Security News > 2021 > March > New ZHtrap botnet malware deploys honeypots to find more targets
A new botnet is hunting down and transforming infected routers, DVRs, and UPnP network devices into honeypots that help it find other targets to infect.
Once it takes over a device, it prevents other malware from re-infecting its bots with the help of a whitelist that only allows already running system processes, blocking all attempts to run new commands.
ZHtrap bots use a Tor command-and-control server to communicate with other botnet nodes and a Tor proxy to conceal malicious traffic.
The botnet's main capabilities include DDoS attacks and scanning for more vulnerable devices to infect.
To propagate, ZHtrap uses exploits targeting four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and a long list of CCTV-DVR devices.
ZHtrap's most interesting feature is how it turns infected devices into honeypots to collect IP addresses of more targets likely vulnerable to its propagation methods or already infected by other malware.