TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

A previously unreported Internet-of-Things (IoT) botnet framework, dubbed TuxBot v3 Evolution, has been discovered by cybersecurity researchers. The framework shows signs of being developed with assistance from a large language model (LLM), although the results are not entirely successful.

The LLM was used to generate botnet code, but it included a safety disclaimer that the developer failed to remove before shipping. This suggests that while the AI did aid in constructing the botnet, several functions in the analyzed samples failed to work correctly. A manual code review would have likely resolved these errors, and it’s possible that more polished iterations of the malware exist out there in the wild.

The TuxBot v3 Evolution framework consists of multiple components, including a C-based bot agent that cross-compiles for various architectures (ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V). The Go-based command-and-control (C2) server features a DDoS-for-hire panel, while the custom exploit virtual machine is designed to target vulnerabilities in IoT devices. Additionally, there’s an automated build system and Docker-based test infrastructure.

The bot agent is responsible for brute-force Telnet access on targeted devices using 1,496 credential pairs. It also incorporates exploit code targeting over 30 IoT device families using known vulnerabilities. The C2 server communicates with the bot agent over an encrypted TCP channel, employing a SHA512 domain generation algorithm (DGA) and peer-to-peer gossip protocol with Ed25519-signed commands.

The framework’s modular design allows for flexibility in its operations. It can resort to various fallback mechanisms, including Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling. The lineage of TuxBot v3 Evolution has been traced back to three different botnets: Mirai, AISURU, and Wuhan. Some functions have also been ported from the open-source MHDDoS Python DDoS toolkit.

At least one sample of the malware was uploaded to VirusTotal on January 20, indicating it’s been around for over six months. Evidence suggests that work on the botnet began a year prior, when the author cloned the MHDDoS repository from GitHub. The framework’s description claims it features a professional-grade C2 platform with multi-user admin panel and automated deployment.

The Go-based C2 server component uses three different TCP ports for incoming connections: 1999 (or 31337), 2222, and 9999. These ports handle encrypted command dispatch to connected bots, interactive shell access over SSH, and programmatic interface via JSON, respectively. Once launched, the botnet follows a pre-defined initialization sequence.

This sequence includes loading the C2 address from a multi-tiered architecture with one primary channel and five alternate mechanisms. It also sets up anti-debugging and anti-VM protections to evade analysis tools. The process name is hidden, persistence is installed, and various sub-modules are launched to mount DDoS attacks and establish communication channels over IRC, HTTP, DNS, and P2P.

The dedicated HTTP scanner can manage up to 128 concurrent connections at any given point in time, operating with the goal of discovering vulnerable web interfaces. Persistence is accomplished through systemd service, cron entries, and a watchdog keepalive process to ensure TuxBot remains operational on compromised machines.

Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments. These comments reveal the internal reasoning as it worked through porting tasks, complete with self-interruptions, decisions, and references to ‘the user’ (meaning the developer who prompted the LLM). This suggests that the AI was used as a judge of sorts, providing guidance on how to develop the botnet.

The core working functions in TuxBot v3 Evolution, coupled with its reliance on AI tools for businesses, signal accelerated integration of features. The framework’s modular design enables what appears to be single developer to come up with a multi-pronged toolset featuring multiple C2 channels and custom exploit VM.

Shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem, known for running multiple IoT botnet variants in parallel. This variant aims to go beyond Mirai forks by incorporating encrypted C2, DGA, and a modular exploit system.

The disclosure follows recent emergence of two other botnets: RustDuck and AryStinger. These have targeted routers, IP cameras, Android boxes, and poorly secured servers for co-opting them into networks designed to render online services offline and conduct reconnaissance.

Related news