How a botnet of 400,000 devices was controlled from an LED light controller console

After a rigorous investigation, the malware reverse engineering team of the Microsoft Digital Crimes Unit (DCU) detected unusual behavior potentially associated with a new malware campaign. These suspicions were subsequently confirmed, leading to an unprecedented cybersecurity operation carried out in conjunction with police agencies in Taiwan.

DCU is one of the largest efforts Microsoft has put in place to protect its customers and their IT resources: it shares threat data in real time and collaborates with government organizations and private companies around the world. The team monitors millions of data points per day, 24 hours a day, 7 days a week, 365 days a year.

This time, DCU malware reverse engineering experts detected an unusual rise in botnet-linked activity, which grew a hundredfold in less than a month. A botnet, it should be remembered, is a network of Internet-connected computers and devices infected with the same malware variant. After infection, threat actors can control these devices remotely to carry out various malicious tasks.

The Microsoft team analyzed more than 400,000 public IP addresses potentially linked to the botnet and narrowed them down to a sample of 90 suspicious addresses. From this sample, DCU found something alarming: one of these IP addresses was associated with dozens of reports of activity related to malware distribution, phishing emails, ransomware attacks, and distributed denial-of-service (DDoS) attacks.

Using the information provided by the malware reverse engineering experts, Taiwanese law enforcement agencies were able to track this suspicious IP address effectively. They discovered that the accounts behind the address were sending malware payloads from a location in the north of the country.

Experts note that these threat actors typically launch such attacks from compromised devices. In this campaign, however, the control point was an LED light control console, a type of Internet of Things (IoT) device rarely seen in this role. Once the source of the attacks had been located, the authorities and DCU disrupted the operation to prevent further attacks.

The International Institute of Cyber Security (IICS) notes that malicious activity against IoT devices in Taiwan continues to rise sharply. These attacks target government institutions, technology companies and individuals, exposing them to data theft, disclosure of confidential information, identity fraud and other malicious activity.