The Expanding Botnet Empire: Bigpanzi’s Global Grip on 170,000 Devices
The Beijing-based company Qianxin Xlabs has issued a warning that since 2015, the hacker group Bigpanzi has been infecting Android TVs and eCos set-top boxes with malware across the globe. It is believed that the group currently controls a substantial botnet, comprising approximately 170,000 devices that are active daily.
It is known that Bigpanzi infects devices through firmware updates or applications installed by users themselves. This threat is under the identifier Android.Pandora was discussed by analysts from Doctor Web as early as the autumn of 2023, who have been monitoring it.
The hackers monetize the infected devices, transforming them into nodes for illegal streaming platforms, proxying traffic, launching DDoS attacks, and distributing OTT content.
In the Qianxin Xlabs report, pandoraspear and pcdn are examined — two malicious tools used by Bigpanzi. Pandoraspear acts as a backdoor trojan, altering DNS settings to establish communication with a controlling server, and can execute commands received from operators.
The malware supports numerous commands, allowing it to manipulate DNS settings, initiate DDoS attacks, update itself, create reverse shells, manage communication with the controlling server, and execute arbitrary commands.
It’s noted that Pandoraspear employs a modified UPX Shell, dynamic linking, OLLVM compilation, and various anti-debugging mechanisms to evade detection.
Pcdn, in turn, is used to create a P2P content distribution network (CDN) on the infected devices and possesses capabilities for conducting DDoS attacks.
Chinese researchers have gained insights into the size of the botnet by capturing two C&C domains of the group and observing them over a week. Analysts report that at peak times, the Bigpanzi botnet comprises up to 170,000 active bots, and since last August, has been associated with more than 1.3 million different IP addresses, the majority of which are located in Brazil.
Given that compromised devices are not always active simultaneously, and researchers’ capabilities were limited, it’s presumed that the actual size of the botnet is much larger.
“Over the past eight years, Bigpanzi has been operating covertly, silently amassing wealth from the shadows. With the progression of their operations, there has been a significant proliferation of samples, domain names, and IP addresses. Over these years, these have accumulated in substantial numbers. Moreover, due to the reuse of code and infrastructure, there are complex connections between the samples, domain names, and IP addresses,” conclude the experts.