Threat Intelligence

Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

Cyber RT · April 9, 2026 · 3 min read

The Masjesu botnet, also known as XorBot, is a stealthy DDoS-for-hire service first identified in 2023. It targets IoT devices like routers and gateways, avoiding critical organizations to ensure longevity. Advertised on Telegram, it uses XOR encryption and has expanded its capabilities with new exploits and modules. Originating mainly from Vietnam, it targets CDNs, game servers, and enterprises, emphasizing persistence and low visibility.

Cybersecurity researchers have uncovered a stealthy botnet named Masjesu, designed specifically for executing distributed denial-of-service (DDoS) attacks. This botnet has been marketed as a DDoS-for-hire service on Telegram since its emergence in 2023. It targets a broad spectrum of Internet of Things (IoT) devices, including routers and gateways, across various architectures. The botnet is built for persistence and low visibility, favoring a cautious approach to execution to ensure long-term survival by avoiding blocklisted IP ranges, such as those belonging to the Department of Defense.

Masjesu, also known as XorBot due to its use of XOR-based encryption, was first documented by the Chinese security vendor NSFOCUS in December 2023. The botnet is linked to an operator named "synmaestro." A later version of the botnet, observed a year after its initial discovery, incorporated 12 different command injection and code execution exploits. These exploits target devices from manufacturers like D-Link, Huawei, and NETGEAR, among others, to gain initial access; the later version also added new modules for conducting DDoS flood attacks.

According to NSFOCUS, XorBot has shown significant growth, continuously infiltrating new IoT devices. The botnet's controllers increasingly use social media platforms like Telegram for recruitment and promotion, attracting customers through active promotional activities. This strategy has laid a strong foundation for the botnet's expansion and development, highlighting its emerging status in the botnet landscape.

Recent findings from Trellix indicate that Masjesu is capable of executing volumetric DDoS attacks, leveraging its diverse botnet infrastructure to target content delivery networks, game servers, and enterprises. The attacks primarily originate from countries such as Vietnam, Ukraine, and India, with Vietnam accounting for nearly half of the observed traffic. This geographic distribution underscores the botnet's extensive reach and operational scope.

Once deployed on a compromised device, Masjesu creates and binds a socket with a hard-coded TCP port to enable direct attacker connections. If this operation fails, the attack chain is terminated immediately. Otherwise, the malware establishes persistence, ignores termination signals, stops commonly used processes like wget and curl, and connects to an external server to receive DDoS attack commands.

Masjesu also features self-propagating capabilities, allowing it to scan random IP addresses for open ports and incorporate successfully compromised devices into its network. A notable addition to its list of targets includes Realtek routers, which it exploits by scanning for a specific port associated with the Realtek SDK's miniigd daemon. This approach has been used by other DDoS botnets such as JenX and Satori in the past.

Trellix notes that Masjesu continues to expand by infecting a wide range of IoT devices across multiple architectures and manufacturers. The botnet strategically avoids targeting sensitive critical organizations that could attract significant legal or law enforcement attention, a tactic that likely enhances its long-term survivability. This careful targeting approach, combined with its robust infrastructure, positions Masjesu as a formidable player in the DDoS-for-hire market.
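The self-propagation behaviour described above (an infected device scanning random IP addresses for one open port) leaves a recognisable fan-out pattern in outbound connection logs: one source, one destination port, many distinct and unrelated destinations in a short window. The following is an added defensive example, not code from the article, Trellix, or NSFOCUS. The log format, the 60-second window, the 20-destination threshold, and the sample lines (including the scanned port 8080) are constructed assumptions for illustration; the article does not name the Realtek port, and the detector does not depend on any particular one.

```python
"""Flag hosts whose outbound connections look like single-port IP scanning.

Added example. Assumes a simple space-separated connection log of the form
"<ISO timestamp> <src_ip> <dst_ip> <dst_port>" (a constructed format);
thresholds are illustrative and should be tuned to the monitored network.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=20):
    """Return {src_ip: (dst_port, distinct_destinations)} for every source
    that reached at least `min_targets` distinct destination IPs on a single
    port within any `window`-long sliding interval.

    Repeated connections to the same few destinations (normal client
    behaviour) do not count; only distinct destinations are tallied, and the
    window keeps a slow, spread-out pattern from accumulating into a hit.
    """
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        events[(src, port)].append((ts, dst))

    flagged = {}
    for (src, port), recs in events.items():
        recs.sort()
        in_window = Counter()  # dst -> number of connections inside the window
        start = 0
        for end in range(len(recs)):
            in_window[recs[end][1]] += 1
            # Slide the window's left edge forward until it spans <= `window`.
            while recs[end][0] - recs[start][0] > window:
                old_dst = recs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= min_targets:
                prev = flagged.get(src)
                if prev is None or len(in_window) > prev[1]:
                    flagged[src] = (port, len(in_window))
    return flagged


def build_sample_log():
    """Constructed sample traffic: one benign host, one scanner-like host,
    and one slow host that touches many IPs but never enough per window."""
    base = datetime(2026, 4, 9, 10, 0, 0)
    lines = []
    # Benign: 10.0.0.5 talks repeatedly to the same three HTTPS services.
    for i in range(10):
        for dst in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 {dst} 443")
    # Scanner-like: 10.0.0.7 hits 30 distinct IPs on one port within 30 s.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 198.51.100.{i + 1} 8080")
    # Slow: 10.0.0.9 hits 25 distinct IPs on the same port, but 150 s apart.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=150 * i)).isoformat()} 10.0.0.9 192.0.2.{i + 1} 8080")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, (port, count) in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"possible scanner: {src} -> {count} distinct hosts on tcp/{port}")
```

Running the block prints only `10.0.0.7`: the benign host never exceeds three distinct destinations and the slow host never fits more than one destination into a 60-second window. In practice the same logic runs over NetFlow or firewall logs, and a hit on an IoT device is a strong reason to inspect it for the persistence and listening-socket behaviour the article describes.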