Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

The Hacker News, 08/04/2026, 16:30

Summary

AI-Generated

Key Points:

  • Masjesu is a newly identified DDoS-for-hire botnet targeting IoT devices, advertised via Telegram, and designed for stealth and persistence.
  • The botnet primarily affects routers and gateways from various manufacturers, with attacks originating from countries like Vietnam, Ukraine, and Iran. It is capable of executing volumetric DDoS attacks against content delivery networks and enterprises.
  • Recommended actions include monitoring network traffic for unusual patterns, implementing rate limiting on IoT devices, and ensuring firmware is up to date to mitigate exploitation risks.

Technical Details: Masjesu utilizes XOR-based encryption to conceal its operations and employs command injection exploits targeting multiple IoT device brands. The botnet operates on TCP port 55988 for command execution.

MITRE ATT&CK Techniques:

  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1499 - Endpoint Denial of Service (Impact)

IOCs Mentioned:

  • TCP Port: 55988
  • Port associated with Realtek SDK's miniigd daemon: 52869
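
One way to act on the traffic-monitoring recommendation with the two ports listed above, as an added example that is not taken from the original article: a small flow-log triage script. The log layout, the rule names and the RFC 1918 definition of "internal" are assumptions, and the sample flows are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MASJESU_PORT = 55988   # IOC list: "TCP port 55988 for command execution"
MINIIGD_PORT = 52869   # IOC list: Realtek SDK miniigd daemon
# Assumption: RFC 1918 space is the internal side; adjust to your address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed log layout: "<time> <proto> <src>:<sport> -> <dst>:<dport>" (IPv4 only)
LINE = re.compile(r"^(\S+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def classify(line):
    """Return (rule, internal_host, external_peer) for a flagged flow, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(2).upper() != "TCP":
        return None
    src, sport, dst, dport = m.group(3), int(m.group(4)), m.group(5), int(m.group(6))
    try:
        src_in, dst_in = is_internal(src), is_internal(dst)
    except ValueError:           # malformed address in the log line
        return None
    if src_in == dst_in:         # flow does not cross the perimeter
        return None
    host, peer = (src, dst) if src_in else (dst, src)
    if MASJESU_PORT in (sport, dport):
        return ("port-55988", host, peer)
    if dport == MINIIGD_PORT:    # hypothetical rule names: WAN reach vs. outbound probing
        return ("miniigd-exposed" if dst_in else "miniigd-outbound", host, peer)
    return None

def scan(lines):
    """Group hits as {internal_host: {rule: set(external_peers)}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for rule, host, peer in filter(None, map(classify, lines)):
        hits[host][rule].add(peer)
    return hits

# Constructed sample flows (documentation address ranges), not real telemetry.
SAMPLE = """\
2026-04-08T10:00:01Z TCP 192.168.1.1:40122 -> 203.0.113.7:55988
2026-04-08T10:00:05Z TCP 198.51.100.20:51514 -> 192.168.1.1:52869
2026-04-08T10:00:09Z TCP 192.168.1.50:44100 -> 198.51.100.9:443
2026-04-08T10:00:12Z UDP 192.168.1.50:5353 -> 203.0.113.7:55988
2026-04-08T10:00:15Z TCP 192.168.1.1:40200 -> 198.51.100.31:52869
2026-04-08T10:00:16Z TCP 192.168.1.1:40201 -> 198.51.100.32:52869
""".splitlines()
```

A hit on either port is a lead to investigate on the named device rather than proof of infection, since ephemeral source ports can coincide with 55988.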
