A botnet made up of IoT devices is helping hackers mask attacks on web applications, acting as a relay point for SQL injection (SQLi), cross-site scripting (XSS), and local file inclusion (LFI) attempts.
The botnet, a veteran of the botnet scene, is named ProxyM and was built with the Linux.ProxyM malware.
ProxyM active since February 2017
This botnet has been active since February 2017 and at one point in late May and early June, had reached a size of 10,000 infected devices.
Its operator(s) have targeted IoT devices running stripped-down Linux distros and infected them with malware that does nothing more than run a simple SOCKS5 proxy.
In June, researchers spotted the botnet relaying basic HTTP traffic, but by September, the ProxyM operator changed tactics, and the botnet was being utilized to send emails as part of spam campaigns.
Also by that time, the botnet had shrunk to only 4,500 – 5,000 devices, but that didn’t matter, because a few thousand devices are more than enough for a botnet that operates as a proxy network.
ProxyM changes tactics in mid-November
According to new research published last week by Dr.Web, the company that has been tracking all of ProxyM’s movements, the botnet has been repurposed again, and this time, ProxyM bots are used as relay points in attempts to exploit vulnerable websites and servers.
It is unclear if ProxyM’s owners are behind the attacks or if they are merely renting the botnet, but ProxyM bots have been sending between 10,000 and 35,000 requests per day, relaying exploitation attempts for SQLi, XSS, and LFI flaws.
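From a defender's side, relayed SQLi, XSS and LFI probes of the kind described above still land in ordinary web server access logs; what changes is that they arrive from many unrelated source addresses instead of one. The following Python script is an added example, not code from the article or from Dr.Web: it parses Apache combined-format log lines, URL-decodes the request path, matches it against a small set of SQLi/XSS/LFI signatures, and then counts hits per category and per source address, so that a "many sources, one or two flagged requests each" spread, typical of proxy-relayed probing, becomes visible. The log lines, the IP addresses and the signature list are all constructed for the example and are assumptions rather than anything the article reports.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = '''
198.51.100.10 - - [14/Nov/2017:10:01:02 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.11 - - [14/Nov/2017:10:01:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.12 - - [14/Nov/2017:10:01:04 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Nov/2017:10:01:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.13 - - [14/Nov/2017:10:01:06 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 500 0 "-" "python-requests/2.18"
203.0.113.5 - - [14/Nov/2017:10:01:07 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# Minimal combined-log parser: source IP, timestamp, method, path, protocol, status, size.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)'
)

# Illustrative signatures only (an assumption of this example, not a complete ruleset).
SIGNATURES = {
    "sqli": re.compile(
        r"\bunion\b.*\bselect\b|'\s*or\s*1\s*=\s*1|--\s*$|\bsleep\s*\(|information_schema",
        re.I,
    ),
    "xss": re.compile(r"<script\b|javascript:|\bon(?:error|load)\s*=", re.I),
    "lfi": re.compile(r"(?:\.\./){2,}|/etc/passwd|php://|/proc/self", re.I),
}


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group(1),
        "ts": m.group(2),
        "method": m.group(3),
        "path": m.group(4),
        "status": int(m.group(6)),
    }


def classify_request(raw_path: str) -> list:
    """Return the list of signature categories the (decoded) path matches."""
    # Decode twice so that double-encoded payloads (%2527 -> %27 -> ') are also seen.
    decoded = unquote(unquote(raw_path))
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def analyze(log_text: str) -> dict:
    """Flag suspicious requests and summarise them per category and per source IP."""
    per_category = Counter()
    per_ip = Counter()
    flagged = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cats = classify_request(rec["path"])
        if not cats:
            continue
        # A 404 or 500 is still a probe worth recording; the status only tells us
        # whether the target path existed, not whether the source is hostile.
        flagged.append((rec["ip"], rec["path"], cats, rec["status"]))
        per_ip[rec["ip"]] += 1
        for c in cats:
            per_category[c] += 1
    return {
        "flagged": flagged,
        "per_category": dict(per_category),
        "per_ip": dict(per_ip),
        "distinct_sources": len(per_ip),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("flagged requests:", len(summary["flagged"]))
    print("by category:", summary["per_category"])
    print("distinct sources:", summary["distinct_sources"])
    for ip, path, cats, status in summary["flagged"]:
        print(f"  {ip:15} {status} {cats} {path}")
```

On the constructed sample, four requests are flagged from four different source addresses, each sending exactly one probe, while the benign visitor at 203.0.113.5 is never flagged. That shape (flagged count roughly equal to distinct-source count) is the signal to look for when a proxy network is in play: per-IP rate limiting and IP blocklists do little against it, so the useful response is at the application layer (parameterised queries, output encoding, restricted file includes) plus alerting on the aggregate signature rate rather than on any single source.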
Dr.Web says victims include gaming-related servers,…