A botnet discovered at the start of the year and named Hide 'N Seek (HNS) has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions as well.

This is an important development in the botnet's evolution, which also passed a significant milestone in May when it became the first IoT malware that was capable of surviving device reboots.

HNS now targets more devices

Now, the Netlab research team at Qihoo 360 says that HNS has expanded beyond the scope of routers and DVRs and is now also targeting database applications running on server operating systems.

According to Netlab researchers, the botnet is now capable of infecting the following types of devices, with the following types of exploits:

As a side-effect for adding more payloads, HNS is also noisier now, as it needs to scan more ports to find new hosts to infect. Experts say they've seen HNS bots initiating scans on ports:

23      Telnet  
80      HTTP Web Service  
2480  OrientDB  
5984  CouchDB  
8080  HTTP Web Service  
... but also random ports

But HNS was easy to spot anyway because it's only the second major IoT botnet besides Hajime known to use a P2P structure, so security researchers would have an easy time identifying it regardless.

HNS testing coinminer payload

HNS is not the first botnet to target OrientDB servers, which have become quite the favorite among various botnets. For example, DDG, a botnet discovered last year, which is still alive today, has targeted OrientDB servers in the past with cryptocurrency-mining malware.

In fact, it appears that HNS operators might have learned something from the DDG crew because Netlab says HNS has also started dropping a coinminer payload on some of the infected systems.

Fortunately, for the time being, it appears that these deployments have all failed, as the additional coinminer payload failed to start and generate funds for the HNS operators.

But if they manage to get it up and running, they'll be in for some profits, as the DDG gang collected well over $1 million from their coinmining last year.

The Netlab team has published an in-depth analysis of the changes in HNS compared to its previous variant spotted back in January.

Related Articles:

Around 5% of All Monero Currently in Circulation Has Been Mined Using Malware

Prowli Malware Operation Infected Over 40,000 Servers, Modems, and IoT Devices

Passwords for Tens of Thousands of Dahua Devices Cached in IoT Search Engine

Rakhni Ransomware Adds Coinminer Component

Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses