Bigpanzi botnet infects 170,000 Android TV boxes with malware



A previously unknown cybercrime syndicate named 'Bigpanzi' has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015.


Beijing-based Qianxin Xlabs reports that the threat group controls a large-scale botnet of approximately 170,000 daily active bots. However, the researchers have seen 1.3 million unique IP addresses associated with the botnet since August, most in Brazil.


Bigpanzi infects the devices via firmware updates or backdoored apps that the users are tricked into installing themselves, as highlighted in a September 2023 report by Dr. Web.



Malicious apps carrying malware payloads (Source: Xlabs)

The cybercriminals monetize these infections by turning the devices into nodes for illegal media streaming platforms, traffic proxying networks, distributed denial of service (DDoS) swarms, and OTT content provision.



Bigpanzi operations diagram (Source: Xlabs)

Bigpanzi's custom malware


Xlabs' report focuses on 'pandoraspear' and 'pcdn,' two malware tools used by Bigpanzi in their operations.



The two malware payloads on the malicious firmware image (Source: Xlabs)

Pandoraspear acts as a backdoor trojan, hijacking DNS settings, establishing command and control (C2) communication, and executing commands received from the C2 server.


The malware supports a variety of commands that allow it to manipulate DNS settings, initiate DDoS attacks, update itself, create reverse shells, manage its communication with the C2, and execute arbitrary OS commands.



Establishing a reverse shell on an infected device (Source: Xlabs)

Pandoraspear uses sophisticated techniques such as a modified UPX shell, dynamic linking, OLLVM compilation, and anti-debugging mechanisms to evade detection.
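The modified UPX shell mentioned above is something defenders can triage for when pulling binaries out of a suspect firmware image. The script below is an added example, not code from Xlabs or the article; it assumes that a stock UPX build leaves the ASCII magic "UPX!" and its "$Info:" banner in the packed file, so a compressed-looking ELF that has lost one of them deserves a closer look.

```python
# Added example (not Xlabs' or the article's code): a triage heuristic for
# ELF samples whose UPX markers look stripped or altered. Assumption: an
# unmodified UPX build leaves the ASCII magic b"UPX!" and its "$Info:" banner
# in the output; a patched packer typically removes one or both, which is
# also why stock `upx -d` refuses such files.
import math

UPX_MAGIC = b"UPX!"
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"
ELF_MAGIC = b"\x7fELF"
PACKED_ENTROPY = 7.0  # bits per byte; compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_upx(blob: bytes) -> str:
    """Return one of: not-elf, upx, upx-tampered, packed-unknown, plain.

    'upx-tampered' means the body looks compressed but only one of the two
    UPX markers survives, the usual footprint of a patched UPX stub.
    """
    if blob[:4] != ELF_MAGIC:
        return "not-elf"
    has_magic = UPX_MAGIC in blob
    has_banner = UPX_BANNER in blob
    packed = shannon_entropy(blob[64:]) >= PACKED_ENTROPY  # skip ELF header
    if has_magic and has_banner:
        return "upx"
    if packed and (has_magic or has_banner):
        return "upx-tampered"
    if packed:
        return "packed-unknown"
    return "plain"


def triage(samples: dict) -> dict:
    """Classify a batch of {name: bytes}, e.g. files carved from a firmware image."""
    return {name: classify_upx(data) for name, data in samples.items()}


# Constructed inputs: a 64-byte ELF header stand-in followed by a body.
HDR_STUB = ELF_MAGIC + bytes(60)
HIGH_ENTROPY_BODY = bytes(range(256)) * 16  # entropy is exactly 8.0
SAMPLES = {
    "stock_upx.elf": HDR_STUB + UPX_MAGIC + HIGH_ENTROPY_BODY + UPX_BANNER,
    "patched_upx.elf": HDR_STUB + HIGH_ENTROPY_BODY + UPX_BANNER,  # magic gone
    "plain.elf": HDR_STUB + b"A" * 4096,
    "notes.txt": b"not a binary",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Treat a "upx-tampered" or "packed-unknown" verdict as a prompt for sandbox or manual unpacking, not as proof of infection; legitimate vendors occasionally ship packed binaries too.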


Pcdn is used to build a peer-to-peer (P2P) Content Distribution Network (CDN) on infected devices and possesses DDoS capabilities to weaponize devices.



Pcdn's built-in DDoS toolset (Source: Xlabs)

Scale of ope ..
