HEH is an IoT P2P botnet written in GO language that wipes data from infected systems. This botnet has been active since October 2020 and has been spotted targeting routers, servers, and IoT devices. It can also infect weakly-secured infrastructure such as Telnet ports, Windows systems, etc. However, it only works on NIX platforms.
- The botnet is disseminated by launching brute-force attacks on exposed SSH ports (23 and 2323).
- The device then downloads one of seven binaries that install the HEH malware which can further be executed on CPU architectures x86(32/64), ARM (32/64), MIPS(MIPS32/MIPS-III), and PPC.
- Its main function allows attackers to run Shell commands on the compromised device. This ensures devices stay infected and controls them to perform SSH brute-force attacks across the internet to amplify the botnet attack intensity.
- Another feature allows it to wipe data, but it doesn’t have the ability to launch DDoS attacks, install crypto-miners, or code to run proxies and relay traffic for threat actors.
- Unauthorized access to filesystem and operating system functionalities.
- Confidentiality of data is lost as script commands to delete the data.
- Compromising of users information leads to loss of trust and reputation.
- If data recovery is not possible, it could result in financial loss.
- Regular monitoring of logs.
- Checking privileges and permissions allotted to users.
- Using firewalls for filtering traffic.
- Securing ports with complex passwords.
- Using antivirus software.
Indicators of Compromise (IOCs)