The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.
First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and DrayTek Vigor routers (CVE-2020-8515).
The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.
Over the past several weeks, a new version of the botnet was observed targeting an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager. The botnet also added 16 new DDoS capabilities to the existing list, Radware’s security researchers say.
A couple of weeks ago, the more potent variant of the botnet was spreading from a single server, but the number of hosting servers now exceeds 75.