HEH is an IoT P2P botnet written in the Go language that wipes data from infected systems. It has been active since October 2020 and has been seen targeting routers, servers, and IoT devices. It can also infect weakly secured infrastructure such as exposed Telnet ports, Windows systems, etc.; however, it only runs on *NIX platforms.
Modus operandi
- The botnet spreads by launching brute-force attacks against exposed SSH ports (23 and 2323).
- The compromised device then downloads one of seven binaries that install the HEH malware, which has builds for the x86 (32/64-bit), ARM (32/64-bit), MIPS (MIPS32/MIPS-III), and PPC CPU architectures.
- Its main function lets attackers run shell commands on the compromised device. This keeps devices infected and directs them to perform SSH brute-force attacks across the internet, amplifying the botnet's attack intensity.
- Another feature allows it to wipe data, but it has no ability to launch DDoS attacks, install crypto-miners, or run proxies that relay traffic for threat actors.
Impact
Technical Impact
- Unauthorized access to filesystem and operating system functionality.
- Confidentiality of data is lost, since the script issues commands that delete the data.
Business Impact
- Compromise of user information leads to loss of trust and reputation.
- If data recovery is not possible, it could result in financial loss.
Mitigation
- Regular monitoring of logs.
- Checking the privileges and permissions granted to users.
- Using firewalls to filter traffic.
- Securing exposed ports with complex passwords.
- Using antivirus software.
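Two of the mitigations above, log monitoring and traffic filtering, can be turned into concrete detections. The following added example (my own code, not from the original report or any HEH analysis) runs over constructed log lines and flags both external sources brute-forcing ports 23/2323 and internal hosts that have started scanning those ports themselves, as a HEH victim does; the log formats, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real capture): failed logins
# from a Telnet-style daemon plus a firewall's outbound-connection records.
# HEH brute-forces 23/2323 and turns each victim into a scanner, so both
# the inbound and the outbound view matter to a defender.
SAMPLE_LOG = """\
2020-10-08T10:00:01 telnetd[412]: login failed for root from 198.51.100.7 port 23
2020-10-08T10:00:02 telnetd[412]: login failed for admin from 198.51.100.7 port 23
2020-10-08T10:00:03 telnetd[412]: login failed for root from 198.51.100.7 port 2323
2020-10-08T10:00:04 telnetd[412]: login failed for user from 198.51.100.7 port 23
2020-10-08T10:00:05 telnetd[412]: login failed for root from 198.51.100.7 port 23
2020-10-08T10:00:20 telnetd[412]: login failed for root from 203.0.113.9 port 23
2020-10-08T10:05:00 fw: OUT src=192.168.1.20 dst=203.0.113.50 dport=2323
2020-10-08T10:05:01 fw: OUT src=192.168.1.20 dst=203.0.113.51 dport=23
2020-10-08T10:05:02 fw: OUT src=192.168.1.20 dst=203.0.113.52 dport=23
2020-10-08T10:05:03 fw: OUT src=192.168.1.30 dst=203.0.113.53 dport=443
"""

FAIL_RE = re.compile(r"^(\S+) .*login failed for \S+ from (\S+) port (23|2323)$")
OUT_RE = re.compile(r"^(\S+) fw: OUT src=(\S+) dst=(\S+) dport=(23|2323)$")

def find_bruteforce_sources(log, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs with >= threshold failed logins inside one window."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            attempts[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = set()
    for src, times in attempts.items():
        times.sort()
        # sliding window: compare each attempt with the one (threshold-1) before it
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(src)
                break
    return flagged

def find_scanning_hosts(log, min_targets=3):
    """Return internal hosts reaching >= min_targets distinct peers on 23/2323
    (a victim running HEH's own brute-force module behaves this way)."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = OUT_RE.match(line)
        if m:
            targets[m.group(2)].add(m.group(3))
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Sources returned by the first function are candidates for firewall blocking; hosts returned by the second are the ones to isolate and inspect for the binaries described above.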
Indicators of Compromise (IOCs)
Filename
- wpqnbw[.]txt
Domains
- pomf[.]cat