A new and growing botnet called Reaper or Troop (detected by Trend Micro as ELF_IOTREAPER.A) has been found currently affecting more than one million organizations. According to the security researchers from Check Point and Qihoo 360 Netlab, the botnet they discovered is more sophisticated and potentially more damaging than Mirai. Reaper actually uses some of the code from the Mirai malware but uses a different method for compromising devices.
Mirai generally scanned open ports or took advantage of unsecured devices with default or weak passwords. Reaper is more aggressive, using exploits to take over devices and enlist these with their command and control server. Reports note that there are already millions of devices just on standby, waiting to be processed by Reaper’s C&C servers.
Reaper uses a combination of nine attacks targeting known Internet of Things (IoT) vulnerabilities. These attacks affect many popular router brands as well as IP cameras, Network Attached Storage devices, and servers.
So far the Reaper botnet hasn’t been used to launch a DDoS attack, as Mirai famously did last year. But Reaper is capable of more complex attacks. It integrates a LUA (a lightweight programming language typically used for embedded systems) execution environment in the malware. This allows the operator to deliver code modules for tasks such as DDoS, traffic proxying or other attacks. The report notes that the botnet is not particularly aggressive, but it could quickly change and potentially cause damage on an even larger scale than Mirai.
Source: Trend Micro