Dec 23 2022

KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks

Category: Botnet, DDoS | DISC @ 10:33 am

Researchers from Akamai have continued to study the cryptomining botnet KmsdBot and have examined its attack flow. KmsdBot is believed to be a distributed denial of service (DDoS) for-hire operation, given the wide range of companies and regions that were attacked.

“We have continued to analyze and play around with KmsdBot, including modifying the binary and pointing it at our own command and control (C2), which led to us watching the threat actor crash the botnet,” said Akamai researchers.

Among the major targets were luxury brands and security companies, as well as FiveM and RedM, the modification platforms for Grand Theft Auto V and Red Dead Redemption 2.

Asia, North America, and Europe represent the majority of the victims, according to observed IPs and domains.

Launch DDoS Attacks

While analyzing the attack traffic, the first noteworthy attack is the one referred to as “bigdata”, which makes 1 Mb POST requests to the designated port. The payload appears to be garbage even though the Content-Type header claims it is URL-encoded.

Researchers say this attack attempts to increase the amount of bandwidth needed to process each request by sending a large amount of data in the body of each request. This is one of the most frequently used functions of the botnet and a fairly basic technique that almost all DDoS campaigns employ.

The attacker can also abuse the TCP protocol’s three-way handshake with a SYN flood, creating half-open connections on several ports.

This makes it difficult for the target server to handle the volume of traffic and makes it much more difficult for it to discriminate between malicious and legitimate connection requests.

Rather than relying on the size of a single packet, the botnet also has standard HTTP(S) POST and traffic commands that blend in with normal traffic by closely resembling a legitimate packet in both size and format.

The basic goal of these HTTP-based attacks is to send out a large number of packets, which makes it difficult to distinguish them from legitimate traffic and block them while defending against an attack.

“After observing this traffic for some time, we can see that after hitting a certain specified packet size, it will start back at a smaller size and grow again, repeating this process over and over,” the researchers explain.
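One defender-side check that follows from the “bigdata” description above: a request that carries a form Content-Type but a body that is not valid URL-encoded data, especially a large one, is worth flagging. This is an added example, not Akamai’s code; the request record shape, the 512 KiB threshold and the sample traffic are assumptions constructed for the illustration.

```python
"""Flag KmsdBot-style "bigdata" POSTs: bodies that claim to be URL-encoded form
data but do not parse as such. Added example, not Akamai's code; the record
shape and the size threshold are assumptions made for this illustration."""
import re
from urllib.parse import parse_qs

# Characters a well-formed application/x-www-form-urlencoded body may contain.
_FORM_BODY = re.compile(rb"^[A-Za-z0-9\-._~%+=&!$'()*,;:@/?]*\Z")
LARGE_BODY = 512 * 1024  # assumed threshold; the observed attack bodies were ~1 MB

def is_urlencoded_like(body: bytes) -> bool:
    """True if the body could be a real form post: allowed charset only and
    every field is a key=value pair (strict parsing)."""
    if not _FORM_BODY.match(body):
        return False
    try:
        parse_qs(body.decode("ascii"), strict_parsing=True)
    except ValueError:
        return False
    return True

def classify_request(req: dict) -> str:
    """Return 'bigdata-flood', 'suspicious' or 'ok' for one request record
    (assumed shape: method, content_type, body)."""
    ctype = req.get("content_type", "").lower()
    body = req.get("body", b"")
    if req.get("method") != "POST" or "x-www-form-urlencoded" not in ctype or not body:
        return "ok"  # not a form post at all, or an empty one; nothing to judge
    garbage = not is_urlencoded_like(body)
    if garbage and len(body) >= LARGE_BODY:
        return "bigdata-flood"  # large AND garbage: the pattern described above
    return "suspicious" if garbage else "ok"

def scan(requests: list) -> list:
    """Label every record; feed 'bigdata-flood' hits into rate-limit/block rules."""
    return [classify_request(r) for r in requests]

# Constructed sample traffic: a real login form, a small malformed body, a
# ~1 MiB non-URL-encoded body like the observed attack, and a JSON API call.
SAMPLE_REQUESTS = [
    {"method": "POST", "content_type": "application/x-www-form-urlencoded",
     "body": b"user=alice&action=login&token=abc%20def"},
    {"method": "POST", "content_type": "application/x-www-form-urlencoded",
     "body": b"\x89PNG\r\n\x1a\n"},
    {"method": "POST", "content_type": "application/x-www-form-urlencoded",
     "body": bytes(range(256)) * 4096},
    {"method": "POST", "content_type": "application/json", "body": b'{"a":1}'},
]
```

Running `scan(SAMPLE_REQUESTS)` labels the four records ok, suspicious, bigdata-flood and ok; in practice the flood label would be combined with a per-source rate counter before blocking.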

Targets Gaming, Luxury Brands, and Even Security Companies

The platforms FiveM and RedM, which are used to host modified “Grand Theft Auto V” and “Red Dead Redemption 2” servers, let server owners create new rules and add elements to the server that were not in the standalone game.

“A large concentration of targets was located in Asia, North America, and Europe based on the observed IPs and domains,” said Akamai.

KmsdBot was intriguing for a few notable reasons: it was written in Go, it had cryptomining functionality, and it had seemingly erratic targets.

Akamai researchers noted that KmsdBot follows some general trends, particularly in its choice of language: malicious code is increasingly being written in a variety of languages, including Go and even compiled Python.

KmsdBot DDoS Botnet

Tags: KmsdBot Botnet

Apr 26 2021

Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet

Category: Botnet | DISC @ 1:52 pm

European law enforcement has conducted an operation aimed at performing a mass-sanitization of computers infected with the infamous Emotet Windows malware.

European law enforcement agencies automatically wiped the infamous Emotet malware from infected systems across the world as part of a mass sanitization operation.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time, investigators took control of its infrastructure in an internationally coordinated action.

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure.

The authorities started pushing out a 32-bit payload named “EmotetLoader.dll” to clean up the infected systems; the process was set to trigger automatically on April 25, 2021, as confirmed by researchers at Malwarebytes.

Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet

Tags: Emotet

Mar 02 2021

Proliferation of sneakerbots across industries

Category: Botnet | DISC @ 11:36 pm

A sneakerbot by any other name

What we are observing now is the increasing proliferation of sneakerbots across all industries. As it currently stands, more than 30% of all internet traffic is generated by unwanted bots, a number which will exceed 50% within the next few years. The rapid digital transformation brought about over the past several years has acted as a catalyst for this substantial growth in synthetic traffic.

Whether they are large, organized groups or DIYers, bot operators leverage automation because it’s cheap, easy to use, generates large amounts of profit, and makes success at scale viable.

Here are some recent examples of sneakerbots being used in different industries:

Proliferation of sneakerbots across industries

Tags: sneakerbots

Feb 26 2021

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Microsoft announced the release of the open-source CodeQL queries that its experts used during the investigation into the SolarWinds supply-chain attack.

In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The four agencies were part of the Cyber Unified Coordination Group (UCG), a task force charged with coordinating the investigation and remediation of the SolarWinds hack, which had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to the security experts, Russia-linked threat actors hacked into SolarWinds in 2019 and used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was itself hit by the attack, published continuous updates on its investigation and has now released the source code of the CodeQL queries its experts used to identify indicators of compromise (IoCs) associated with Solorigate.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Tags: CodeQL, Solorigate compromise

Feb 19 2021

Windows and Linux servers targeted by new WatchDog botnet for almost two years

Category: Botnet, Linux Security, Windows Security | DISC @ 4:09 pm

Due to the recent rise in cryptocurrency trading prices, most online systems these days are under constant assault from crypto-mining botnets seeking to gain a foothold on unsecured systems and turn a profit for their criminal overlords.

The latest of these threats is a botnet named WatchDog. Discovered by Unit 42, a threat intelligence division at Palo Alto Networks, this crypto-mining botnet has been active since January 2019.

Written in the Go programming language, researchers say they’ve seen WatchDog infect both Windows and Linux systems.

The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits targeting 32 vulnerabilities in software such as:

Windows and Linux servers targeted by new WatchDog botnet for almost two years

Feb 01 2021

Emotet takedown – Europol attacks “world’s most dangerous malware”

Category: Botnet, Malware | DISC @ 11:39 pm

Jan 28 2021

Police Have Disrupted the Emotet Botnet

Category: Botnet | DISC @ 12:54 pm

Jan 27 2021

Law enforcement announced global action against NetWalker Ransomware

Category: Botnet, Information Security, Ransomware | DISC @ 5:43 pm

A joint operation of U.S. and EU law enforcement authorities allowed the seizure of the leak sites used by NetWalker ransomware operators.

Law enforcement authorities in the U.S. and Europe have seized the dark web sites used by NetWalker ransomware operators. The authorities also charged a Canadian national involved in the NetWalker ransomware operations.

“The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ.

“NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities. Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims.”

The group has been active since 2019, and the NetWalker ransomware has been offered under the Ransomware-as-a-Service (RaaS) model.

The list of the group’s victims is long; it includes Pakistan’s largest private power company K-Electric, Argentina’s official immigration agency Dirección Nacional de Migraciones, and the University of California San Francisco (UCSF), which paid a $1.14 million ransom to recover its files.

Jan 27 2021

Europol-led op knocks 700 servers offline

Category: Botnet | DISC @ 10:54 am

Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in Ukraine.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.

Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.

“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”

Source: Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

Jan 19 2021

FreakOut botnet target 3 recent flaws to compromise Linux devices

Category: Botnet | DISC @ 10:26 am

The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aimed at compromising the targeted systems to build an IRC botnet, which can later be used for several malicious activities, including DDoS attacks and crypto-mining campaigns.

The attacks observed by Check Point targeted devices running one of the following products:

  • TerraMaster TOS (TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework – a collection of packages used in building web applications and services with PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant to the development of portals and websites

Once a device is infected, it is later used as an attack platform.

Oct 26 2020

Botnet Infects Hundreds of Thousands of Websites

Category: Botnet | DISC @ 9:02 pm

KashmirBlack has been targeting popular content management systems, such as WordPress, Joomla, and Drupal, and using Dropbox and GitHub for communication to hide its presence.

The botnet, dubbed KashmirBlack, uses a modular infrastructure with features such as load-balanced communication with command-and-control servers and file storage on cloud services such as Dropbox and GitHub, which speeds up delivery of new code updates to infected systems. KashmirBlack mainly infects popular CMS platforms, exploiting dozens of known vulnerabilities on targeted servers and performing millions of attacks per day on average, according to a pair of reports published by Imperva researchers today.

Source: Botnet Infects Hundreds of Thousands of Websites

CyberHub Podcast – Practitioner Brief 10-26-20 Emotet upgrades, Kashmirblack & ransomware surge

Oct 12 2020

Microsoft and others orchestrate takedown of TrickBot botnet

Category: Botnet | DISC @ 9:41 pm

FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, Symantec, and the Microsoft Defender team participated in the takedown.

Source: Microsoft and others orchestrate takedown of TrickBot botnet | ZDNet

Microsoft takes action against Trickbot ransomware attacks

Tags: botnet, TrickBot

Mar 01 2019

What is a botnet? And why they aren’t going away anytime soon

Category: Botnet | DISC @ 11:23 am

A botnet is a collection of any type of internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

Source: What is a botnet? And why they aren’t going away anytime soon
