Botnet Encyclopedia

This campaign is identified by the Bash script it drops on infected servers, which is named 8UsA.sh. Its earliest incidents were observed in 2018, however, the most recent attacks wave started in June 2020. Breached servers connect to the command-and-control server and download a DDoS malware sample, compiled for the specific architecture. C2 communication is done over port 5555, and DDoS is done over Telnet (TCP port 23). It appears that the main C2 is hosted by Frantech Solutions, which no longer provides service.

The 911 (Nine-One-One) campaign is one deploying a known Mirai variant named Sora. Active since the beginning of April 2020, the campaign has been targeting IoT devices for at least four months. The Sora variant, according to recent reports, exploits remote code execution and authentication bypass vulnerabilities in Huawei and Dasan GPON routers, respectively. Another characteristic of this variant is its XOR encryption key, the value 0xDEDEFBAF. Each string in the malware process is decrypted in memory using this key, and is immediately encrypted again to avoid memory-based detection. The name of this botnet campaign is derived from the deployed malware binaries – “911”, with an extension that corresponds to the victim’s architecture.

For additional reading materials, visit  CERT.PL (Polish) | TrendMicro

B3astMode is a Mirai-based DDoS botnet targeting SSH servers, Huawei HG532 routers and IoT devices. In this campaign, the attacker attempts to hack into SSH servers using brute-force. In case of success, the attacker connects to the C&C server and downloads a malicious payload named B3astMode, according to the victim’s architecture.

In order to expand the attack’s botnet network, the malware attempts to exploit 2 Remote Code Execution (RCE) vulnerabilities:

• CVE-2017-17215 in the Huawei router over TCP port 37215.
• A vulnerability in DVRs manufactured by MVPower over TCP port 60001.

By breaching these devices, the attacker amplifies the volume of the performed TCP and UDP flood attacks. At the time of writing, there were nearly 200k devices that are potential victims of this attack.

For additional reading materials, visit the links below:

CERT.PL (Polish) | TrendMicro

BashLegend is an attack campaign operated by a hacker named UzzySenpai. Its first attack incidents were captured by Guardicore sensors in May 2020, however, its current wave started late August.

In this campaign, the hacker brute-forces public SSH servers. After a successful connection, the attacker downloads an executable file named .0803 from its command-and-control server.This file is an obfuscated version of an open-source tool called RootHelper, which “aids in the process of privilege escalation on a compromised Linux system”, according to its description on Github.

Afterwards, an XMRig Monero miner is downloaded alongside a JSON configuration. Since its emergence, we’ve observed only a single wallet being used – 89QZqpUHJBUJTYWKXxcHMrWrsJNVhKLUh2EmYd9KbBkmNhY6MNcJc8BJJ89QE621aLWuffSWHe2y7cA9up7t2kohJH42rWY. 

BashLegend’s cryptominer names its workers using the number of CPU cores on the compromised machine – e.g. 1-Squad, 4-Squad, etc. – which gives us an insight into the nature of the victims. Some active workers are named 60-Squad, indicating that at least one victim with 60 CPU cores was hit by the attack.The strings observed in the attack files, combined with the first attack incidents which originated in Romania – strongly suggest that BashLegend operator is of Romanian origin.

Bins is a family of DDoS attack campaigns. The malware they spread is a variant of Mirai, with various functions such as UDP and TCP floods, IP spoofing, etc. Some malware samples disguise themselves as the SSH daemon process or the light-weight SSH server ‘DropBear’. The different names of the malware file tell exactly which architectures are targeted: mips, mipsel, sh4, x86, armv6l, i686, powerpc, i586, m68k, sparc, armv4l, and armv5l.

For additional reading materials, visit the link below: 

Stratosphere IPS

A ransomware attack begins with an initial breach, often enabled by social engineering, a phishing email, malicious email attachment or vulnerabilities in the network perimeter. The malware will start to move through your network and attempt to maximize damage from its landing point. Typically, bad actors seek to seize control of a domain controller, compromise credentials and locate and encrypt any data backups in place to prevent operators from restoring infected and frozen services.

Seen in GGSN since the end of 2019, FaNeL cryptomining campaign seems to be operated by an individual hacker based in Romania. FaNeL compromises machines by breaching their SSH service, downloads various scripts to analyze the available resources (CPU, memory and disk space) and runs an XMRig cryptominer. FaNeL’s attack tools are made available to other attack groups and hacking amateurs – ASN prefixes, passwords lists and speed-testing scripts to name a few. Some of the attacks captured by Guardicore are tagged as ‘Human’, implying that the hacker is still testing and evaluating the attack flow and its efficiency.

FritzFrog is a unique, sophisticated P2P botnet, active since January 2020. Breaching SSH servers using brute force, the attackers deploy a complex worm malware written in Golang. A backdoor in the form of a public SSH key is added to the victim’s authorized_keys file. The malware immediately starts listening on port 1234, where it will receive commands from its network-peers. The FritzFrog malware works hard to eliminate competitors by killing CPU-demanding processes on the Linux system where it runs.

For additional reading, please visit the blog post here.

GhOul is a DDoS campaign seen in Guardicore’s sensors since June. However, it was observed even earlier, around February. GhOul spreads over SSH in order to infect Linux-based machines with DDoS malware. The malware is Mirai-based, compiled for various architectures and is similar to Helios and Hakai variants (see links below). Its list of C2 commands includes: “TCP, SYN, ACK, XMAS, STOMP, UDPREG, UDPHEX, UDPRAW, HTTPSTOPM, HTTP, VSE, STD, OVH, STOP, KILL”, all seem to be DDoS over various protocols using different payload formats. Most attacks captured by Guardicore’s sensors have originated from machines belonging to OVH, France. The command-and-control servers – 8 seen during the campaign’s active period – are machines based in Germany, France and Iran. The C2 communication is performed over port 3333, as is necessary for receiving the list of DDoS targets.

For additional reading materials, visit the links below:

Helios (Security Art Work) | Hakai variant (Stratosphere IPS)

The k8h3d attack campaign combines a Monero cryptominer and a worm module which exploits EternalBlue to gain lateral movement. Initially, the attacker breaches victim machines via MS-SQL. Then, the attacker creates a new user named “k8h3d” with password “k8d3j9SjfS7”, and changes the MS-SQL system admin password to a random string. After the backdoor user is created, it is used by the attacker to connect to the machine over SMB and drop multiple malicious scripts and binary files. These include a dropper, Trojan horse, Monero cryptominer and an EternalBlue worm, among others. Malicious payloads remain persistent by installing scheduled tasks and services (names include “Autocheck”, “Autoscan”, “Bluetooths”, “DnsScan”, “WebServers” and “Ddriver”). In addition, system information is sent to the attacker’s command-and-control servers, from which additional payloads can be downloaded and executed.

For additional reading materials, visit the link below:

BitDefender

An examination of a recently captured ARM binary revealed the adaptation of CVE-2021-44228 to infect and assist in the proliferation of malware used by the Mirai botnet. As mentioned in previous Akamai blogs, CVE-2021-44228 is an unauthenticated remote code execution (RCE) vulnerability in Log4j.

This vulnerability impacts multiple versions of Log4j and the applications that depend on it. These include Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and many others. As mentioned before, patching against this vulnerability is strongly encouraged, and Akamai has deployed rulesets to customers that will help mitigate attacks.

For additional reading, please visit the blog post here.

This is a pretty generic Monero-mining botnet campaign which infects victim machines over SSH. Once a server is compromised, a simple Bash script will download the cryptominer payload – a gzip compressed file. Unarchiving it results in a new folder, .ssh, with two files – the miner executable (named sshd and a JSON configuration. During its six-months lifetime (to date), this campaign has made its operators around $1200, as observed in the HashVault pool. 

The operators seem to have used a single wallet to aggregate their Monero coins: 454Bkqa8C2GXCA3mFaPu1P6z3zwTqZjaRc1bB1gWVjkmBLJDcVbbE3VH6e3eKY78ihZYhFH63poLQ5Uvs65ukhV291DqCmk. Attacks on Guardicore Global Sensors Network have oritinated from 6 different IPs, based both in the US and in Germany. The number of attack incidents went from ~20 per month to over 100 incidents in April.

Nansh0u is a China-based campaign which aimed to infect Windows MS-SQL and phpMyAdmin servers worldwide. Breached machines included over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.

This campaign, unlike many others, is not a cryptomining botnet. Here, the attackers compromise victim machines using MySQL brute force, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’, and says:

‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email (recvr19@protonmail.com) with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we don’t receive your payment in the next 10 Days, we will make your database public or use them otherwise.’

At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes, and their balance is 0.689 BTC, which are approximately $6250.

Smominru botnet and its different variants – Hexmen and Mykings – have been active since 2017. The attack compromises Windows machines using an EternalBlue exploit and brute-force on various services, including MS-SQL, RDP, Telnet and more. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer and propagates inside the network.

Uwush (or “Stokers”) is a Mirai-like botnet. The initial breach is done over SSH, then a bash script named “UwUsh” is downloaded and executed. The script downloads UPX-packed malware named “Stokers” built for different architectures and executes them all – hoping that one will successfully catch. The malware has various capabilities, the most prominent of which is – how not – DDoS over UDP, HTTP and TCP’s different packet types. The bot supports the two commands “KILLDROPPERS” and “KILLBINS” to eliminate competitors (or perhaps older versions of the malware). The malware names seen in Stokers’ strings are Ayedz, DEMONS, Execution, Fierce, Josho, Okami, Owari, Tsunami, apep, chiemi, fortnite, gemini, hoho, kowa, kratos, miori, mips.yakuza, mirai, miraint, shiro, sora, yakuza, and z3hir. Each one in the list has builds for various architectures, as typical for Mirai-like botnets. At the time of writing, all incidents downloaded the Uwush script from a machine with the prefix 89.42.133.0/24.

Vollgar is a long-running attack campaign which aims to infect Windows machines running MS-SQL servers. The campaign, dating back to May 2018, uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional RATs (Remote Access Tools) and cryptominers.

On August 17, 2017, multiple content delivery networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. The botnet is named for an anagram of one of the delimiter strings in its command and control protocol. The WireX botnet comprises primarily Android devices running malicious applications and is designed to create distributed denial-of-service (DDoS) traffic. The botnet is sometimes associated with ransom notes to targets.

For additional reading, please visit the blog post here.

Yart7 is a DDoS campaign targeting SSH servers. The botnet spreads by brute-forcing SSH servers. After a successful login, the attacker connects to the C&C server and downloads a malicious payload named 7rtya, one which suits the victim machines’s architecture.Once the malware is executed, the compromised machine starts sending DDoS packets to tens of thousands of IP addresses over the Telnet protocol (TCP port 23).Since the beginning of this campaign in early September 2020, only three source IPs have been seen, two of which are based in Austria.We named the campaign Yart7, which is an anagram of the malware filename.

This long-known attack flow dates back to as early as 2012. At its core, this is a dropper (downloader) of additional payloads, which receives its URL as a parameter. The initial breach is done over MySQL using brute-force. Once inside the database, the attacker creates a new table named yongger2 and writes the dropper’s binary payload to it. The payload is then saved to a file ‘cna12.dll’ and executed. One of the DLL’s exported functions -‘xpdl3’ – is used to drop additional payloads and create a backdoor user named piress. This technique has already been widely described. Recent publications imply that the dropper has been used to deliver the GandCrab ransomware.

For additional reading materials, visit the links below:

Malware Musings | Sophos