{
	"id": "211503b9-224b-4ec9-af65-857e079a21d0",
	"created_at": "2026-04-10T03:19:55.981423Z",
	"updated_at": "2026-04-10T03:22:17.532576Z",
	"deleted_at": null,
	"sha1_hash": "e82b14ee714d919681d56c3c13771dc21e94ecf3",
	"title": "Bashlite Updated with Mining and Backdoor Commands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84429,
	"plain_text": "Bashlite Updated with Mining and Backdoor Commands\r\nBy Mark Vicente, Byron Gelera, Augusto Remillano II, Chizuru Toyama, Jakub Urbanec ( words)\r\nPublished: 2019-04-03 · Archived: 2026-04-10 03:10:43 UTC\r\nWe uncovered an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet. Trend Micro detects this malware as Backdoor.Linux.BASHLITE.SMJC4,\r\nBackdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. Based\r\non the Metasploit module it exploits, the malware targets devices with the WeMo Universal Plug and Play (UPnP)\r\napplication programming interface (API).\r\nBashlite (also known as Gafgyt, Lizkebab, Qbot, Torlus, and LizardStresser) gained notoriety for its use in large-scale DDoS attacks in 2014, but it has since crossed overnews article to infecting IoT devices. In its previous\r\niterations, Bashlite exploited Shellshock to gain a foothold into the vulnerable devices. An attacker can then\r\nremotely issue commands — particularly, to launch DDoS attacks similar to the way it was used in 2016 — and\r\ndownload other files to the compromised devices.\r\nThis updated iteration of Bashlite is notable. For one, its arrival method is unique in that it doesn’t rely on specific\r\nvulnerabilities (e.g., security flaws assigned with CVEs). It instead abuses a publicly available remote-code-execution (RCE) Metasploit module.  It now also sports additional DDoS-related commands, and added new ones\r\nthat gave the malware cryptocurrency miningnews- cybercrime-and-digital-threats and backdoor capabilities. It\r\ncan also deliver malware that removes competing botnet malware.\r\nThe exploit used doesn’t have a list of targeted WeMo devices. It only needs to check if the device is enabled with\r\nthe WeMo UPnP API. The impact could be significant. WeMo’s home automation productsproducts, for instance,\r\nrange from internet-connected cameras, electrical plugs, and light switches and bulbs to motion sensors. It has a\r\nmobile application that uses the Wi-Fi network to wirelessly control IoT devices.\r\nWhile we have not seen significant detections for these versions of Bashlite, it’s worth noting that it’s already in\r\nthe wild, based on feedback from Trend Micro™ Smart Protection Network™. The detections, seen last March\r\n21, were observed in Taiwan, United States, Thailand, Malaysia, Japan, and Canada.\r\nWe disclosed our findings to Belkin. The company has since released an official statement regarding the\r\nvulnerabilities that the malware targets. “Belkin is committed to product and customer security. The vulnerability\r\ndescribed in this article was detected and remediated in 2015 for all affected devices.We strongly encourage\r\ncustomers to update their devices and mobile apps to obtain the latest security fixes.”\r\nintelFigure 1. Bashlite infection chain\r\nintel\r\nintel\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/\r\nPage 1 of 4\n\nFigure 2. Snapshot of code showing a network indicator (via Trend Micro™ Deep Discovery Inspectorproducts™)\r\nof the attack targeting devices with WeMo API (top), which is also in the Metasploit module (bottom)\r\nInfection chain\r\nSome of the Bashlite samples we analyzed appear to differ depending on the architectures they infect. These\r\nrecent Bashlite iterations use a Telnet scanner and brute force the device with these usernames and passwords:\r\nroot, 9615-cdp, admin, admin123, huigu309, xc3511, vizxv, and Dvrdvs.\r\nBashlite uses the scanner to find possible machines to infect. It will then send a dropper binary (XORred, with\r\nkey=0x54) to the vulnerable machine. Of note here is the way the binary dropper is supposed to retrieve and drop\r\nthe Hakai botnet malware, whose code is based on Bashlite and was seen targeting routers last year. However, the\r\nURL from which Hakai is supposed to be downloaded is no longer accessible. There are multiple dropper binaries\r\nembedded in Bashlite, designed for different architectures. Figure 3 shows how the embedded binaries are\r\nretrieved and dumped.\r\nAs part of its command-and-control (C\u0026C) communication, the binary dropper connects to\r\n178[.]128[.]185[.]250/hakai[.]x86. It also connects to 185[.]244[.]25[.]213:3437 for Bashlite’s backdoor routines.\r\nintel\r\nFigure 3. Screenshot showing how the Hakai malware is also supposed to be downloaded and executed on\r\nanother device\r\nintel\r\nintel\r\nFigure 4. Snapshots of code showing functions responsible for retrieving (top) and dumping (bottom) the\r\nembedded binaries\r\nBackdoor and DDoS capabilities\r\nThe most notable of Bashlite’s backdoor commands include simultaneously launching multiple types of DDoS\r\nfloods to a target as well as downloading and executing cryptocurrency-mining and bricking malware. It also has\r\ncode designed to circumvent a DDoS mitigation service.\r\nHere are some of Bashlite’s backdoor commands:\r\nPINGING: Similar to an internet relay chat (IRC) message; the malware replies with PONGING.\r\nECHOSCAN: Toggles the Telnet scanner.\r\nOELINUX: Similar to ECHOSCAN but targets embedded systems.\r\nCFBYPASS: Used to bypass a DDoS mitigation service\r\nintel\r\nintel\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/\r\nPage 2 of 4\n\nFigure 5. Snapshots of code showing the backdoor commands PINGING, ECHOSCAN (top), OELINUX, and\r\nCFBYPASS (bottom)\r\nBashlite can launch several types of DDoS attacks using these commands:\r\nHOLD: Connects to an IP address and port, and sustained for a specified time.\r\nJUNK: Same as HOLD but also sends a randomly generated string to the IP address.\r\nUDP: Flood target with user datagram protocol (UDP) packets.\r\nACK: Send acknowledgment (ACK) signals to disrupt network activity.\r\nVSE: An amplification attack used to consume the resources of a target (e.g., server).\r\nTCP: Send numerous transmission control protocol-based (TCP) requests.\r\nOVH: DDoS attack designed to bypass a DDoS mitigation service\r\nSTD: Similar to UDP (flooding the target with UDP packets)\r\nGRENADE: Launch all the DDoS commands.\r\nBashlite has other notable commands. For example, BRICKER downloads and executes a bricker malware from a\r\nspecified URL to presumably eliminate competing bots. MINER downloads and executes a cryptocurrency-mining\r\nmalware on the infected machine, while PKILL terminates a specified process.\r\nintel\r\nFigure 6. Snapshot of code showing different DDoS-related commands\r\nIoT security shouldn’t be an afterthought\r\nWhile connected devices — from those used in smart homesnews article to complex IoT environmentsnews\r\narticle — provide convenience and efficiency, they can also come with risks if improperly configured or left\r\nunsecured. Bashlite is just one of the many threats that could threaten the privacy, security, and even safety of\r\nusers. We’ve seen some of these threats, for example, take advantage of exposed UPnP-enabled devices that don’t\r\nhave patches for known vulnerabilities. Equipment designers and manufacturers must integrate security into the\r\ndevelopment life cycle of their products. Organizations that adopt BYOD policiesnews- cybercrime-and-digital-threats for IoT device use in the workplace must balancenews article the advantages of mobility and the need for\r\nsecurity. Users should also adopt best practicesnews article.\r\nTrend Micro Home Network Security™products protects users from this threat via this intrusion prevention rule:\r\n1135463 – WEB Belkin Wemo UPnP Remote Code Execution\r\nThe Trend Micro™ Deep Discovery Inspector™products solution protects customers from related attacks via this\r\nDDI rule:\r\n2860 – Belkin Wemo UPnP Remote Code Execution\r\nIndicators of compromise (IoCs)\r\nRelated hashes (SHA-256):\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/\r\nPage 3 of 4\n\n81cbb253ef6ad4803e3918883eed3ec6306ef12e7933c5723bd720d55d13a46a —\r\nBackdoor.Linux.BASHLITE.SMJC4\r\n01570ee09d63579afc77a44295aeb06c1cc826ae6f0aa9423915ea4ecfd9899f —\r\nTrojan.SH.BASHDLOD.AMF\r\nDetected as Backdoor.Linux.BASHLITE.AMF (SHA-256):\r\n2d896a7e4db137024b947ca5be79fd0497f50f3a0ad2edf07455d3b35a40735b\r\nfe887192440d1a7c6199593dfab52362a22e187d80879c89eba72f1659e82d0b\r\n506e4824beb216a33ed7cb1fe98637091f603b93df789f3819c624f5e3e19b80\r\n9ce735506f6cb663d4a4617da99b75262dc937c62c2afda0509adc49745c1554\r\nd9faa3e129a72a9908eafc25d4ecc54aca77da2714471db45d191520bc6075f4\r\n323b4260e8fbfb46461ff017882832ed195821e855a473a0b0e15ace5ad8b2ef\r\n8da4b0d63aa6824e454ec3786093d2fb18d1ba89ddc5510221b076058db0bb19\r\nbcb19d156b089cabc2b89f31e36b577be700ea489dd8c1ef69cbcb95585ef05c\r\n21c740671cad8dc67b5504e0d5e6cf0a92864ea87c075f1ebdff419e95263077\r\nba47ec0a9f2dedb169590f607f96cc889f4b9e465ce9334502a09997e74c4334\r\n31607153ce9edec754027b3ea2ddc3b6c3f13532c2e78b54a89dbeb09b4efd43\r\nd2aeb3beadbdfe9d44521551ce44661595a51ce9bb9e1c317b74e173ab65c6fa\r\nRelated malicious URLs:\r\nhxxp://185[.]244[.]25[.]213/ECHOBOT[.]mips\r\nhxxp://185[.]244[.]25[.]213/UqHDZbqr9S[.]sh\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/"
	],
	"report_names": [
		"bashlite-affects-devices-running-on-busybox"
	],
	"threat_actors": [],
	"ts_created_at": 1775791195,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e82b14ee714d919681d56c3c13771dc21e94ecf3.pdf",
		"text": "https://archive.orkl.eu/e82b14ee714d919681d56c3c13771dc21e94ecf3.txt",
		"img": "https://archive.orkl.eu/e82b14ee714d919681d56c3c13771dc21e94ecf3.jpg"
	}
}