It spreads by launching brute-force attacks against devices that are connected to the internet and have ports 23 and 2323 exposed to the network. After gaining access, it downloads one of seven binaries to install the HEH malware.
HEH botnet features
However, among the features it does have is a function that traps infected devices and forces them to carry out SSH brute-force attacks over the Internet to help amplify the botnet. Another feature allows attackers to execute shell commands on the infected device. A variation of this second function executes a list of predefined shell operations that erase all partitions on the device.
The HEH botnet was discovered by Netlab security researchers. This is a relatively new threat, so there is not yet enough information to know whether wiping devices is something it always does. However, they indicate that if this function is used frequently, it could lead to the blocking of hundreds or thousands of devices.
It has infected all kinds of servers, routers, and IoT devices. Basically, it can infect any computer that has SSH ports with weak security.
When the partitions are deleted, the device's firmware or operating system is deleted as well. This would cause computers to hang, at least temporarily, until the firmware or operating system is reinstalled. However, at one extreme it could mean that the equipment stops working forever, since it might not be easy to reinstall the firmware.
Netlab has indicated that it detected HEH samples that can run on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32 / MIPS-III), and PPC.
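The propagation described above (infected devices being forced to attack others over ports 23 and 2323) can be watched for from the defender's side. The following is an added example, not code from Netlab or the original article: it flags internal devices that contact many distinct external hosts on those two ports within a short window. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TARGET_PORTS = {23, 2323}  # the two ports named in the article
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW, MIN_TARGETS = timedelta(seconds=60), 4  # assumed tuning values

# Constructed sample, time-ordered: "<ISO time> <src> <dst> <dst_port>"
SAMPLE_LOG = """\
2020-10-07T10:00:01 192.168.1.50 198.51.100.10 23
2020-10-07T10:00:02 192.168.1.20 203.0.113.5 23
2020-10-07T10:00:03 192.168.1.50 198.51.100.11 2323
2020-10-07T10:00:04 192.168.1.50 198.51.100.12 443
2020-10-07T10:00:05 192.168.1.50 198.51.100.13 23
2020-10-07T10:00:06 192.168.1.50 198.51.100.14 2323
2020-10-07T10:02:00 192.168.1.60 198.51.100.20 23
2020-10-07T10:04:00 192.168.1.60 198.51.100.21 23
2020-10-07T10:06:00 192.168.1.60 198.51.100.22 23
2020-10-07T10:08:00 192.168.1.60 198.51.100.23 23
truncated line
"""

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_port_sweepers(log_text, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {internal src: peak distinct external 23/2323 targets per window}."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            when = datetime.fromisoformat(ts)
            relevant = int(port) in TARGET_PORTS and is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # malformed line: wrong field count, bad time, port or IP
        if not relevant:
            continue
        seen = recent[src]
        seen.append((when, dst))
        while when - seen[0][0] > window:
            seen.popleft()  # drop connections older than the window
        targets = len({d for _, d in seen})
        if targets >= min_targets:
            flagged[src] = max(flagged.get(src, 0), targets)
    return flagged

if __name__ == "__main__":
    print(find_port_sweepers(SAMPLE_LOG))
```

In the sample, only the device that reaches four distinct external hosts within seconds is reported; the host making a single connection and the one spreading its connections over several minutes fall under the assumed threshold.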