Evolution of Hoaxcalls
Over the last several months, Radware researchers have been monitoring the evolution of the Mirai XTC campaign and the development of the Hoaxcalls Botnet.
Read the Complete Alert
Over the last several months, Radware researchers have been monitoring the evolution of the Mirai XTC campaign and the development of the Hoaxcalls Botnet. Hoaxcalls is an IoT variant based off source code from the Tsunami and Gafgyt Botnets. The Hoaxcalls Botnet was first disclosed by Unit 42, Palo Alto Network’s Research Division, on April 3, 2020 and has been seen propagating via CVE-2020-8515 and CVE-2020-5722.
On April 20, 2020, Radware researchers discovered a new variant of the Hoaxcalls Botnet spreading via an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager. The series of vulnerabilities impacting ZyXEL were published in full disclosure by Pierre Kim on March 9, 2020. In addition to a new vector of propagation, the Hoaxcall Botnet also added 16 DDoS attack vectors in the new sample.
On April 3, 2020, Palo Alto Networks research division, Unit42, published a report1 disclosing a new variant of the Gafgyt/Bashlite family, Hoaxcalls. Samples of the Palo Alto Networks report can be found on
URLhaus. This botnet was first observed by Unit 42 on March 31st, 2020 and was given the name Hoaxcalls due to the domain used to host its malware, Hoaxcalls.pw. Note, this domain, now suspended, was registered on November 1st, 2019.
The variant of the Hoaxcalls Botnet seen by Unit 42, was observed propagating through a DrayTek Vigor2960 Remote Code Execution vulnerability in URI ‘cgi-bin/mainfunction.cgi’ (CVE-2020-8515) and a GrandStream Unified Communication remote SQL injection vulnerability through HTTP (CVE-2020-5722). The HTTP exploits performed by the botnet use a common User-Agent header value ‘XTC’.
Unit 42 also noted the nick, ident and user strings for the IRC command and control communications started with ‘XTC|’. One of the strings in the sample included the phrase ‘hubnr and vbrxmr was here’. Other strings included were ‘Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS’ and ‘developed and completed by viktor sanchez. contact me on jabber under firstname.lastname@example.org for botnet services.’ The Unit 42
sample of Hoaxcalls featured three DDoS attack vectors: UDP, DNS and HEX flood.