An IoT botnet called Hide N’ Seek that was originally unleashed on routers, IP cameras, and digital video recorders has now expanded its horizon to include cross-platform database solutions and smart home devices, according to Fortinet cybersecurity experts Rommel Joven, Kenny Yang, and David Maciejak.
The Fortinet researchers attribute the botnet's improved capabilities to the public availability of the Mirai malware's source code, which both inspired the hackers who built Hide N' Seek and let them lift portions of the Mirai code directly into their own botnet.
While the original version of the botnet, detected in January 2018, used only two exploits, by March 2018 it was changing its XOR keys almost every week, which prevented its configuration table from being deciphered. By April 2018 the botnet was being packed with UPX (Ultimate Packer for Executables), an open source executable packer that supports file formats from several operating systems.
The botnet was also observed to be persistent: it cannot be removed simply by rebooting the infected machine. The hackers behind it are cautious and deliberate, making sure each new iteration is stable before adding more exploits, and the Fortinet researchers found that the XOR key for the configuration table is changed every time a new exploit is added.
The latest exploits added to the botnet are a remote code execution in the HomeMatic Zentrale CCU2, for which a proof-of-concept had been published, and a remote code execution in Apache CouchDB. The HomeMatic Zentrale CCU2 is the central element of smart home systems developed by the German conglomerate eQ-3.
Since it was originally released, the Hide N’ Seek botnet has undergone eight revisions and currently has nine exploits.