Kevin Stear

Rise of the IoT Reaper

Blog Post created by Kevin Stear on Oct 26, 2017

During the month of October, there’s been a disturbance in the force: the growing presence of a new Internet of Things (IoT) botnet, dubbed ‘Reaper’. Initial research published by Check Point and Qihoo indicates that the IoT Reaper botnet may have already infected more than 2 million devices, making it one of the most dangerous botnets in the world.


From a NetWitness Packets detection standpoint, FirstWatch has observed Reaper activity since the middle of October.  These attacks are commonly carried over TCP from ephemeral ports to a common set of destination ports as depicted below.



The following Reaper exploit attempts were observed attacking RSA FirstWatch sinkhole infrastructure on October 20th from a likely compromised (i.e., Reaper-infected bot) Iran-based source IP address, 84.241.31[.]227.


D-Link Devices - 'command.php' Unauthenticated Remote Command Execution (Metasploit):


Wireless IP Camera (P2P) WIFICAM GoAhead Backdoor / Remote Command Execution:


Checking to see if the previous exploit worked (thanks @VK_Intel):


Unknown Credential Stealing Exploit:


D-Link Devices - 'hedwig.cgi' Buffer Overflow in Cookie Header (Metasploit):


Linksys WRT160N v2 - 'apply.cgi' Remote Command Injection (Metasploit):


Netgear DGN Devices Unauthenticated Command Execution:


Linux System Files Information Disclosure:


Notable meta tagging for this activity within NetWitness Packets can be seen below.


RSA FirstWatch has further quantified IoT Reaper attacks in the wild from several thousand source IP addresses, which have been added to the FirstWatch C2 IP feed available in RSA Live and tagged with the following meta data:

  • threat.category = ‘botnet’
  • threat.desc = ‘reaper’
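
As an added illustration (not RSA's or NetWitness's own code), the Python below applies the two feed tags above to constructed session lines and flags requests for the endpoint file names given in the exploit headings of this post. The session line format, the `exploit.hint` and `ephemeral.src` keys, the ephemeral port threshold and the sample addresses are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Endpoint file names taken from the exploit headings in this post.
ENDPOINTS = {
    "command.php": "D-Link command.php command execution",
    "hedwig.cgi": "D-Link hedwig.cgi cookie header overflow",
    "apply.cgi": "Linksys WRT160N v2 apply.cgi command injection",
}
# Stand-in for the C2 IP feed: the one source IP published in this post, kept defanged.
FEED = ["84.241.31[.]227"]
EPHEMERAL_MIN = 32768  # assumption: start of the default Linux local port range

def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")

FEED_IPS = {refang(i) for i in FEED}
LINE = re.compile(r"^(\S+):(\d+) -> \S+:(\d+) (GET|POST) (\S+)$")

def tag_session(line):
    """Return the meta for one constructed session line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src_ip, src_port, dst_port, _method, uri = m.groups()
    meta = {"ip.src": src_ip, "tcp.dstport": int(dst_port)}
    if src_ip in FEED_IPS:  # feed hit: apply the two tags listed above
        meta["threat.category"] = "botnet"
        meta["threat.desc"] = "reaper"
    # Compare only the last path segment so directories and query strings do not hide a match.
    leaf = urlsplit(uri).path.rsplit("/", 1)[-1].lower()
    if leaf in ENDPOINTS:
        meta["exploit.hint"] = ENDPOINTS[leaf]  # hypothetical meta key
    meta["ephemeral.src"] = int(src_port) >= EPHEMERAL_MIN  # hypothetical meta key
    return meta

# Constructed sample sessions; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    "84.241.31.227:51544 -> 192.0.2.10:80 GET /index.html",
    "198.51.100.7:40212 -> 192.0.2.10:8080 POST /command.php",
    "198.51.100.9:443 -> 192.0.2.10:80 GET /cgi/hedwig.cgi?x=1",
    "not a session line",
]

def summarize(lines=SAMPLE):
    """Tag every sample line; unparsable lines come back as None."""
    return [tag_session(line) for line in lines]
```

A feed hit and an endpoint hit are independent signals: the second sample matches an endpoint from a source that is not in the feed, which is the case a feed-only rule would miss.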


Thanks to Kent Backman (RSA FirstWatch), Andre DiMino (DeepEnd Research), Chris Doman (ThreatCrowd), and Jaime Blasco (AlienVault) for contributing to this research.