Known as Hide 'N Seek, the botnet is built partly out of source code from the better-known Mirai botnet and gets some ideas from it, according to Fortinet's FortiGuard Lion Team researchers Rommel Joven, Kenny Yang and David Maciejak.
The exploits were added at different points in time, the trio said; HNS was first spotted in January this year.
Some of their findings were:
- The first HNS sample only used two exploits.
- From April onwards, HNS has been gradually adding exploits to its arsenal one at a time. Its authors make sure a released version is stable before embedding more exploits.
- Each time a new exploit is added, the XOR key for the configuration table is also changed.
- The most recently added exploit targets the HomeMatic Zentrale CCU2 RCE.
- HNS implemented the Apache CouchDB RCE and HomeMatic Zentrale CCU2 RCE exploits less than a week after their proofs of concept were published.
- The latest HNS sample uses nine exploits.
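The researchers note that the configuration table's XOR key changes with every exploit added, which is why a decoder written for one sample stops working on the next. The script below is an added example (not Fortinet's code and not taken from HNS) showing why a changing single-byte key is only a minor obstacle: it assumes a Mirai-style table, where the public Mirai source XORs each byte of its 32-bit key into every value byte in turn, which collapses to one effective key byte (0xDEADBEEF becomes 0x22). Whether HNS uses exactly that scheme is not stated on the page, so the table layout, the second key 0x5A, and the sample strings are all constructed for illustration; the `/bin/busybox` marker is assumed as a known plaintext that such tables commonly carry.

```python
"""Recover a per-version single-byte XOR key for a Mirai-style config table.

Added example: the table layout and sample values are constructed, and the
assumption that HNS reuses Mirai's byte-wise XOR scheme is not confirmed
by the source article.
"""
import string
from typing import List, Optional

# Bytes we expect in a decoded table of C strings (NUL is handled separately).
PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def mirai_effective_key(table_key: int) -> int:
    """Reduce a 32-bit Mirai table key to the single byte actually applied.

    Mirai's table.c XORs k1, k2, k3 and k4 (the four key bytes) into each
    value byte one after another, so the four bytes fold into one.
    """
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def encode_table(entries: List[bytes], key: int) -> bytes:
    """Serialise entries as NUL-terminated strings and XOR the whole blob.

    Constructed layout for this example: a real binary keeps each value in
    its own length-tagged slot rather than one flat blob.
    """
    plain = b"".join(e + b"\x00" for e in entries)
    return xor_bytes(plain, key)


def decode_table(blob: bytes, key: int) -> List[bytes]:
    """Undo encode_table for a known key."""
    plain = xor_bytes(blob, key)
    return [e for e in plain.split(b"\x00") if e]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like C-string content (printable or NUL)."""
    return sum(1 for b in data if b == 0 or b in PRINTABLE) / len(data)


def recover_key(blob: bytes, marker: Optional[bytes] = None) -> int:
    """Brute-force the 256 possible single-byte keys.

    With a known-plaintext marker, return the first key whose decoding
    contains it (raises ValueError if none does). Without a marker, fall
    back to the key that yields the most printable decoding; that
    heuristic can tie, so a marker is the reliable choice.
    """
    best_key, best_score = -1, -1.0
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if marker is not None:
            if marker in decoded:
                return key
            continue
        score = printable_ratio(decoded)
        if score > best_score:
            best_key, best_score = key, score
    if marker is not None:
        raise ValueError("marker not found under any single-byte XOR key")
    return best_key


# Constructed sample: the same strings obfuscated under two "versions" of
# the table key, mirroring the key change the researchers observed.
SAMPLE_ENTRIES = [b"/bin/busybox", b"applet not found", b"/dev/watchdog", b"listening tun0"]
V1_KEY = mirai_effective_key(0xDEADBEEF)  # Mirai's public default, folds to 0x22
V2_KEY = 0x5A                              # hypothetical key for a later build
V1_BLOB = encode_table(SAMPLE_ENTRIES, V1_KEY)
V2_BLOB = encode_table(SAMPLE_ENTRIES, V2_KEY)

if __name__ == "__main__":
    for name, blob in (("v1", V1_BLOB), ("v2", V2_BLOB)):
        key = recover_key(blob, b"/bin/busybox")
        print(name, hex(key), decode_table(blob, key))
```

Because the key is only one byte, an analyst can re-derive it for every new sample in well under a millisecond; the changing key mainly breaks static string signatures, not analysis. If a future build switched to a multi-byte or per-entry key, the marker search would need to be extended to a sliding known-plaintext attack rather than the flat 256-key loop shown here.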
The exploit summary for HNS.
"The targeted device is the HomeMatic Zentrale CCU2. This is the central element of the HomeMatic system that provides a wide range of control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house."
They said with this new understanding of the malware's workings, they expected the next iterations to include more functionality and also target more exploits.
Graphic: courtesy Fortinet