A previously unknown cybercriminal group, dubbed ‘Bigpanzi,’ has been conducting a highly profitable operation by infecting Android TV and eCos set-top boxes on a global scale since at least 2015. According to a report, this cyber threat syndicate manages an expansive botnet with around 170,000 active bots daily. Notably, the researchers have identified 1.3 million unique IP addresses linked to the botnet, with a significant concentration in Brazil since August.
Bigpanzi employs various tactics for infecting devices, utilizing firmware updates or manipulating users into installing compromised apps. Dr. Web’s September 2023 report highlighted the intricacies of these infection methods. The monetization strategy of the cybercriminals involves transforming the compromised devices into nodes for illegal media streaming platforms, traffic proxying networks, distributed denial-of-service (DDoS) swarms, and over-the-top (OTT) content provision.
Two key malware tools, ‘pandoraspear’ and ‘pcdn,’ play pivotal roles in Bigpanzi’s operations. Pandoraspear serves as a backdoor trojan: it hijacks the device’s DNS settings, establishes command and control (C2) communication, and executes commands received from the C2 server. The malware employs sophisticated evasion techniques, including a modified UPX packer shell, dynamic linking, OLLVM-obfuscated compilation, and anti-debugging mechanisms.
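Because the backdoor’s first visible effect on a box is a change to its DNS settings, a simple defender-side check is to audit which resolvers a device is actually configured with. The script below is an added example for this article, not code from the researchers’ report or from either malware family. It assumes the operator keeps an allowlist of resolvers their set-top boxes should use (the `EXPECTED_RESOLVERS` values are constructed placeholders), and that the configuration is collected either from `getprop` output on Android builds that still expose the `net.dnsN` properties, or from a `resolv.conf`-style file on embedded Linux boxes.

```python
import ipaddress
import re

# Resolvers an operator expects set-top boxes on this network to use.
# Constructed example values (assumption): the operator's own resolvers plus
# two public resolvers allowed as fallbacks.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "1.1.1.1", "8.8.8.8"}

# Android 'getprop' lines look like "[net.dns1]: [8.8.8.8]"; Linux-style
# resolv.conf lines look like "nameserver 8.8.8.8". The parser accepts either.
_GETPROP_RE = re.compile(r"^\[net\.dns\d+\]:\s*\[([^\]]*)\]")
_RESOLVCONF_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolvers(text):
    """Return the resolver strings found in getprop or resolv.conf text, in order."""
    found = []
    for line in text.splitlines():
        m = _GETPROP_RE.match(line) or _RESOLVCONF_RE.match(line)
        if m and m.group(1):
            found.append(m.group(1).strip())
    return found


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Classify each configured resolver.

    Returns a dict with three lists:
      'ok'         - resolver is on the allowlist
      'unexpected' - valid IP address that is not on the allowlist
      'malformed'  - not a valid IP address at all
    A non-empty 'unexpected' list is the signal a DNS-hijacking backdoor
    of the kind described above would leave behind.
    """
    result = {"ok": [], "unexpected": [], "malformed": []}
    for r in parse_resolvers(text):
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            result["malformed"].append(r)
            continue
        if str(ip) in expected:
            result["ok"].append(str(ip))
        else:
            result["unexpected"].append(str(ip))
    return result


# Constructed sample: getprop output from a box whose secondary resolver has
# been changed to an address the operator does not recognise.
SAMPLE_GETPROP = """\
[net.dns1]: [10.0.0.53]
[net.dns2]: [203.0.113.77]
[net.hostname]: [tvbox-17]
"""

if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_GETPROP)
    for r in report["unexpected"]:
        print(f"ALERT: unexpected resolver {r}")
    for r in report["malformed"]:
        print(f"ALERT: malformed resolver entry {r!r}")
```

Run against a fleet, the interesting output is the set of boxes whose `unexpected` list is non-empty; a resolver that is valid but unknown to the operator is worth more attention than a malformed entry, which is usually just a configuration error.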
Pcdn, on the other hand, is responsible for creating a peer-to-peer (P2P) Content Distribution Network (CDN) on infected devices and possesses DDoS capabilities to weaponize the compromised devices. Despite the researchers observing 170,000 daily bots during peak times and identifying over 1.3 million distinct IPs since August, the actual size of the Bigpanzi botnet is believed to be larger due to the intermittent activity of compromised TV boxes and limitations in cybersecurity analysts’ visibility.
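The two pcdn behaviours described above, joining a peer-to-peer CDN and taking part in DDoS floods, each leave a characteristic footprint in outbound traffic: many connections to distinct peers in the first case, and a very large packet volume toward a single destination in the second. The script below is an added example for this article, not code from the report or from the researchers, and it runs two such heuristics over constructed flow records of the kind a router’s NetFlow or IPFIX export would provide. The thresholds and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# One record per outbound flow from a set-top box on the local LAN:
# (source_ip, dest_ip, dest_port, packets). All values are constructed.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.5", 443, 120),   # ordinary streaming session
    ("192.168.1.20", "203.0.113.9", 443, 80),
    # box .21: many peers on one high port, modest traffic each -> P2P fan-out
    *[("192.168.1.21", f"198.51.100.{i}", 30000, 15) for i in range(1, 41)],
    # box .22: enormous packet volume to a single host -> flood participation
    ("192.168.1.22", "192.0.2.10", 80, 250000),
]


def summarize(flows):
    """Per source: the set of distinct destinations and packets sent to each."""
    peers = defaultdict(set)
    pkts = defaultdict(lambda: defaultdict(int))
    for src, dst, _dport, packets in flows:
        peers[src].add(dst)
        pkts[src][dst] += packets
    return peers, pkts


def flag_devices(flows, peer_threshold=25, flood_threshold=100000):
    """Return {source_ip: [reasons]} for sources that trip either heuristic.

    peer_threshold: distinct destinations at or above which a box looks like
                    a P2P CDN node rather than a client of a few CDN servers.
    flood_threshold: packets to one destination at or above which a box looks
                     like a DDoS participant.
    Both values are assumptions for this example; tune them to the baseline
    of the monitored network.
    """
    peers, pkts = summarize(flows)
    findings = defaultdict(list)
    for src, dsts in peers.items():
        if len(dsts) >= peer_threshold:
            findings[src].append(f"p2p_fanout:{len(dsts)}_peers")
        top_dst, top_pkts = max(pkts[src].items(), key=lambda kv: kv[1])
        if top_pkts >= flood_threshold:
            findings[src].append(f"flood:{top_pkts}_pkts_to_{top_dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in flag_devices(SAMPLE_FLOWS).items():
        print(src, ", ".join(reasons))
```

A real deployment would baseline each device over days rather than use fixed numbers, since a legitimate streaming client also fans out to several CDN edges; the point of the example is that the two behaviours the report attributes to pcdn are separable in flow data without inspecting payloads.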
The report underscores the covert nature of Bigpanzi’s operations over the past eight years, silently accumulating wealth from the shadows. The researchers note that their findings represent only the tip of the iceberg in understanding the full extent of Bigpanzi’s network. While artifacts in the analyzed pcdn sample have led researchers to a suspicious YouTube channel controlled by a company, the report refrains from disclosing any attribution details, presumably reserving such information for relevant law enforcement authorities.
To thwart the nefarious activities of the Bigpanzi botnet, organizations and users can take proactive measures to enhance their cybersecurity. Implementing robust endpoint protection and regularly updating firmware on Android TV boxes are crucial steps in fortifying the devices against potential infections. Additionally, cybersecurity experts must collaborate to identify and neutralize the botnet’s infrastructure, leveraging threat intelligence to stay ahead of evolving tactics.