Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

<<< %s(un=’%s’) = %u password with any username to access a device via Telnet and SSH.

- backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device. CVE-2015–7755 - backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded passwordpassword with any username to access a device via Telnet and SSH. CVE-2016–10401 - backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the passwordto gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

"For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall," the expert told Bleeping Computer. "Such multiple layers of attack/evasion are usually a Windows thing."

"Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices," Anubhav said. "If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit," Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

"The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t," he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

"Such setups are usually found in corporations," Anubhav said, raising a sign of alarm of what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn't do anything, for the moment

The good news is that DoubleDoor doesn't do anything special after compromising ZyXEL devices. It just merely adds them to a botnet structure.

"Probably it's a test run or they are just silently recruiting devices for something bigger down the road," Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat's out of the bag, as they say.

You can find additional DoubleDoor technical details in NewSky's report here.