ALERTS BOTNET
DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
27.10.24 | Prometei botnet activity | ALERTS | BOTNET | New Prometei botnet activity has been reported in the wild. The botnet has historically been used mostly for Monero cryptomining operations, but over time the attackers behind it have updated its capabilities to conduct more complex attacks, allowing full control over the infected machines as well as deployment of additional arbitrary payloads. Prometei distribution campaigns often leverage exploitation of previously disclosed RCP or SMB vulnerabilities, domain generation algorithm (DGA) mechanisms for C2 communication, and webshell deployments within the attack chain. |
27.10.24 | Gorilla Botnet: A new global threat based on Mirai code | ALERTS | BOTNET | Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. This botnet is a modified version of the Mirai source code and is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86. It boasts advanced DDoS attack methods and employs multiple techniques for persistence. |
31.8.24 | Corona Mirai variant distributed via vulnerability exploitation | ALERTS | BOTNET | A Mirai malware variant dubbed Corona has recently been distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities, including CVE-2017-17215 in Huawei routers and CVE-2014-8361 affecting Realtek. Once deployed, the botnet will attempt to connect to additional hosts via open Telnet ports. The dropped payload might be used by the attackers for a wide variety of DDoS attacks or for command execution on the affected devices. |
20.8.24 | New Gafgyt botnet variant observed in the wild | ALERTS | BOTNET | A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign that targets endpoints with weak SSH credentials and deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities, including system discovery, command execution, scanning for exposed SSH/Telnet access and brute-force attacks against the targeted systems. The second binary is an XMRig cryptominer used to mine the Monero cryptocurrency. |
8.7.24 | Zergeca: A new Golang botnet with advanced capabilities | ALERTS | BOTNET | A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation. |
8.6.24 | Apache RocketMQ targeted in Muhstik botnet campaign | ALERTS | BOTNET | A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. As part of the campaign, threat actors are deploying the Muhstik botnet, known for distributed denial-of-service (DDoS) attacks. Muhstik provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and for launching DDoS attacks. |
30.5.24 | CatDDoS: A rising threat across multiple sectors | ALERTS | BOTNET | A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. Multiple threat actors are employing various CatDDoS variants to target organizations across multiple sectors, including cloud vendors, communication providers, scientific and research entities, and educational institutions. The vulnerabilities exploited under CatDDoS affect numerous products and technologies, such as Jenkins servers, Apache ActiveMQ servers, Apache Log4j, Cisco Linksys, and NetGear routers, among others. |
15.5.24 | Phorpiex botnet distributes LockBit Black Ransomware via email campaign | ALERTS | BOTNET | A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. Phorpiex functions as a Malware-as-a-Service platform and has amassed a significant customer base among threat actors over more than a decade of operation. Since 2018, Phorpiex has been involved in activities such as data exfiltration and ransomware distribution. Despite attempts to disrupt its operations over the years, the botnet continues to persist. |
3.5.24 | Goldoon botnet | ALERTS | BOTNET | According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. This malware exploits an old D-Link vulnerability from 2015 (CVE-2015-2051) for its propagation. Goldoon can establish persistence on the affected device and execute commands received from C2 servers. The attackers might use this malware variant to gain control over the infected devices, collect system information and perform various forms of distributed denial-of-service (DDoS) attacks. |
26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | ALERTS | BOTNET | A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats. |