Pink botnet was discovered with more than 1.6 million devices infected

Pink Botnet

Cybersecurity researchers from Netlab 360 disclosed details of what they say is the “largest botnet” discovered in the last six years, infecting over 1.6 million devices, mostly located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users.

Mainly targeting MIPS-based fiber routers, the botnet leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for its bots to controller communications, not to mention completely encrypting the transmission channels to prevent the victimized devices from being taken over.

The name comes as the sample analyzed contained a large number of function names starting with “pink”, so the discovery team decided to name it pink botnet. The researchers said that Pink code raced with the vendor to retain control over the infected devices, while vendor made repeated attempts to fix the problem, the bot master noticed the vendor’s action also in real time, and made multiple firmware updates on the fiber routers correspondingly.

Pink has also been found adopting DNS-Over-HTTPS (DOH), a protocol used for performing remote Domain Name System resolution via the HTTPS protocol, to connect to the controller specified in a configuration file that’s either delivered either via GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.

pink botnet distribution github

More than 96% of the zombie nodes part of the “super-large-scale bot network” were located in China, with the threat actor breaking into the devices to install malicious programs by taking advantage of zero-day vulnerabilities in the network gateway devices. Although a significant chunk of the infected devices has since been repaired and restored to their previous state as of July 2020, the botnet is still said to be active, comprising about 100,000 nodes.

With nearly 100 DDoS attacks having been launched by the botnet to date, the findings are yet another indication as to how botnets can offer a powerful infrastructure for bad actors to mount a variety of intrusions. “Internet of Things devices have become an important goal for black production organizations and even advanced persistent threats (APT) organizations,” NSFOCUS researchers said. “Although Pink is the largest botnet ever discovered, it will never be the last one.”

More info:

Pink, a botnet that competed with the vendor to control the massive infected devices