Pink Botnet, From 1.6 Million Bots to 100,000 Infected Devices


The Pink Botnet is a dangerous project that was first identified in 2020, and it has grown rapidly in size over the past couple of months. For a short period, the Pink Botnet was one of the largest botnets of its kind. Thankfully, its size was greatly reduced through the joint effort of cybersecurity researchers and law enforcement agencies. Unfortunately, the project is not yet fully inactive, and its operators might soon try to restore it to its former 'glory.'

At the peak of its activity, the Pink Botnet had enslaved over 1.6 million devices, the majority of which were located in China. The criminals mostly targeted fiber routers that were vulnerable to specific types of attacks and exploits. The most interesting aspect of the Pink Botnet's operators is how quickly they reacted to any patches released by the device manufacturers: they updated their implants on the fly so they could get around the latest security measures that the new firmware put in place.

How was the Pink Botnet Used?

This particular project focused on ad fraud and distributed denial-of-service (DDoS) attacks. The former was carried out by manipulating users' traffic and injecting ads into the websites they visited. The DDoS capabilities, on the other hand, might also have been rented out to the highest bidder. All of the enslaved devices were controlled via remote commands sent out by the attackers' control server.

In addition to the DDoS and ad-fraud campaigns, the operators of the Pink Botnet could also do more with the infected devices. They had the ability to download and execute files, fetch system information, update the payload, and execute remote system commands.

The size of the Pink Botnet has been greatly reduced, but there are still over 100,000 infected and active devices. The best way to protect your Internet-connected devices from such attacks is to use up-to-date firewall and antivirus software, apply the latest firmware updates, and use strong login credentials.

November 1, 2021