Some Fiberhome routers are being utilized as SSH tunneling proxy nodes

description: When we looked into it further, we realized it is a component of an IoT botnet targeting Fiberhome routers. But it does not do the regular things such as DDoS, cryptojacking, spamming, or information stealing. Its only purpose is to set up the routers as SSH tunneling proxy nodes. Also, unlike typical botnets, which try their best to infect as many victims as they can, this one has pretty much stopped looking for new bots after its active daily bot count reached the low 200s. It seems that the author is satisfied with that number, which probably provides enough proxy capacity for whatever purpose he needs.

IOC Table