A new IoT botnet has been gathering strength quietly over the last couple of weeks, and researchers say that more than one million devices have been compromised, including IP cameras and home routers. The malware being used to build the botnet appears to have some similarities to the Mirai malware, but rather than simply using default credentials to access devices, the IoT Reaper malware is using software exploits.

Researchers began tracking IoT Reaper about a month ago, and since the first week of October, the number of compromised devices attacking other IoT devices has been increasing rapidly. There are as many as 10,000 active IPs communicating with the C2 servers every day, researchers said, and many more devices in the botnet’s crosshairs.

“IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day,” researchers at Qihoo 360 in China wrote in an analysis of the attack.

“While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.”

When Mirai emerged last year, it quickly became a huge story, thanks to a couple of interesting characteristics of the malware. Mirai was designed specifically to take advantage of devices such as surveillance cameras, routers, and others that had easily guessable or publicly known usernames and passwords. It didn’t use any exploits for vulnerabilities, but once Mirai had built up a critical mass of infected devices, the attackers controlling it used the botnet to launch DDoS attacks against a number of significant targets. One attack was aimed at Dyn, a major DNS provider, and the assault effectively crippled significant portions of the Internet for several hours.

Mirai was the first large-scale botnet that primarily targeted IoT devices, but researchers warned that it was almost certainly just the beginning of a new wave of such attacks. IoT devices are the weakest link in any network, whether it be at home or in an enterprise. Many of these devices are insecure right out of the box, running firmware with significant vulnerabilities and coming with default credentials that are easy to find online. Manufacturers have shown that they are not too interested in providing timely patches for public flaws. Even when they do ship updates, users aren’t too keen to try patching their refrigerators or home routers.

Attackers are only too happy to take advantage of these weaknesses, as Mirai showed. Now, the IoT Reaper malware is picking up where Mirai left off and taking things to the next level, using exploits for vulnerabilities. With the massive popularity of smart devices, the potential for damage with this kind of campaign is very high.

“While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes,” researchers at Check Point said in their analysis of IoT Reaper.

The IoT Reaper malware contains exploits for at least nine vulnerabilities, including bugs in routers from D-Link, Netgear, and Linksys, and flaws in a number of different brands of surveillance cameras. The researchers at Qihoo 360 said that while IoT Reaper hasn’t been used for any DDoS attacks yet, the malware has that functionality in it. And with more than two million devices in one of the C2 servers’ infection queues, this campaign may just be getting started.