Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices
The Rise of Masjesu: New Stealthy IoT Botnet Emerges as DDoS-for-Hire Service
TL;DR: Researchers have identified a stealthy new botnet named Masjesu (also known as XorBot). Operating as a DDoS-for-hire service advertised via Telegram, it targets a wide range of IoT devices while using deliberate evasion tactics—such as avoiding U.S. Department of Defense IP ranges—to maintain a low profile and ensure long-term survival.
Cybersecurity researchers have uncovered a sophisticated botnet designed for high-impact Distributed Denial-of-Service (DDoS) attacks. Known as Masjesu, the botnet has been active since 2023, positioning itself as a commercial "DDoS-for-hire" service. Unlike many botnets that aim for maximum infection numbers regardless of the noise they create, Masjesu is built for persistence and tactical invisibility.
Strategic Evasion and Persistence
According to a recent report from Trellix security researcher Mohideen Abdul Khader F, Masjesu prioritizes a "low-key" execution strategy. To ensure it remains under the radar of global law enforcement and major security agencies, the malware is programmed to deliberately avoid blocklisted IP ranges, specifically those belonging to the U.S. Department of Defense (DoD).
By avoiding high-profile targets that could trigger significant legal repercussions, the botnet’s operators—linked to an individual or group known as "synmaestro"—hope to maintain their infrastructure for as long as possible.
Evolution from XorBot
The botnet is also tracked under the moniker XorBot, a name derived from its heavy use of XOR-based encryption to hide its internal strings, configurations, and payload data.
Initially documented by Chinese security firm NSFOCUS in late 2023, the botnet has evolved rapidly. Over the past year, it has integrated at least 12 different command injection and code execution exploits. These exploits target a massive variety of IoT hardware, including routers, cameras, DVRs, and NVRs from major manufacturers such as:
- D-Link, TP-Link, and NETGEAR
- Huawei and Intelbras
- Realtek (specifically targeting port 52869)
- Eir, GPON, MVPower, and Vacron
Technical Workflow: Direct Access and Self-Propagation
Once a device is compromised, Masjesu follows a specific technical chain of command:
- Socket Binding: The malware creates and binds a socket with a hard-coded TCP port (55988). This allows attackers to connect directly to the infected device.
- Self-Termination: If the initial socket binding fails, the malware immediately kills its own process to avoid detection.
- Monopolizing Resources: Upon success, it sets up persistence, ignores termination signals, and kills common processes like wget and curl. This is likely a defensive move to prevent competing botnets from using the same device.
- C2 Communication: The malware connects to an external command-and-control (C2) server to receive DDoS instructions.
- Self-Propagation: The botnet includes a module to scan random IP addresses for open ports, allowing it to automatically spread to new vulnerable devices.
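As an added example, not code from the report or from either research firm, the following Python helper turns the socket-binding behaviour above into a host check: it flags any LISTEN socket on TCP 55988 in ss -ltnp style output (the sample output and process names are constructed) and can test whether that port is already held on the local host, the same condition that the report says makes the bot exit.

```python
"""Added example (not code from the Trellix/NSFOCUS reports): flag the
Masjesu/XorBot hard-coded listener on TCP 55988 from `ss -ltnp` output, and
check whether that port is already bound on the local host."""
import errno
import re
import socket

MASJESU_PORT = 55988  # hard-coded bind port named in the report
# Constructed sample of `ss -ltnp` output; the 55988 line mimics an infected host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:55988       0.0.0.0:*          users:(("busybox",pid=2041,fd=4))
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=930,fd=7))
"""

_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def find_masjesu_listeners(ss_output: str, port: int = MASJESU_PORT) -> list[dict]:
    """Return one finding (addr, process, pid) per LISTEN socket on `port`."""
    findings = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if m and int(m.group("port")) == port:
            findings.append({
                "addr": m.group("addr"),
                "process": m.group("proc") or "unknown",
                "pid": int(m.group("pid")) if m.group("pid") else None,
            })
    return findings


def port_is_bound(port: int = MASJESU_PORT) -> bool:
    """True if another process already holds `port` (bind fails with EADDRINUSE).
    The report says the bot exits when its own bind fails, so the same test
    tells a responder whether something on this host currently owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            return e.errno == errno.EADDRINUSE


if __name__ == "__main__":
    for f in find_masjesu_listeners(SAMPLE_SS_OUTPUT):
        print(f"suspicious listener on TCP {MASJESU_PORT}: {f}")
    print("port currently bound on this host:", port_is_bound())
```

A listener on 55988 is only an indicator; confirm by inspecting the owning process and its network connections before acting on it.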
A Global Threat Originating in Vietnam
Masjesu is currently being marketed via Telegram to "customers" looking to take down content delivery networks (CDNs), game servers, and corporate enterprises.
While its impact is global, researchers have observed that a significant portion of its traffic originates from specific regions. Vietnam accounts for nearly 50% of the observed botnet traffic, followed by:
- Ukraine
- Iran
- Brazil
- Kenya
- India
Conclusion
Masjesu represents a growing trend in the cybercrime-as-a-service (CaaS) ecosystem: the professionalization of botnets. By leveraging social media for recruitment and employing "smart" evasion techniques to avoid the eyes of the law, Masjesu demonstrates that today’s IoT threats are becoming more calculated, resilient, and commercially accessible than ever before.
As the botnet continues to add new modules and exploits, the importance of securing edge devices like routers and DVRs remains a critical priority for both consumers and enterprises.
Source: The Hacker News - Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices