targets IoT Devices

Focused on persistence, the botnet does not engage in widespread infection and avoids blacklisted IPs and critical infrastructure entities.


Aggregated from SecurityWeek


Trellix has analyzed the inner workings of Masjesu, a botnet built for distributed denial-of-service (DDoS) attacks that has infected a variety of IoT devices.

Masjesu has been active since at least 2023, with its operator mainly advertising it on Telegram as capable of launching DDoS attacks of hundreds of gigabytes in magnitude.

The operator’s posts target both Chinese and English-speaking users, “suggesting that their services continue to target both Chinese and US customers,” Trellix says.

Currently, the operator’s Telegram channel has over 400 subscribers, but the botnet’s userbase appears larger, as an initial channel promoting the botnet was closed by the platform for policy violations.

Most of the devices ensnared by Masjesu are in Vietnam, an analysis of attack source countries shows. However, the botnet has also infected numerous devices in Brazil, India, Iran, Kenya, and Ukraine.

“The data strongly suggests a distributed attack originating from multiple ASNs. This indicates the involvement of various networks, rather than the botnet being exclusively hosted on a single Virtual Private Server (VPS) provider,” Trellix notes.


Recently analyzed Masjesu samples show it can target multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64.

The botnet spreads through vulnerabilities in D-Link routers, GPON routers, Huawei home gateways, MVPower DVRs, Netgear routers, UPnP services, and other IoT devices.

On infected devices, the malware binds a listening socket on a hardcoded TCP port to give the operators remote access, and hardens itself against removal to stay persistent.

The malware stores sensitive strings – including command-and-control (C&C) domains, ports, folder names, and process names – encrypted in a lookup table and decrypts them at runtime.

To achieve persistence, Masjesu first forks a new process and renames its original executable so that its path mimics that of the legitimate Linux dynamic linker.

It then creates a cron job to run the renamed executable every 15 minutes, converts the process into a background daemon, and renames it to appear as a legitimate system component.

The malware also terminates commonly used processes, such as wget and curl, and locks down shared temporary folders, likely to prevent infections from other botnets. To spread, it scans random IP addresses on the internet to find vulnerable devices it can infect.
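The persistence chain described above (a binary renamed to look like the dynamic linker, a cron job re-launching it every 15 minutes, and a daemon whose process name mimics a system component) leaves artifacts a defender can hunt for on a suspect device. The following script is an added illustration, not code from Trellix or from the original article: it runs a few heuristics over crontab lines and a process table. The sample crontab and process list are constructed for this example, and the directory lists, the linker-name pattern and the kernel-thread name prefixes are assumptions about typical Linux layouts rather than details taken from the Masjesu analysis.

```python
"""Hunt for cron- and process-masquerading persistence of the kind described above.

Heuristics (all assumptions, not facts from the Masjesu write-up):
  * a cron job whose program is named like the dynamic linker (ld-linux*, ld-musl*, ld.so)
    but does not live in a system library directory;
  * a cron job whose program lives in a world-writable or volatile directory;
  * a process whose name looks like a kernel thread yet has a userland executable,
    or whose executable has been unlinked or sits in a volatile directory.
"""
import os
import re
from dataclasses import dataclass

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/", "/var/run/")   # assumption
LEGIT_LINKER_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")         # assumption
KERNEL_THREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration/", "rcu_")  # assumption
LINKER_NAME = re.compile(r"^ld(-linux|-musl|-uClibc|\.so)")  # ld-linux-*.so.*, ld-musl-*.so.*, ld.so


@dataclass
class CronEntry:
    minute: str
    hour: str
    dom: str
    mon: str
    dow: str
    command: str

    @property
    def program(self) -> str:
        """First token of the command that is not a FOO=bar environment assignment."""
        for tok in self.command.split():
            if "=" not in tok:
                return tok
        return ""


def parse_crontab(text: str) -> list[CronEntry]:
    """Parse five-field crontab lines; comments, env lines and @reboot-style lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append(CronEntry(*parts))
    return entries


def runs_every_15_minutes(minute: str) -> bool:
    return minute == "*/15" or set(minute.split(",")) == {"0", "15", "30", "45"}


def looks_like_linker(path: str) -> bool:
    return bool(LINKER_NAME.match(os.path.basename(path)))


def path_reasons(path: str) -> list[str]:
    """Reasons a program path is suspicious, shared by the cron and process checks."""
    reasons = []
    if looks_like_linker(path) and not path.startswith(LEGIT_LINKER_DIRS):
        reasons.append("dynamic-linker lookalike outside the system library directories")
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append("executable in a world-writable or volatile directory")
    return reasons


def flag_cron_entries(entries: list[CronEntry]) -> list[tuple[str, list[str]]]:
    findings = []
    for e in entries:
        reasons = path_reasons(e.program)
        if reasons and runs_every_15_minutes(e.minute):
            reasons.append("scheduled every 15 minutes")
        if reasons:
            findings.append((e.program, reasons))
    return findings


def flag_processes(procs) -> list[tuple[int, str, str, list[str]]]:
    """procs: iterable of (pid, comm, exe) as read from /proc/<pid>/comm and readlink /proc/<pid>/exe."""
    findings = []
    for pid, comm, exe in procs:
        reasons = []
        if comm.startswith(KERNEL_THREAD_PREFIXES) and exe:
            reasons.append("kernel-thread name on a process that has a userland executable")
        if exe.endswith(" (deleted)"):
            reasons.append("executable unlinked from disk")
        reasons += path_reasons(exe.removesuffix(" (deleted)"))
        if reasons:
            findings.append((pid, comm, exe, reasons))
    return findings


def live_processes():
    """Read (pid, comm, exe) from a live /proc; kernel threads yield an empty exe."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
            yield int(pid), comm, exe
        except OSError:
            continue  # process exited or access denied


# Constructed sample data, not observed from a real infection.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /tmp/.x/ld-linux-armhf.so.3 >/dev/null 2>&1
*/5 * * * * /usr/lib/sa/sa1 1 1
"""
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (2, "kthreadd", ""),
    (731, "sshd", "/usr/sbin/sshd"),
    (1337, "kworker/0:1", "/tmp/.x/ld-linux-armhf.so.3"),
    (1402, "ld-linux-x86-64", "/lib64/ld-linux-x86-64.so.2"),
]

if __name__ == "__main__":
    for prog, why in flag_cron_entries(parse_crontab(SAMPLE_CRONTAB)):
        print(f"cron  {prog}: {'; '.join(why)}")
    for pid, comm, exe, why in flag_processes(SAMPLE_PROCS):
        print(f"proc  {pid} {comm} ({exe}): {'; '.join(why)}")
```

Run on a live box by feeding `crontab -l` (and the files under /etc/cron.d, /var/spool/cron) into `parse_crontab` and `live_processes()` into `flag_processes`. The schedule check is deliberately only corroborating: a 15-minute cron job is common, so it raises a finding only when the program path already looks wrong, and a legitimate invocation of the real linker from /lib64 is not flagged.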

Masjesu uses multiple C&C domains and fallback IPs, configures a 60-second receive timeout on the socket connection to the C&C, and decrypts received data client-side.

Based on the data received from the server, the botnet can launch various types of DDoS attacks, including UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, TCP_SYN, TCP-ACK, TCP-ACKPSH, and HTTP floods.


