Trellix has conducted an in-depth analysis of the Masjesu botnet, a network designed for executing distributed denial-of-service (DDoS) attacks, which has compromised various Internet of Things (IoT) devices.
Masjesu’s Operations and Reach
Active since at least 2023, Masjesu’s operator markets the botnet on Telegram, promoting its capability to execute DDoS attacks with bandwidths reaching several hundred gigabytes. The operator’s messages cater to both Chinese and English-speaking audiences, indicating that their services are intended for users in both China and the United States, according to Trellix.
Although the Telegram channel associated with the botnet currently boasts over 400 subscribers, the actual user base may be more extensive. An earlier channel endorsing the botnet was shut down due to policy breaches.
Global Impact and Infection Spread
Masjesu predominantly targets devices in Vietnam, yet its reach extends to Brazil, India, Iran, Kenya, and Ukraine. Trellix’s data underscores a decentralized attack pattern involving multiple autonomous systems, rather than a single virtual private server hosting the botnet.
The malware has been found to affect multiple device architectures, such as i386, MIPS, ARM, SPARC, PPC, 68K, and AMD64. It utilizes vulnerabilities present in D-Link routers, GPON routers, Huawei home gateways, MVPower DVRs, Netgear routers, UPnP services, and other IoT devices to propagate.
Technical Functionality and Security Concerns
On compromised devices, the malware opens a listening socket on a preset TCP port, giving the operators remote access, and takes steps to persist. It stores critical strings, including command-and-control domain names, ports, and process names, in encrypted form and decrypts them at runtime.
Masjesu persists by creating a cron job that runs its renamed executable every 15 minutes, so the malware runs as a background process disguised as a legitimate system component. It also disables common utilities such as wget and curl to prevent interference from rival malware, and it scans the internet for further vulnerable targets.
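The persistence pattern described above (a cron entry on a 15-minute schedule launching a renamed binary that mimics a system component) is something a defender can hunt for directly. The script below is an added example written for this article, not code from Trellix or from the malware: it parses crontab text, flags entries whose executable lives in a scratch directory, is hidden with a leading dot, or carries the name of a well-known system daemon outside the usual system paths, and notes when the schedule is the 15-minute interval the report describes. The sample crontab, the directory list and the look-alike names are constructed assumptions for the demonstration, not indicators taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample crontab (not from the Trellix report). Lines 3, 4 and 6
# imitate the persistence pattern described in the article; the rest are benign.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /tmp/.x/systemd-resolved >/dev/null 2>&1
*/15 * * * * /var/tmp/kworker -d
*/5 * * * * /usr/local/bin/backup.sh
@reboot /dev/shm/.sshd
"""

# Assumed: scratch directories where a persistent daemon has no business living.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Assumed: names of legitimate system components a renamed binary might imitate.
SYSTEM_LOOKALIKES = {"systemd-resolved", "kworker", "sshd", "kthreadd", "cron", "dbus-daemon"}

# Paths where those names are expected to appear legitimately.
SYSTEM_PATHS = ("/usr/", "/lib/", "/bin/", "/sbin/")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: List[str]


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one crontab line into (schedule, command); None for comments/blank/unparseable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @daily, ... have a single schedule token
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)  # five schedule fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def interval_minutes(schedule: str) -> Optional[int]:
    """Return N for a '*/N * * * *' schedule, else None."""
    m = re.match(r"^\*/(\d+) \* \* \* \*$", schedule)
    return int(m.group(1)) if m else None


def assess(schedule: str, command: str) -> List[str]:
    """Return the reasons an entry looks like a disguised persistence job."""
    reasons = []
    exe = command.split()[0]
    base = exe.rsplit("/", 1)[-1].lstrip(".")  # strip a hiding dot for the name check
    if interval_minutes(schedule) == 15:
        reasons.append("runs every 15 minutes")
    if exe.startswith(SUSPICIOUS_DIRS) or "/." in exe:
        reasons.append(f"executable in suspicious or hidden path: {exe}")
    if base in SYSTEM_LOOKALIKES and not exe.startswith(SYSTEM_PATHS):
        reasons.append(f"name mimics a system component: {base}")
    return reasons


def scan_crontab(text: str) -> List[Finding]:
    """Report entries with at least one path or name indicator; the interval alone is only context."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = assess(schedule, command)
        strong = [r for r in reasons if not r.startswith("runs every")]
        if strong:
            findings.append(Finding(line_no, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host the same function can be fed the output of `crontab -l` for each user plus the contents of /etc/crontab and /etc/cron.d; the 15-minute interval is deliberately not enough on its own to raise a finding, since many legitimate jobs use it, but it is recorded so an analyst sees the full pattern when a path or name indicator does fire.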
The botnet uses multiple command-and-control domains with fallback IP addresses, applying a 60-second timeout to its communications. It can launch a range of DDoS attacks, including UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, TCP_SYN, TCP-ACK, TCP-ACKPSH, and HTTP floods.
As cybersecurity threats evolve, understanding the mechanisms and impacts of botnets like Masjesu remains crucial for developing effective defenses and safeguarding IoT ecosystems.
