IoT botnets are increasingly evading detection as attackers modify malware to hide from analysts, using UPX packing, ELF header changes, and other anti-analysis tricks. The study of 728 IoT samples collected from honeypots over 15 days also shows how attackers rely on C2 servers and open-source tools, with concrete IoCs provided for defenders—Nozomi Networks reports. #Kaiten #Tsunami #UPX #ELF #QEMU #NozomiNetworks #IoT
Keypoints
- IoT devices remain attractive targets due to default credentials and poor maintenance/updating.
- Researchers collected 728 IoT malware samples from honeypots over a 15-day window.
- New evasion techniques include modifying UPX-packaged samples and altering ELF headers to complicate analysis.
- Observed anti-analysis techniques are associated with Kaiten/Tsunami family behavior and protections like overlays and fake headers.
- QEMU user-mode emulation is used to analyze ARM/MIPS IoT malware on x86 hosts, with caveats about altered behavior and potential damage if misused.
- The report provides IoCs (three SHA-256 hashes) and practical defense recommendations (strong passwords, firewalls, antivirus, and monitoring for behavioral changes).
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – Malware modifications keep the file executable while thwarting analysis. “UPX! signatures had been overwritten by 0A 00 00 00 and the entry point was modified to start with a call instruction that pointed to the original entry point code.”
- [T1497] Virtualization/Sandbox Evasion – The researchers run IoT samples under QEMU user-mode emulation on x86 hosts, which can alter sample behavior and requires an isolated analysis environment. “we decided to use QEMU user-mode emulation.”
- [T1203] Exploitation for Client Execution – Exploits vulnerabilities in IoT devices to run malware. “exploiting a variety of vulnerabilities in IoT devices.”
- [T1071] Command and Control – Maintains control of compromised devices via C&C servers. “C&C servers to maintain control of compromised devices.”
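A defender-side triage check suggested by the quoted UPX! overwrite: parse the ELF header, locate the two places the standard UPX ELF layout stores its magic (the l_info record right after the program headers, and the PackHeader 36 bytes before EOF), and flag files where UPX loader text survives but the magic has been replaced. This is an added example, not Nozomi Networks' tooling; the offsets assume the standard UPX layout, and the sample images are constructed in-code rather than taken from real malware.

```python
import struct

UPX_MAGIC = b"UPX!"
STUB_TEXT = b"$Info: This file is packed with the UPX executable packer"  # loader stub text

def program_headers_end(data):
    """Parse the ELF header (32/64-bit, either endianness) and return the offset
    just past the program header table, where UPX stores its l_info record."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, little = data[4] == 2, data[5] == 1
    fmt = ("<" if little else ">") + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    fields = struct.unpack_from(fmt, data, 16)
    e_ehsize, e_phentsize, e_phnum = fields[7], fields[8], fields[9]
    return e_ehsize + e_phentsize * e_phnum

def classify_upx(data):
    """Return (verdict, markers). Assumes the standard UPX ELF layout: l_info
    {checksum, magic, lsize, version, format} right after the program headers,
    and a 32-byte PackHeader plus 4-byte overlay offset closing the file."""
    off = program_headers_end(data)
    markers = {"l_info": bytes(data[off + 4:off + 8]),
               "pack_header": bytes(data[-36:-32])}
    intact = [name for name, magic in markers.items() if magic == UPX_MAGIC]
    if len(intact) == len(markers):
        return "upx-intact", markers
    if intact or STUB_TEXT in data:
        # Loader text or one marker is present but a magic was overwritten:
        # the file still runs, but `upx -d` and magic-based signatures fail.
        return "upx-tampered", markers
    return "no-upx-markers", markers

def build_sample(tamper, overwrite=b"\x0a\x00\x00\x00"):
    """Constructed ELF32 little-endian ARM image laid out like a UPX-packed file.
    Test data only (placeholder fields), not a real packed binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)          # ELFCLASS32, LE
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 40, 1, 0x10000, 52, 0, 0,     # ET_EXEC, EM_ARM
                               52, 32, 2, 0, 0, 0)              # ehsize, phentsize, phnum
    phdrs = bytes(32 * 2)                                         # two placeholder PT_LOADs
    magic = overwrite if tamper else UPX_MAGIC
    l_info = struct.pack("<I", 0) + magic + struct.pack("<HBB", 0, 13, 0)
    body = bytes(64) + STUB_TEXT + bytes(64)                      # stands in for stub + data
    pack_header = magic + bytes(28)                               # magic + remaining fields
    return ehdr + phdrs + l_info + body + pack_header + struct.pack("<I", 0)

if __name__ == "__main__":
    for tamper in (False, True):
        verdict, markers = classify_upx(build_sample(tamper))
        print(verdict, {k: v.hex() for k, v in markers.items()})
```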
Indicators of Compromise
- [SHA-256] IoCs – 5befe5c9e0ca212361cd8f5a7490bcd358d721f2dd8644d70b0f81bbc3e3e307, 8b9bfe8d5d32d7218059fcd24660a15a177a4ee75670cc1af86b357d59903cc7, 9f07137bc6e4d7e58ea0fe22285599fd56d62f61141a2a745e2d6583c332c9a8
Read more: https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2/