Tag Archives: botnet

New botnet Horabot targets Latin America

A new botnet malware dubbed Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020.

Cisco Talos researchers observed threat actors deploying a previously unidentified botnet, dubbed Horabot, that targets Spanish-speaking users in the Americas. The botnet is used to deliver a banking trojan and a spam tool to the infected systems; Horabot has been active since at least November 2020.

The bot allows operators to control the victim’s Outlook mailbox, steal contacts’ email addresses, and send phishing emails with malicious HTML attachments. The banking trojan deployed as part of the campaign can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. The malware also allows bypassing 2FA by stealing one-time security codes and can steal soft tokens from the victim’s online banking applications.

The spam tool allows the operators to compromise Gmail, Outlook, and Yahoo! webmail accounts to send out spam emails.

Most of the victims are in Mexico; limited infections were reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. Based on Talos analysis, the threat actors behind the campaign may be located in Brazil.

The attack chain commences with a tax-themed phishing email written in Spanish, posing as a tax receipt notification. The message is written to trick users into opening the attached malicious HTML file.

“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance.” reads the analysis published by Talos. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”

When the contents of the RAR file are opened, a PowerShell downloader script is executed. The script retrieves a ZIP file containing the main payloads from a remote server, then reboots the victim’s machine.

The banking Trojan and the spam tool are executed after restarting the system.

The banking trojan employed in this campaign is a 32-bit Windows DLL written in the Delphi programming language; the researchers noticed overlaps with other Brazilian trojans such as Mekotio and Casbaneiro.

“In analyzing the phishing emails used in the campaign, Talos identified that users in organizations across several business verticals — including accounting, construction and engineering, wholesale distributing and investment firms — have been affected. However, the attacker uses Horabot and the spam tool in this campaign to further propagate the attack by sending additional phishing emails to the victim’s contacts, meaning Spanish-speaking users from organizations in additional verticals are likely also affected.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

Dark Frost Botnet targets the gaming sector with powerful DDoS

Researchers spotted a new botnet dubbed Dark Frost that is used to launch distributed denial-of-service (DDoS) attacks against the gaming industry.

Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks.

The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.

The Dark Frost botnet was used to target gaming companies, game server hosting providers, online streamers, and even other members of the gaming community who the threat actor interacted with directly.

The researchers first captured a Dark Frost binary sample on February 28, 2023, when it targeted one of their HTTP honeypots. The threat actors were attempting to exploit a remote code execution (RCE) flaw in misconfigured Hadoop YARN servers. The experts highlight that the vulnerability exploited in the attacks has existed since 2014.

According to a screenshot taken by the malware author, the botnet was composed of at least 414 machines as of February 2023. Most of the infected machines are based on ARMv4 architectures, specifically MIPSEL and x86.

The botnet operators compiled the bot code specifically for ARMv4 and ARMv7; ARMv4 is compatible with ARMv5 and ARMv6, so the malware can also target the modern ARMv7 architecture.

The analysis of the bot revealed that the malware supports eight attack types in total, including UDP and TCP floods and more unusual ones such as zgoflood.

Akamai researchers estimated that the botnet can launch DDoS attacks of approximately 629.28 Gbps through a UDP flood attack.

“To continue the benchmark correctly, we had to start launching these attacks at the loopback to avoid fragmentation and listen on the loopback interface to re-measure (Table 2).” reads the analysis published by Akamai.

Packet size   Packets captured   Total size   Output
1,024         1,659,840          1.4G         1.12 Gbps
2,048         1,445,158          1.9G         1.52 Gbps
4,096         828,681            1.9G         1.52 Gbps
8,192         432,884            1.8G         1.44 Gbps

“As you can see, the optimal size for maximum output becomes 2,048. After this point, the number of packets getting sent drops significantly. This is likely due to the fact that the UDP packets are getting padded with “U” characters to make it the desired length, and this operation likely slows things down at larger sizes. With 1.52 Gbps as our new single node benchmark, we can multiply this by the number of nodes in the botnet as of February 2023 (414) to come out with 629.28 Gbps.”

The threat actors behind this botnet have been active since at least May 2022 and have published live recordings of their attacks to demonstrate the capabilities of the botnet.

The attackers set up a website to track requests and a Discord channel to manage their DDoS-for-hire service.

“The reach that these threat actors can have is staggering despite the lack of novelty in their techniques. Although not the most advanced or mind-bending adversary, the Dark Frost botnet has still managed to accumulate hundreds of compromised devices to do its bidding.” concludes the report.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform


The latest variant of the RapperBot botnet adds cryptojacking capabilities

FortiGuard Labs Researchers spotted new samples of the RapperBot botnet that support cryptojacking capabilities.

FortiGuard Labs researchers have discovered new samples of the RapperBot bot that added cryptojacking capabilities.

Researchers from FortiGuard Labs first discovered the previously undetected RapperBot IoT botnet in August and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet, as implemented in Mirai.

In November, Fortinet researchers discovered new samples of RapperBot used to build a botnet to launch distributed denial-of-service (DDoS) attacks against game servers.

Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants.

Earlier samples of the malware had the credential list used for brute forcing hardcoded into the binary, but from July the samples started retrieving the list from the C2 server.

Since mid-July, RapperBot has used self-propagation to maintain remote access to the brute-forced SSH servers. The bot runs a shell command to replace the remote victims’ ~/.ssh/authorized_keys with one containing the threat actors’ SSH public key with the comment “helloworld”.

Once the public key is stored in ~/.ssh/authorized_keys, anyone with the corresponding private key can authenticate to the SSH server without supplying a password.
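A defender-side check for the persistence trick described above: parse ~/.ssh/authorized_keys, fingerprint every key, flag keys that are not on an approved list or that carry the “helloworld” comment, and report approved keys that have disappeared (the file was replaced, not appended to). This is an added example, not Fortinet’s or RapperBot’s code; the key blobs, the allowlist and the two file contents are constructed here and are not real keys.

```python
import base64
import hashlib
import re

# Key-type tokens we expect in authorized_keys; the parser anchors on one of these because the
# optional options field (from=, command=, ...) precedes the key and may contain spaces.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                    r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: options, type, fingerprint, comment (or an error marker)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        entries.append({
            "line": lineno,
            "options": line[:m.start()].strip(),
            "type": m.group(1),
            "fingerprint": fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip(),
        })
    return entries


def audit_authorized_keys(text, allowed_fingerprints, suspicious_comments=("helloworld",)):
    """Return (findings, missing): findings are (line, reason) pairs for keys that should not be
    present; missing lists approved fingerprints no longer in the file, a sign it was replaced."""
    findings = []
    present = set()
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], e["error"]))
            continue
        if e["fingerprint"] is None:
            findings.append((e["line"], "invalid base64 key blob"))
            continue
        present.add(e["fingerprint"])
        if e["fingerprint"] not in allowed_fingerprints:
            findings.append((e["line"], "key not in allowlist"))
        if e["comment"] in suspicious_comments:
            findings.append((e["line"], f"suspicious comment {e['comment']!r}"))
    missing = sorted(set(allowed_fingerprints) - present)
    return findings, missing


def _fake_ed25519_blob(seed):
    """Constructed blob in OpenSSH wire layout (type string + 32 'public key' bytes); NOT a real key."""
    pub = hashlib.sha256(seed).digest()
    wire = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + pub
    return base64.b64encode(wire).decode()


ADMIN_BLOB = _fake_ed25519_blob(b"admin")   # constructed: the legitimate administrator key
ACTOR_BLOB = _fake_ed25519_blob(b"actor")   # constructed: stands in for the bot operator's key
ALLOWED = {fingerprint(ADMIN_BLOB)}         # the defender's approved-key fingerprints

# Constructed file contents: before, and after the file has been overwritten with a single key.
CLEAN_FILE = f'from="10.0.0.0/8",no-pty ssh-ed25519 {ADMIN_BLOB} admin@bastion\n'
REPLACED_FILE = f"ssh-ed25519 {ACTOR_BLOB} helloworld\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_FILE), ("replaced", REPLACED_FILE)):
        print(name, audit_authorized_keys(text, ALLOWED))
```

On a real host the same audit runs over every user's authorized_keys (and any AuthorizedKeysFile paths set in sshd_config), with the allowlist maintained out of band.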

The most significant difference between the July and November campaigns was the complete replacement of the code that carries out SSH brute force attacks with the more usual Telnet equivalent.

In the latest campaign, the authors of the bot added support for cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero miner alongside the usual RapperBot binary, but starting from January 2023, they included the mining capabilities in the bot itself.

The latest campaign uses the same SSH public key observed during the first campaign in June 2022.

The researchers pointed out that there are some key differences between the bot versions employed in the campaign, including several significant updates to the malware functionality, such as the C2 communication protocol.

One cluster of ARM samples, tracked as Cluster A, supports a minimal set of functionalities: only three DoS attack types, and no SSH brute forcing or self-propagation abilities. These samples include new code for information gathering and data exfiltration.

Another cluster of ARM samples (Cluster B) includes Cluster A’s features plus the SSH brute-forcer employed in the June 2022 campaign.

Once executed, RapperBot connects to a hardcoded C2 server and sends a registration request that contains system information.

Then it sends keep-alive requests to the C2 while awaiting commands. The bot sends a request at random intervals of 60 to 600 seconds.

“To evade detection, the binary network protocol used to send these requests has been completely revised. Like its string encoding, it uses a two-layer approach to encode the information sent to the C2 server.” reads the report published by Fortinet. “The header data must first be decoded to reveal the location of the encoded information and the key needed to decode it.”

The miner code uses a hardcoded configuration built into the binary itself. The malware decodes the mining pools and Monero wallet addresses and updates the configuration before starting the embedded miner.

The miner uses multiple mining pools for both redundancy and additional privacy. Two mining pools are mining proxies hosted on the RapperBot C2 IP itself.

“This allows the threat actor to omit both the wallet addresses and actual mining pools from the miner configuration. Additionally, they can change this information on the proxy server without rebuilding and deploying new bots.” continues the report.

The bot kills off other miners by enumerating the running processes and checking for the presence of the associated binaries on disk, searching for a set of keywords (i.e. xmrig, .rsync, miner, dota., moner). Then the malware terminates these processes and deletes the corresponding files.

“RapperBot continues to be a dangerous threat due to its continual updates to evade detection, as highlighted above.” concludes the report that includes indicators of compromise (IoCs). “As its primary infection vector of compromising SSH services using weak or default passwords remains the same, mitigating it by enabling public key authentication or setting strong passwords for all devices connected to the internet is still effective in mitigating this threat.”


Fortinet warns of a spike of the activity linked to AndoryuBot DDoS botnet

A DDoS botnet dubbed AndoryuBot has been observed exploiting an RCE, tracked as CVE-2023-25717, in Ruckus access points.

FortiGuard Labs researchers have recently observed a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code execution vulnerability tracked as CVE-2023-25717. The activity is associated with a known DDoS botnet tracked as AndoryuBot that first appeared in February 2023. The bot supports multiple DDoS attack techniques and uses SOCKS5 proxies for C2 communications.

The issue affects Ruckus Wireless Admin version 10.4 and earlier, used by multiple Ruckus wireless Access Point (AP) devices. A remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code and take complete control of a vulnerable device.

Fortinet researchers also reported that Proof-of-Concept (PoC) code for this vulnerability is publicly available and urged owners to install the patch as soon as possible.

Once a device is compromised, AndoryuBot downloads a script from the URL http[:]//163[.]123[.]142[.]146 for further propagation.

“Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands.” states the report published by Fortinet. “Users should be aware of this new threat and actively apply patches on affected devices as soon as they become available.”

The variant analyzed by the researchers targets multiple architectures, including arm, m68k, mips, mpsl, sh4, spc, and x86.

Once the communication channel has been set up, the client waits for a command from the C2 server to launch a DDoS attack. AndoryuBot supports 12 DDoS attack methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.

Once the bot receives the attack command, it starts a DDoS attack on a specific IP address and port number.

The botnet is advertised on a Telegram channel that lists the prices for DDoS attacks.

Fortinet published indicators of compromise (IoCs) for recent attacks associated with the botnet.


Moobot botnet spreads by targeting Cacti and RealTek flaws

The Moobot botnet is actively exploiting critical vulnerabilities in Cacti and Realtek in attacks in the wild.

FortiGuard Labs researchers observed an ongoing hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses the IRC protocol for C2 communications. ShellBot performs SSH brute-force attacks on servers that have port 22 open, using a dictionary containing a list of known SSH credentials.

The Mirai-based Moobot botnet was first documented by Palo Alto Networks Unit 42 researchers in February 2021; in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the web server of several Hikvision products. Since September 2022, the Moobot botnet has been spotted targeting vulnerable D-Link routers.

The CVE-2021-35394 flaw is an arbitrary command injection vulnerability that affects the Realtek UDPServer, due to insufficient legality detection on commands received from clients.

The CVE-2022-46169 flaw is a command injection vulnerability that can be exploited by an unauthenticated user to execute arbitrary code on a server running Cacti. The vulnerability resides in the “remote_agent.php” file, which can be accessed by an unauthenticated user.

“The script file to further download Moobot is shown below. It executes the Moobot with the parameter realtek.<Filename>.” reads the report published by FortiGuard Labs. “Like most Mirai variants, it has an encrypted data section with a botnet configuration.”

Figure 5: Script file for downloading Moobot

Experts also observed attacks carried out by the ShellBot botnet since January that primarily targeted the Cacti vulnerability. The researchers identified three ShellBot variants, tracked as PowerBots (C) GohacK, LiGhT’s Modded perlbot v2, and B0tchZ 0.2a.

All three variants can launch distributed denial-of-service (DDoS) attacks; PowerBots (C) GohacK and B0tchZ 0.2a also support backdoor capabilities.

“Over the past few months, threat actors have been spreading ShellBot and Moobot malware on exploitable servers. Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server. Because Moobot can kill other botnet processes and also deploy brute force attacks, administrators should use strong passwords and change them periodically. Moreover, some of the ShellBot variants can install other malware from their C2 server.” concludes the report. “The vulnerabilities mentioned above have a critical security impact that can lead to remote code execution. Therefore, it is highly recommended that patches and updates be applied as soon as possible.”


HinataBot, a new Go-Based DDoS botnet in the threat landscape

A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities.

Akamai researchers spotted a new DDoS Golang-based botnet, dubbed HinataBot, which has been observed exploiting known flaws to compromise routers and servers.

The experts reported that the HinataBot bot has been distributed since the beginning of 2023 and that its operators are actively updating it.

The name “Hinata” is taken from a character in the popular anime series Naruto.

Akamai’s SIRT recently discovered the new bot within HTTP and SSH honeypots; it stood out due to its large size and the lack of specific identification around its newer hashes.

The sample captured by the experts abuses old vulnerabilities and weak credentials; the researchers reported that it attempts to exploit flaws in the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).

HinataBot supports multiple methods of communication, including both dialing out and listening for incoming connections. The botnet can launch distributed denial-of-service (DDoS) flooding attacks that rely on protocols such as HTTP, UDP, TCP, and ICMP to send traffic. However, the latest version of HinataBot only supports HTTP and UDP attacks.

Akamai said that by reverse engineering the bot and imitating the command and control (C2) server, it was able to test the offensive capabilities of the botnet by running two attack methods (HTTP and UDP) over a 10-second period.

“The http_flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The request sizes ranged from 484 to 589 bytes per request, with sizes varying mostly due to randomization of User-Agent and Cookie header data.” reads the report published by Akamai. “The udp_flood generated 6,733 packets for a total of 421 MB of packet capture data over the wire. There isn’t much else that’s interesting about this attack: it is volumetric in nature and seems to do a decent job of pushing volume.”

Test results show that a botnet composed of just 1,000 nodes can carry out a UDP flood that would weigh in at around 336 Gbps. A botnet of 10,000 nodes (which is roughly 6.9% of the size of Mirai at its peak) can generate a UDP flood that would weigh in at more than 3.3 Tbps. The HTTP flood at 1,000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps, while with 10,000 nodes, those numbers jump to 27 Gbps delivering 20.4 Mrps.
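Both the Dark Frost write-up (single-node benchmark table, 414 nodes) and the HinataBot test above arrive at their headline figures the same way: measure one node over a fixed window, pick the best-performing configuration, and scale linearly by the estimated node count. The following added example (not Akamai’s code) carries that reasoning through with the numbers quoted in the two reports, assuming the articles’ “MB” means 10^6 bytes.

```python
from dataclasses import dataclass

# Dark Frost single-node UDP benchmark from Akamai's table:
# packet size (bytes) -> (packets captured, measured output in Gbps)
DARK_FROST_TABLE = {
    1024: (1_659_840, 1.12),
    2048: (1_445_158, 1.52),
    4096: (828_681, 1.52),
    8192: (432_884, 1.44),
}
DARK_FROST_NODES = 414  # bots visible in the operator's screenshot, February 2023


@dataclass
class NodeCapture:
    """One node's flood, measured over a fixed window (the HinataBot tests ran for 10 seconds)."""
    seconds: float
    bytes_on_wire: int
    requests: int = 0

    def gbps(self):
        return self.bytes_on_wire * 8 / self.seconds / 1e9

    def mrps(self):
        return self.requests / self.seconds / 1e6


# HinataBot captures from Akamai's test; "MB" is taken as 10^6 bytes (assumption).
HINATA_UDP = NodeCapture(seconds=10, bytes_on_wire=421_000_000)
HINATA_HTTP = NodeCapture(seconds=10, bytes_on_wire=3_400_000, requests=20_430)


def best_packet_size(table):
    """Smallest packet size that reaches the peak measured output. Akamai's reasoning: beyond
    that size the packet rate collapses (padding cost) without any gain in throughput."""
    peak = max(gbps for _, gbps in table.values())
    return min(size for size, (_, gbps) in table.items() if gbps == peak)


def extrapolate(per_node_value, nodes):
    """Linear scale-up: the reports multiply one node's rate by the estimated node count."""
    return per_node_value * nodes


def dark_frost_estimate():
    """Return (optimal packet size, projected botnet Gbps) from the table above."""
    size = best_packet_size(DARK_FROST_TABLE)
    return size, extrapolate(DARK_FROST_TABLE[size][1], DARK_FROST_NODES)


def hinata_estimate(nodes):
    """Projected UDP Gbps, HTTP Gbps and HTTP million-requests-per-second for `nodes` bots."""
    return {
        "udp_gbps": extrapolate(HINATA_UDP.gbps(), nodes),
        "http_gbps": extrapolate(HINATA_HTTP.gbps(), nodes),
        "http_mrps": extrapolate(HINATA_HTTP.mrps(), nodes),
    }


if __name__ == "__main__":
    size, gbps = dark_frost_estimate()
    print(f"Dark Frost: {size}-byte packets, {gbps:.2f} Gbps across {DARK_FROST_NODES} nodes")
    for n in (1_000, 10_000):
        est = hinata_estimate(n)
        print(f"HinataBot {n} nodes: UDP {est['udp_gbps']:.1f} Gbps, "
              f"HTTP {est['http_gbps']:.2f} Gbps / {est['http_mrps']:.3f} Mrps")
```

The linear scale-up is an upper bound: it ignores upstream link limits of the infected devices and any rate limiting between them and the target, which is why such estimates should be read as capacity, not as observed attack size.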

HinataBot is the latest addition to the ever-growing list of emerging Go-based bots, after GoBruteforcer and KmsdBot.

“The HinataBot family relies on old vulnerabilities and brute forcing weak passwords for distribution. This is yet another example of why strong password and patching policies are more critical than ever.” concludes Akamai, which also provided Indicators of Compromise and YARA rules for this threat.


Golang-Based Botnet GoBruteforcer targets web servers

A recently discovered Golang-based botnet, dubbed GoBruteforcer, is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services.

Researchers from Palo Alto Networks Unit 42 recently discovered a Golang-based botnet, tracked as GoBruteforcer, which is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services.

In order to compromise a target system, the samples require special conditions on it, such as the use of specific arguments and the targeted services already being installed (with weak passwords).

GoBruteforcer targets all IP addresses within a chosen Classless Inter-Domain Routing (CIDR) block, then attempts to compromise the identified servers with brute force attacks. The botnet uses a multiscan module to scan for hosts inside the CIDR block for its attack.

Once the multi-scan module has identified open ports for targeted services, it performs a brute-force attack against the server using a set of credentials.

The botnet targets x86, x64 and ARM processor architectures; experts noticed that it relies on an Internet Relay Chat (IRC) bot on the victim server to communicate with the attacker’s server.

“Once a host is found, GoBruteforcer tries to get access to the server via brute force. After achieving access, GoBruteforcer deploys an IRC bot containing the attacker’s URL.” reads the analysis published by Palo Alto Networks. “Later, GoBruteforcer also tries to query the victim system using a PHP web shell.”

Unit 42 has yet to determine the initial infection vector of the GoBruteforcer and PHP web shell campaign.

The researchers believe that the botnet is in active development; the bot samples analyzed by Palo Alto Networks are packed with the UPX packer.

The experts reported that the bot scans for any open port 80 to target phpMyAdmin services. For MySQL and Postgres services, the malware scans for open ports 3306 and 5432, then pings the host’s database with a certain username and password. When targeting FTP services, the malware checks for open port 21, and then attempts to authenticate using the Goftp library, which is an FTP client package for Golang.
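The two-phase behaviour described above (a multiscan sweep of a CIDR block on ports 21, 80, 3306 and 5432, followed by repeated login attempts against the hosts found) leaves a recognisable trace in perimeter and authentication logs. The detection logic below is an added example, not Unit 42’s code: it uses a constructed key=value log format and constructed sample lines, and flags a source that touches many hosts of one /24 on the targeted ports, then a source that repeatedly fails to authenticate to one service.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the article names: FTP (21), phpMyAdmin over HTTP (80), MySQL (3306), Postgres (5432)
TARGET_PORTS = {21, 80, 3306, 5432}

# Constructed key=value line format (not a real product's format), e.g. a normalised export of
# firewall connection events and service authentication failures.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) event=(?P<event>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect_cidr_sweeps(lines, min_hosts=8, prefix=24):
    """Multiscan phase: return {src: {network: host_count}} for sources that connected to at
    least min_hosts distinct hosts inside one /prefix block on the targeted ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "connect" or rec["dport"] not in TARGET_PORTS:
            continue
        net = ipaddress.ip_network(f"{rec['dst']}/{prefix}", strict=False)
        seen[rec["src"]][str(net)].add(rec["dst"])
    hits = {}
    for src, nets in seen.items():
        wide = {net: len(hosts) for net, hosts in nets.items() if len(hosts) >= min_hosts}
        if wide:
            hits[src] = wide
    return hits


def detect_bruteforce(lines, min_failures=5):
    """Brute-force phase: return {(src, dst, dport): failures} where one source failed to
    authenticate against one targeted service at least min_failures times."""
    fails = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "auth_fail" and rec["dport"] in TARGET_PORTS:
            fails[(rec["src"], rec["dst"], rec["dport"])] += 1
    return {key: n for key, n in fails.items() if n >= min_failures}


def build_sample_log():
    """Constructed sample: 198.51.100.9 sweeps 192.0.2.0/24 on 3306, then hammers 192.0.2.15
    with failed MySQL logins; 203.0.113.4 is ordinary traffic with a single typo'd password."""
    lines = []
    for host in range(1, 13):
        lines.append(f"2023-03-10T12:00:{host:02d}Z src=198.51.100.9 dst=192.0.2.{host} "
                     f"dport=3306 event=connect")
    for i in range(6):
        lines.append(f"2023-03-10T12:01:{i:02d}Z src=198.51.100.9 dst=192.0.2.15 "
                     f"dport=3306 event=auth_fail")
    lines.append("2023-03-10T12:02:00Z src=203.0.113.4 dst=192.0.2.15 dport=3306 event=connect")
    lines.append("2023-03-10T12:02:01Z src=203.0.113.4 dst=192.0.2.15 dport=3306 event=auth_fail")
    lines.append("2023-03-10T12:02:02Z src=203.0.113.4 dst=192.0.2.15 dport=443 event=connect")
    lines.append("this line is not in the expected format and is skipped")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("CIDR sweeps:", detect_cidr_sweeps(log))
    print("brute force:", detect_bruteforce(log))
```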

“Malware like GoBruteforcer takes advantage of weak (or default) passwords.” Palo Alto Networks concludes. “The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network. GoBruteforcer also seems to be in active development, so attackers could change the techniques they use to target web servers in the near future.”


Prometei botnet evolves and infected +10,000 systems since November 2022

A new version of the Prometei botnet has infected more than 10,000 systems worldwide since November 2022, experts warn.

Cisco Talos researchers reported that the Prometei botnet has infected more than 10,000 systems worldwide since November 2022. The crypto-mining botnet has a modular structure and employs multiple techniques to infect systems and evade detection.

The Prometei botnet was first observed by Cisco Talos experts in July 2020. A deep investigation of artifacts uploaded to VirusTotal allowed the experts to determine that the botnet may have been active since at least May 2016. Experts pointed out that the malware has been constantly updated by its creators with new modules and features.

Now Talos confirms that the Prometei botnet continues to improve modules and exhibits new capabilities in recent updates.

“More specifically, the botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods.” reads the post published by Cisco Talos. “We assess with high confidence that v3 of the Prometei botnet is of medium size, with more than 10,000 infected systems worldwide, based on data obtained by sinkholing the DGA domains over a period of one week in February 2023.”

The latest version supports previously undocumented functionalities, such as an alternative C2 domain generation algorithm (DGA) and a self-updating mechanism. The new variant also bundles a version of the Apache web server with a web shell that is deployed onto victim hosts.

The experts also noticed that the only country excluded in the Tor configuration is Russia; the operators avoided exit nodes in other CIS countries.

The bot infected systems in 155 countries; most of the victims were observed in Brazil, Indonesia, and Turkey.

Russia only accounted for 0.31 percent of all infected systems, supporting the Talos assessment of the bot’s targeting being influenced by the Russia-Ukraine conflict based on its Tor configuration.

The attack chain commences by executing a PowerShell command that downloads the bot from a remote server. Then the main module retrieves the actual crypto-mining payload and other modules; it also establishes persistence on the infected systems and ensures C2 communications.

“A firewall rule named “Secure Socket Tunneling Protocol (HTTP)” is executed through the “netsh” command to add “C:\Windows\sqhost.exe” to the allowed programs list.” reads the report published by Talos. “Persistence is obtained by creating an automated system service named “UPlugPlay,” which executes sqhost.exe with the argument “Dcomsvc”. The original downloaded file is then renamed from “zsvc.exe” to “sqhost.exe.””

Some of the additional components that can be downloaded from the main module allow the bot to propagate through Server Message Block (SMB), Remote Desktop Protocol (RDP), and Secure Shell (SSH).

“Talos identified new Prometei TTPs that expand the botnet’s capabilities and, at the time of writing, have yet to be highlighted in open-source reporting.” concludes the report. “This recent addition of new capabilities aligns with threat researchers’ previous assertions that the Prometei operators are continuously updating the botnet and adding functionality.”


The number of devices infected by the MyloBot botnet is rapidly increasing

Researchers warn that the MyloBot botnet is rapidly spreading and infecting thousands of systems worldwide.

The MyloBot botnet has been active since 2017 and was first detailed by cybersecurity firm Deep Instinct in 2018. MyloBot is a highly evasive Windows botnet that supports advanced anti-analysis techniques.

The first sample of the bot analyzed by the experts (dated October 20, 2017) had three different stages.

In November 2018, BitSight researchers started sinkholing the botnet. In 2018, the botnet’s proxy sample contained a lot of hardcoded DGA domains, allowing the researchers to track almost any bot. The researchers discovered that the botnet reached a maximum of 250,000 unique daily infected machines at the beginning of 2020.

The latest version of the botnet, which appeared in early 2022, doesn’t contain hardcoded DGA domains; for this reason, the experts were not able to obtain a complete estimate of the number of infected systems.

The experts then started monitoring the Mylobot downloader’s domains to observe the botnet’s evolution. They also noticed a link between Mylobot and the residential proxy service BHProxies, which indicates that the compromised machines are being used by the latter.

Researchers warn that the botnet is rapidly growing; they observed it infecting thousands of systems worldwide.

“We are currently seeing more than 50,000 unique infected systems every day, but we believe we are only seeing part of the full botnet, which may lead to more than 150,000 infected computers as advertised by BHProxies’ operators.” reads the report published by Bitsight.

Most of the infections were observed in India, followed by the US, Indonesia, and Iran.

Additional details, including indicators of compromise (IoCs), are reported in the analysis published by the experts.


Mirai V3G4 botnet exploits 13 flaws to target IoT devices

During the second half of 2022, a variant of the Mirai bot, tracked as V3G4, targeted IoT devices by exploiting more than a dozen flaws.

Palo Alto Networks Unit 42 researchers reported that a Mirai variant called V3G4 was attempting to exploit several flaws to infect IoT devices from July to December 2022.

The Unit 42 report lists the vulnerabilities exploited by V3G4.

The threat actors’ goal is to infect as many systems as possible to compose a botnet that can be used to conduct multiple attacks, including DDoS attacks.

The researchers have observed three different Mirai V3G4 campaigns likely operated by the same threat actor for the following reasons:

  • The hardcoded command and control (C2) domains among these three campaigns contain the same string (8xl9)
  • The malware shell script downloaders are almost identical between the three campaigns
  • The botnet client samples use the same XOR decryption key
  • The botnet client samples use the same “stop list” (a list of target processes that the botnet client searches for and terminates)
  • The botnet client samples use almost identical functions

The botnet exploited 13 vulnerabilities to achieve remote code execution on vulnerable devices. Upon successful exploitation, the malicious code executes the wget and curl utilities to download the Mirai bot from the attackers’ infrastructure and then execute it.

Upon execution, the bot prints xXxSlicexXxxVEGA. to the console. The experts noticed that V3G4 also supports a function that makes sure only one instance of the malware is executing on the compromised device. If a botnet process already exists, the botnet client will exit.

The botnet also attempts to terminate a list of processes, included in the hardcoded ‘stop list,’ by checking their names on the infected device.

Unlike most Mirai variants, the V3G4 variant uses different XOR encryption keys for string encryption.

The researchers also noticed that the bot samples from the three campaigns have minor differences. The original Mirai botnet sample spreads itself by brute-forcing weak telnet/SSH credentials, while other variants rely on brute-force attacks and embedded exploits to spread.

However, the bot samples discovered between September and December 2022 don’t contain the vulnerability exploitation and credential brute-force functions.

“The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS.” concludes the report. “Therefore, it is highly recommended that patches and updates are applied when possible.”
