In a recent revelation, cybersecurity experts have unveiled the Masjesu botnet, a sophisticated tool used for orchestrating distributed denial-of-service (DDoS) attacks. This botnet, which emerged in 2023, has been actively promoted as a DDoS-for-hire service on platforms like Telegram, targeting various Internet of Things (IoT) devices including routers and gateways.
Origins and Characteristics of Masjesu Botnet
Masjesu is engineered for stealth and endurance, prioritizing covert operations over massive infections. It carefully avoids IP ranges associated with critical entities like the Department of Defense to prolong its lifespan. Known alternatively as XorBot, it employs XOR-based encryption to obscure its operations, as reported by Trellix security researcher Mohideen Abdul Khader F.
The botnet was initially documented by NSFOCUS, a Chinese security firm, in late 2023, linking it to the alias ‘synmaestro.’ Since then, Masjesu has evolved, incorporating numerous exploits to compromise devices such as routers and cameras from major brands like D-Link, Huawei, and NETGEAR.
Expansion and Recruitment Strategies
Masjesu’s growth is notable, with controllers increasingly leveraging social media for recruitment and marketing purposes. The botnet’s operators use platforms like Telegram to attract potential clients, establishing a solid base for future expansion. This strategy has significantly contributed to its widespread adoption and the continuous addition of new IoT devices under its control.
Recent insights from Trellix highlight Masjesu’s capability to perform volumetric DDoS attacks. This capability rests on the size of its botnet infrastructure, which makes it an effective tool for targeting content delivery networks, gaming servers, and enterprise systems.
Operational Tactics and Global Reach
Masjesu predominantly operates from countries such as Vietnam, Ukraine, and Iran, with Vietnam alone responsible for about 50% of its activities. After infiltrating a device, the malware attempts to open a connection on a hard-coded TCP port. If that connection fails, the malware terminates immediately. Otherwise, it establishes persistence, kills competing processes, and contacts external command-and-control servers to receive attack commands.
Furthermore, Masjesu is self-propagating, scanning random IP addresses for vulnerabilities and integrating compromised devices into its network. It has recently added Realtek routers to its exploitation targets, mimicking strategies used by other botnets like JenX and Satori.
The Masjesu botnet continues to expand its influence, infiltrating a diverse array of IoT devices across different manufacturers. By deliberately avoiding high-profile targets, it minimizes legal scrutiny, enhancing its long-term viability. As cybersecurity threats evolve, understanding and mitigating the risks associated with botnets like Masjesu is crucial for protecting global digital infrastructure.
