New Phorpiex Botnet Variant Steals Half a Million Dollars in Cryptocurrency
20.12.2021 BotNet Thehackernews
Cryptocurrency users in Ethiopia, Nigeria, India, Guatemala, and the Philippines are being targeted by a new variant of the Phorpiex botnet called Twizt that has resulted in the theft of virtual coins amounting to $500,000 over the past year.
Israeli security firm Check Point Research, which detailed the attacks, said the latest evolutionary version "enables the botnet to operate successfully without active [command-and-control] servers," adding it supports no less than 35 wallets associated with different blockchains, including Bitcoin, Ethereum, Dash, Dogecoin, Litecoin, Monero, Ripple, and Zilliqa, to facilitate crypto theft.
Phorpiex, otherwise known as Trik, is known for its sextortion spam and ransomware campaigns as well as cryptojacking, a scheme that leverages the targets' devices such as computers, smartphones, and servers to secretly mine cryptocurrency without their consent or knowledge.
It's also infamous for its use of a technique called cryptocurrency clipping, which involves stealing cryptocurrency in the process of a transaction by deploying malware that automatically substitutes the intended wallet address with the threat actor's wallet address. Check Point said it identified 60 unique Bitcoin wallets and 37 Ethereum wallets used by Phorpiex.
While the botnet operators shut down and put its source code for sale on a dark web cybercrime forum in August 2021, the command-and-control (C&C) servers resurfaced a mere two weeks later to distribute Twizt, a previously undiscovered payload that can deploy additional malware and function in peer-to-peer mode, thus eliminating the need for a centralized C&C server.
The clipping feature also comes with an added advantage in that, once deployed, it can work even in the absence of any C&C servers and siphon money from victims' wallets. "This means that each of the infected computers can act as a server and send commands to other bots in a chain," Check Point's Alexey Bukhteyev said in a report. "The emergence of such features suggests that the botnet may become even more stable and therefore, more dangerous."
Phorpiex-infected bots have been spotted in 96 countries, topped by Ethiopia, Nigeria, and India. The botnet is also estimated to have hijacked roughly 3,000 transactions with a total value of approximately 38 Bitcoin and 133 Ether. It's worth noting, however, that the botnet is designed to halt its execution should the infected system's locale be defaulted to Ukraine, suggesting that the botnet operators are from the East European nation.
"Malware with the functionality of a worm or a virus can continue to spread autonomously for a long time without any further involvement by its creators," Bukhteyev said. "In the past year, Phorpiex received a significant update that transformed it into a peer-to-peer botnet, allowing it to be managed without having a centralized infrastructure. The C&C servers can now change their IP addresses and issue commands, hiding among the botnet victims."
Attackers Behind Trickbot Expanding Malware Distribution Channels
15.10.21 BotNet Thehackernews
The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti.
The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force.
"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said.
Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while also standing out for its resilience, demonstrating the ability to maintain and update its toolset and infrastructure despite multiple efforts by law enforcement and industry groups to take it down. Besides TrickBot, the Wizard Spider group has been credited with the development of BazarLoader and a backdoor called Anchor.
While attacks mounted earlier this year relied on email campaigns delivering Excel documents and a call center ruse dubbed "BazaCall" to deliver malware to corporate users, recent intrusions beginning around June 2021 have been marked by a partnership with two cybercrime affiliates to augment its distribution infrastructure by leveraging hijacked email threads and fraudulent website customer inquiry forms on organization websites to deploy Cobalt Strike payloads.
"This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," the researchers said.
In one infection chain observed by IBM in late August 2021, the Hive0107 affiliate is said to have adopted a new tactic that involves sending email messages to target companies informing that their websites have been performing distributed denial-of-service (DDoS) attacks on its servers, urging the recipients to click on a link for additional evidence. Once clicked, the link instead downloads a ZIP archive containing a malicious JavaScript (JS) downloader that, in turn, contacts a remote URL to fetch the BazarLoader malware to drop Cobalt Strike and TrickBot.
"ITG23 has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks," the researchers concluded. "This latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware."
Ukraine Arrests Operator of DDoS Botnet with 100,000 Compromised Devices
13.10.21 BotNet Thehackernews
Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers.
The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have leveraged the automated network to detect vulnerabilities in websites and break into them as well as stage brute-force attacks in order to guess email passwords. The Ukrainian police agency said it conducted a raid of the suspect's residence and seized their computer equipment as evidence of illegal activity.
"He looked for customers on the closed forums and Telegram chats and payments were made via blocked electronic payment systems," the Security Service of Ukraine (SSU) said in a press statement. The payments were facilitated via WebMoney, a Russian money transfer platform banned in Ukraine.
But in what appears to be a trivial opsec error, the actor registered the WebMoney account with his legitimate address, thus allowing the officials to zero in on his whereabouts.
The development comes weeks after Russian cybersecurity firm Rostelecom-Solar, a subsidiary of the telecom operator Rostelecom, disclosed late last month that it had sinkholed a portion of the Mēris DDoS botnet that's known to have co-opted an estimated 250,000 hosts into its mesh.
By intercepting and analyzing the commands used to control infected devices, the company said it was able to "detect 45,000 network devices, identify their geographic location and isolate them from the botnet." Over 20% of the devices attacked are located in Brazil, followed by Ukraine, Indonesia, Poland, and India.
Mēris Botnet Hit Russia's Yandex With Massive 22 Million RPS DDoS Attack
19.9.21 BotNet Thehackernews
Russian internet giant Yandex has been the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Mēris.
The botnet is believed to have pummeled the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that came to light last month, bombarding an unnamed Cloudflare customer in the financial industry with 17.2 million RPS.
Russian DDoS mitigation service Qrator Labs, which disclosed details of the attack on Thursday, called Mēris — meaning "Plague" in the Latvian language — a "botnet of a new kind."
"It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market," the researchers noted, adding Mēris "can overwhelm almost any infrastructure, including some highly robust networks […] due to the enormous RPS power that it brings along."
The DDoS attacks leveraged a technique called HTTP pipelining that allows a client (i.e., a web browser) to open a connection to the server and make multiple requests without waiting for each response. The malicious traffic originated from over 250,000 infected hosts, primarily network devices from MikroTik, with evidence pointing to a spectrum of RouterOS versions that have been weaponized by exploiting as-yet-unknown vulnerabilities.
But in a forum post, the Latvian network equipment manufacturer said these attacks employ the same set of routers that were compromised via a 2018 vulnerability (CVE-2018-14847, CVSS score: 9.1) that has since been patched and that there are no new (zero-day) vulnerabilities impacting the devices.
"Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create," it noted.
Mēris has also been linked to a number of DDoS attacks, including that mitigated by Cloudflare, noting the overlaps in "durations and distributions across countries."
While it's highly recommended to upgrade MikroTik devices to the latest firmware to combat any potential botnet attacks, organizations are also advised to change their administration passwords to safeguard against brute-force attempts.
Chinese Authorities Arrest Hackers Behind Mozi IoT Botnet Attacks
3.9.21 BotNet Thehackernews
The operators of the Mozi IoT botnet have been taken into custody by Chinese law enforcement authorities, nearly two years after the malware emerged on the threat landscape in September 2019.
News of the arrest, which originally happened in June, was disclosed by researchers from Netlab, the network research division of Chinese internet security company Qihoo 360, earlier this Monday, detailing its involvement in the operation.
"Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab, which spotted the botnet for the first time in late 2019.
The development also comes less than two weeks after Microsoft Security Threat Intelligence Center revealed the botnet's new capabilities that enable it to interfere with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking with the goal of redirecting users to malicious domains.
Mozi, which evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper, amassed more than 15,800 unique command-and-control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs, a number that has since ballooned to 1.5 million, with China and India accounting for the most infections.
Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution.
Now, according to Netlab, the Mozi authors also packed in additional upgrades, which include a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding on the botnet's features by following a plug-in like approach to designing custom tag commands for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said.
What's more, Mozi's reliance on a BitTorrent-like Distributed Hash Table (DHT) to communicate with other nodes in the botnet instead of a centralized command-and-control server allows it to function unimpeded, making it difficult to remotely activate a kill switch and render the malware ineffective on compromised hosts.
"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended," the researchers cautioned. "Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day."
New ZHtrap botnet uses honeypot to find more victims
18.3.2021 BotNet Securityaffairs
Researchers from Netlab 360 discovered a new Mirai-based botnet dubbed ZHtrap that implements a honeypot to find more victims.
ZHtrap propagates using four vulnerabilities. Experts pointed out that the botnet is mainly used to conduct DDoS attacks and scanning activities, while integrating some backdoor features.
ZHtrap propagates using the following N-day vulnerabilities:
JAWS_DVR_RCE
NETGEAR
CCTV_DVR_RCE
CVE-2014-8361
ZHtrap supports multiple architectures, including x86, ARM, and MIPS. Compared to Mirai, the ZHtrap botnet presents multiple differences: it uses a checksum mechanism for the instructions; in its scanning propagation, it distinguishes between real devices and honeypots; the XOR encryption algorithm has been redesigned; and it can turn the compromised device into a simple honeypot and implement a set of process control mechanisms.
Experts noticed that the bot borrows some implementations of the Matryosh DDoS botnet.
The researchers analyzed multiple samples of the ZHtrap bot and grouped them into 3 versions according to their functions. The version v2 is based on v1 with the addition of vulnerability exploitation, while v3 is based on v2 with the deletion of the network infrastructure.
The ZHtrap botnet used honeypots by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further propagation activities.
“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypot.” reads the analysis published by Netlab 360. “Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module”
ZHtrap listens on 23 designated ports and identifies IP addresses that connect to these ports, then uses these IP addresses as targets, attempting to compromise them by exploiting the four vulnerabilities and injecting the payload.
Once the bot has taken over the devices, it takes a cue from the Matryosh botnet by using Tor for communications with a C2 infrastructure to download and execute additional payloads.
“Many botnets implement worm-like scan propagation, and when ZHtrap’s honeypot port is accessed, its source is most likely a device that has been infected by another botnet,” conclude the researchers. “This device can be infected, there must be flaws, I can use my scanning mechanism to scan again. This could be a good chance that I can implant my bot samples, and then with the process control function, I can have total control, isn’t that awesome?”
Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices
17.3.2021 BotNet Threatpost
A new Mirai variant is targeting known flaws in D-Link, Netgear and SonicWall devices, as well as newly-discovered flaws in unknown IoT devices.
A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.
Since Feb. 16, the new variant has been targeting six known vulnerabilities – and three previously unknown ones – in order to infect systems and add them to a botnet. It’s only the latest variant of Mirai to come to light, years after source code for the malware was released in October 2016.
“The attacks are still ongoing at the time of this writing,” said researchers with Palo Alto Networks’ Unit 42 team on Monday. “Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.”
Initial Exploit: New and Old Flaws
The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356).
The botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.
“We cannot say with certainty what the targeted devices are for the unidentified exploits,” Zhibin Zhang, principal researcher for Unit 42, told Threatpost. “However, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.”
The exploits themselves include two RCE attacks — including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.
The latter has “been observed in the past being used by [the] Moobot [botnet], however the exact target is unknown,” researchers noted. Threatpost has reached out to researchers for further information on these unknown targets.
Mirai Botnet: A Set of Binaries
After initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware’s infrastructure. The shell script then downloads several Mirai binaries and executes them, one-by-one.
One such binary includes lolol.sh, which has multiple functions. Lolol.sh deletes key folders from the target machine (including ones with existing scheduled jobs and startup scripts); creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports (to make remote access to the affected system more challenging for admins); and schedules a job that aims to rerun the lolol.sh script every hour (for persistence). Of note, this latter process is flawed, said researchers, as the cron configuration is incorrect.
Another binary (install.sh) downloads various files and packages – including GoLang v1.9.4, the “nbrute” binaries (that brute-force various credentials) and the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by “nbrute”).
The final binary is called dark.[arch], and is based on the Mirai codebase. This binary mainly functions for propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using hardcoded credentials in the binary.
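A triage check for the lolol.sh behaviour described above, as an added example that is not from Unit 42 or the original article: it scans `iptables-save` output for INPUT rules that block the SSH, HTTP and telnet ports, and scans crontab text for entries that reference the script, including malformed ones. The port numbers (22, 80, 23), the file paths and all sample input are constructed assumptions.

```python
import re

# Assumption: default port numbers for the services the article names.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http"}
BLOCKING_TARGETS = {"DROP", "REJECT"}
CRON_NICKNAMES = {"@reboot", "@yearly", "@annually", "@monthly",
                  "@weekly", "@daily", "@midnight", "@hourly"}
CRON_FIELD = re.compile(r"^[\d*/,\-]+$")


def _expand_ports(spec):
    """Expand an iptables port spec such as '22', '23,80' or '20:25'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            continue
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def blocked_admin_ports(iptables_save_text):
    """Return {port: rule} for INPUT rules that drop or reject TCP to admin ports."""
    hits = {}
    for line in iptables_save_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        if "!" in tokens:
            continue  # negated matches need manual review, not a blanket flag
        opts = dict(zip(tokens, tokens[1:]))  # option -> token that follows it
        if opts.get("-p") != "tcp" or opts.get("-j") not in BLOCKING_TARGETS:
            continue
        spec = opts.get("--dport") or opts.get("--dports") or ""
        for port in _expand_ports(spec) & set(ADMIN_PORTS):
            hits[port] = line.strip()
    return hits


def suspicious_cron_lines(cron_text, script_names=("lolol.sh",)):
    """Return (line, schedule_ok) for each cron line referencing a named script.

    Matching is on the script name rather than on a valid schedule, because
    the article notes that the malware's own cron configuration is incorrect.
    """
    findings = []
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not any(name in line for name in script_names):
            continue
        fields = line.split()
        schedule_ok = (fields[0] in CRON_NICKNAMES and len(fields) >= 2) or (
            len(fields) >= 6 and all(CRON_FIELD.match(f) for f in fields[:5])
        )
        findings.append((line, schedule_ok))
    return findings


def triage(iptables_save_text, cron_text):
    """Combine both checks into one verdict for a host."""
    blocked = blocked_admin_ports(iptables_save_text)
    cron_hits = suspicious_cron_lines(cron_text)
    return {
        "blocked_services": sorted(ADMIN_PORTS[p] for p in blocked),
        "cron_hits": cron_hits,
        # All three admin services blocked at once, or any script reference.
        "suspicious": set(blocked) == set(ADMIN_PORTS) or bool(cron_hits),
    }


# Constructed sample input (not captured from a real infection).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m multiport --dports 23,80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DROP
COMMIT
"""

SAMPLE_CRON = """\
# m h dom mon dow command
17 * * * * /usr/sbin/logrotate /etc/logrotate.conf
0 * * * /tmp/lolol.sh
@hourly sh /var/run/lolol.sh
"""

if __name__ == "__main__":
    report = triage(SAMPLE_IPTABLES, SAMPLE_CRON)
    print("blocked services:", report["blocked_services"])
    for line, ok in report["cron_hits"]:
        print("cron:", line, "(valid schedule)" if ok else "(malformed schedule)")
    print("suspicious:", report["suspicious"])
```

On a live host, feed it the output of `iptables-save` and the contents of the crontab files instead of the samples.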
Mirai Variants Continue to Pop Up
The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.
Last year, a Mirai variant was found targeting Zyxel network-attached storage (NAS) devices using a critical vulnerability that was only recently discovered, according to security researchers. In 2019, a variant of the botnet was found sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems. And, a 2018 variant was used to launch a series of DDoS campaigns against financial-sector businesses.
Researchers said that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.
“The IoT realm remains an easily accessible target for attackers,” according to Unit 42’s report. “Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.”
New Mirai variant appears in the threat landscape
17.3.2021 BotNet Securityaffairs
Palo Alto researchers uncovered a series of ongoing attacks to spread a variant of the infamous Mirai bot exploiting multiple vulnerabilities.
Security experts at Palo Alto Networks disclosed a series of attacks aimed at delivering a Mirai variant leveraging multiple vulnerabilities.
Below is the list of vulnerabilities exploited in the attacks, three of which were unknown issues:
| ID | Vulnerability | Description | Severity |
|----|---------------|-------------|----------|
| 1 | VisualDoor | SonicWall SSL-VPN Remote Command Injection Vulnerability | Critical |
| 2 | CVE-2020-25506 | D-Link DNS-320 Firewall Remote Command Execution Vulnerability | Critical |
| 3 | CVE-2021-27561 and CVE-2021-27562 | Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability | Critical |
| 4 | CVE-2021-22502 | Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40 | Critical |
| 5 | CVE-2019-19356 | Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerability | High |
| 6 | CVE-2020-26919 | Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability | Critical |
| 7 | Unidentified | Remote Command Execution Vulnerability Against an Unknown Target | Unknown |
| 8 | Unidentified | Remote Command Execution Vulnerability Against an Unknown Target | Unknown |
| 9 | Unknown Vulnerability | Vulnerability Used by Moobot in the Past, Although the Exact Target is Still Unknown | Unknown |
“The attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.” reads a post published by Palo Alto Networks’ Unit 42.
The attacks were first observed on February 16. Experts noticed that upon successful exploitation, the malicious code uses the wget utility to download a shell script from the C2. The shell script downloads several Mirai binaries that were compiled for different architectures, then executes these binaries one by one.
Experts noticed that the malware also downloads more shell scripts that retrieve brute-forcers that could be used to target devices protected with weak passwords.
“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researchers conclude.
New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
17.3.2021 BotNet Thehackernews
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems.
"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers," Palo Alto Networks' Unit 42 Threat Intelligence Team said in a write-up.
The rash of vulnerabilities being exploited includes:
VisualDoor — a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
CVE-2020-25506 - a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
CVE-2021-27561 and CVE-2021-27562 - Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
CVE-2021-22502 - an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
CVE-2019-19356 - a Netis WF2419 wireless router RCE exploit, and
CVE-2020-26919 - a Netgear ProSAFE Plus RCE vulnerability
Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with MooBot.
The attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.
Regardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that's then used to fetch Mirai binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.
"The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences," the researcher said.
New ZHtrap Botnet Traps Victims Using a Honeypot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as Matryosh.
While honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.
It achieves this by listening on 23 designated ports and identifying IP addresses that connect to these ports, then using the amassed IP addresses to inspect them for four vulnerabilities to inject the payload -
MVPower DVR Shell unauthenticated RCE
Netgear DGN1000 Setup.cgi unauthenticated RCE
CCTV DVR RCE affecting multiple vendors, and
Realtek SDK miniigd SOAP command execution (CVE-2014-8361)
"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features," the researchers said. "Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device."
Once it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.
Noting that the attacks began from February 28, 2021, the researchers said ZHtrap's ability to turn infected devices into honeypots marks an "interesting" evolution of botnets to facilitate finding more targets.
"Many botnets implement worm-like scan propagation, and when ZHtrap's honeypot port is accessed, its source is most likely a device that has been infected by another botnet," the researchers speculated about the malware's authors. "This device can be infected, there must be flaws, I can use my scanning mechanism to scan again. This could be a good chance that I can implant my bot samples, and then with the process control function, I can have total control, isn't that awesome?"
TrickBot Takes Over, After Cops Kneecap Emotet
12.3.2021 BotNet Threatpost
TrickBot rises to top threat in February, overtaking Emotet in Check Point’s new index.
A massive malicious spam campaign, along with the global takedown of Emotet, has vaulted the TrickBot trojan to the top of Check Point’s list of the most popular malware among cybercriminals for February.
In January, TrickBot was ranked third on Check Point’s list, and it was fourth overall for 2020, while the No. 1 malware, Emotet, remained ascendant. But following the worldwide law-enforcement effort to take down Emotet in January, cybercriminals have pivoted to TrickBot, the report explained. Both strains are most often used as first-stage loaders for fetching additional malware.
“Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks from being compromised and minimize risks,” according to the Check Point report.
However, TrickBot hasn’t quite reached the same level of success as Emotet enjoyed before the crackdown, Check Point’s Omer Dembinsky told Threatpost.
“Although we still do not see another single threat reaching the scale of Emotet’s activity, the overall variety and volume of possible threats continues to pose an extremely high risk on networks and devices, and we have no doubt that the void left by Emotet’s takedown will be filled,” he said.
TrickBot Spam Campaign
TrickBot was used in a spam campaign in February targeting users working in the insurance and legal industries, which tried to get them to click on a malicious .ZIP archive, the report added. Cybercriminals likely picked TrickBot as their new tool of choice because of its record of success with other high-profile campaigns, like the 2020 attack on Universal Health Services, which used the malware to exfiltrate stolen data and deliver Ryuk ransomware to the system, Check Point added.
Its flexibility is another aspect of TrickBot that makes it an attractive choice for cybercriminals, Check Point reported.
First developed in 2016 as a banking trojan, TrickBot’s hallmark is its ability to evolve modularly to improve its capabilities and evade detection. Last December, a new module of TrickBot called “TrickBoot” emerged that allowed it to inspect UEFI/BIOS firmware of the targeted systems.
TrickBot Disrupted, But Recovered
TrickBot was also seriously disrupted by take-down action led by Microsoft last October in an effort to curb its spread.
“We disrupted TrickBot through a court order we obtained, as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president, Customer Security & Trust, at Microsoft, at the time. “We have now cut off key infrastructure, so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
Clearly, TrickBot was able to not just recover, but return with a vengeance.
The second-most popular malware among threat actors in February, according to Check Point, was XMRing, which is currently being used in a campaign using a fake ad blocker to deliver both the XMRing cryptominer, as well as ransomware, for a double-whammy attack. In total, the XMRing cryptominer/ransomware attack has infected more than 20,000 users in the past two months, Kaspersky warned in a recent report.
Top Vulnerabilities, Mobile Threats
The most exploited vulnerability for February was “Web Server Exposed Git Repository Information Disclosure,” which impacted 48 percent of organizations globally, Check Point’s report said. Second was “HTTP Headers Remote Code Execution (CVE-2020-13756),” which impacted 46 percent of worldwide orgs, and “MVPower DVR Remote Code Execution” was third, affecting 45 percent.
Source: Check Point
No. 1 on the mobile malware list is Hiddad, followed by xHelper malicious app with ad stuffer and the FurBall mobile remote access trojan (MRAT).
Besides regular patching and updates to protect from known vulnerabilities, Check Point recommends user training as the best means of protecting any organization from cybersecurity breaches.
“Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails which spread Trickbot and other malware,” Check Point said.
D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
6.3.2021 BotNet Threatpost
A new variant of the Gafgyt botnet – that’s actively targeting vulnerable D-Link and Internet of Things devices – is the first variant of the malware to rely on Tor communications, researchers say.
Researchers have discovered what they say is the first variant of the Gafgyt botnet family to cloak its activity using the Tor network.
Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.
In order to evade detection, Gafgyt_tor uses Tor to hide its command-and-control (C2) communications, and encrypts sensitive strings in the samples. The use of Tor by malware families is nothing new; however, researchers said they haven’t seen Gafgyt leveraging the anonymity network until now.
“Compared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,” said researchers with NetLab 360 on Thursday. “The Tor-based C2 communication mechanism has been seen in other families we have analyzed before… but this is the first time we encountered it in the Gafgyt family.”
Gafgyt_tor Botnet: Propagation and New Functionalities
The botnet is mainly propagated through weak Telnet passwords – a common issue on internet of things devices – and through exploiting three vulnerabilities. These vulnerabilities include a remote code execution flaw (CVE-2019-16920) in D-Link devices; a remote code execution vulnerability in Liferay enterprise portal software (for which no CVE is available); and a flaw (CVE-2019-19781) in Citrix Application Delivery Controller.
Researchers said that the code structure of Gafgyt_tor’s main function – which adds the Tor proxy function to provide the IP server’s address – shows widespread changes.
“The original initConnection() function, which is responsible for establishing the C2 connection, is gone, replaced by a large section of code responsible for establishing the Tor connection,” they said.
New Tor Capabilities, Commands
Within this large section of code exists tor_socket_init, a function that is responsible for initializing a list of proxy nodes with IP addresses and a port. Researchers said that over 100 Tor proxies can be built in this way – and new samples are continually updating the proxy list.
The new versus old code structure for the Gafgyt variant. Credit: NetLab 360
“After initializing the proxy list, the sample will select a random node from the list to enable Tor communication via tor_retrieve_addr and tor_retrieve_port,” said researchers.
After it establishes a connection with the C2, the botnet requests wvp3te7pkfczmnnl.onion through the darknet, from which it then awaits commands.
“The core function of Gafgyt_tor is still DDoS attacks and scanning, so it mostly follows the common Gafgyt directive,” said researchers. They noted that a new directive called LDSERVER has been added to the botnet, which allows the C2 to quickly specify servers from which the payloads are downloaded. This allows attackers to quickly switch courses should an attacker-owned download server be identified and blocked, said researchers.
“This directive means that C2 can dynamically switch download servers, so that it can quickly switch to a new download server to continue propagation if the current one is blocked,” said researchers.
Links to Freak Threat Actor, Other Botnets
Researchers said that the variant shares the same origin with the Gafgyt samples distributed by a threat group that NetLab 360 researchers call the keksec group, and that other researchers call the Freak threat actor. They said the keksec group reuses code and IP addresses between various other bot families, including the Tsunami botnet as well as the Necro botnet family uncovered in January.
“We think that Gafgyt_tor and Necro are very likely operated by the same group of people, who have a pool of IP addresses and multiple botnet source codes, and have the ability of continuous development,” said researchers. “In actual operation, they form different families of botnets, but reuse infrastructure such as IP address.”
Other Gafgyt Botnet Variants
Gafgyt_tor is only the latest variant of the popular botnet to come to light. In 2019, researchers warned of a new Gafgyt variant adding vulnerable IoT devices to its botnet arsenal and using them to cripple gaming servers worldwide.
In 2018, researchers said they discovered new variants for the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; as well as a separate attack actively launching two IoT/Linux botnet campaigns, exploiting the CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers.
More recently, last year a botnet called Hoaxcalls emerged, as a variant of the Gafgyt family. The botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager.
Supermicro, Pulse Secure Respond to Trickbot's Ability to Target Firmware
6.3.2021 BotNet Securityweek
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
In early December, security researchers at Advanced Intelligence (AdvIntel) and enterprise device security firm Eclypsium revealed that Trickbot not only survived a takedown attempt, but also gained the ability to scan UEFI/BIOS firmware for vulnerabilities that would allow making modifications.
Referred to as Trickboot, the ability would enable TrickBot operators to use firmware implants and backdoors in their attacks, control the boot operations to fully control systems, or even start bricking devices, the researchers warned at the time.
“TrickBoot is a new functionality within the TrickBot malware toolset capable of discovering vulnerabilities and enabling attackers to read/write/erase the device’s BIOS,” Supermicro notes in an advisory published this week.
The malware can check if the BIOS control register is unlocked and if modifications could be made to the BIOS region contents, and then implant malicious code that would survive OS reinstalls.
Supermicro said the vulnerability affects a subset of the X10 UP motherboards and that a mitigation will be provided. However, only products that have not reached end of life (EOL) will automatically receive the BIOS update. Patches for EOL products will be provided on request.
“A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device,” Pulse Secure notes in its advisory.
The company says that only two of its device models are affected, namely PSA-5000 and PSA-7000. Patches are available for Pulse Connect Secure / Pulse Policy Secure and are pending release for Pulse One (the on-prem appliance only).
Yeezy Fans Face Sneaker-Bot Armies for Boost ‘Sun’ Release
27.2.2021 BotNet Threatpost
Sneaker bots ready to scoop up the new Yeezy Boost 700 “Sun” shoes to resell at a huge markup.
Shopping bots are likely to make it tough for everyday sneakerheads to get their hands on a pair of new Adidas Yeezy Boost 700 “Sun” shoes from Kanye West when they are available through retailers on Saturday, Feb. 27.
Researchers at Cequence Security track bots across the internet, and the company’s hacker-in-residence, Jason Kent, told Threatpost that sneaker bots are plaguing new shoe releases, like the Adidas Yeezys, and creating legions of frustrated customers who can’t get new products.
While regular shoppers are stuck working through a retailer’s web interface, Kent said these sneaker bots get in through the site’s API, a much more efficient route to scoop up product. The sheer numbers of these bots, which can be deployed by the thousands and automated to buy the shoes, also make them formidable opponents.
Sneaker Bots Are Cheap, Easy to Get
And the technology is easy to get. Sneaker-bot software provider KodaiAIO currently shows it’s “sold out” but is priced at $175 for two months and $59.99 per month after that.
These unreleased Yeezys are already listed on eBay for more than double their retail price.
KodaiAIO comes with an online dashboard for easy use and promises to “restock” its offering once a month. The software said its goal is to keep the user from ever missing another sneaker release, and will even organize sneaker shoppers into teams for maximum impact.
There are many other versions of sneaker-bot software out there for sale, like CopSupply, and a whole Copping Sneakers Starter Kit to get started that costs $499 per year.
That might seem a little steep, but reselling these limited release shoes is big business, which Kent said totals in the billions of dollars every year. He added that the resell price on sought-after sneakers is usually about twice the retail price.
“There are 15-year-old kids making $200,000 out of their garage selling sneakers,” Kent said.
Yeezys Already Marked Up for Resale
The upcoming Yeezy 700 “Suns” retail for $240 but resellers already have listings on eBay priced at $670 and up.
But Kent has good news for sneakerheads: He predicts by this time next year, retailers will have to get sneaker bots under control if they want big brands to continue working with them.
And it’s not just shoes — the recent releases of the PS5 and Xbox last fall were marred by armies of bots scooping up all the consoles and reselling at astronomical markups. And Nvidia has tried to thwart some of the bot-buying and resale market for its GPUs: This week’s launch of the GeForce RTX 3060 — a ray-tracing-friendly, advanced gaming graphics chip — also throttles Ethereum mining. It’s a move meant to be a disincentive to those catering to cryptomining enthusiasts who are willing to pay astronomical resale prices for the elite processing chips online.
Building consumer frustration is forcing companies to get serious about bot mitigation, Kent explained. “We have made tremendous strides in this space,” he said.
Sneakerhead Tip for Battling Bots
Kent also offered a couple of tips for real live shoppers trying to get their own pair of Yeezy 700 “Sun” sneakers. First, the race is on to get the shoes in an online cart, but if at first they’re not available, just hang out and wait a few minutes, he suggested.
If the bot accounts have trouble with their credit cards and can’t complete the “checkout” phase of the transaction, the inventory is swept out of the carts and made available again.
“Your competition is thousands of fake accounts,” Kent said.
Matryosh DDoS botnet targets Android-Based devices via ADB
5.2.2021 BotNet Securityaffairs
Netlab researchers spotted a new Android malware, dubbed Matryosh, that is infecting devices to recruit them in a distributed denial-of-service (DDoS) botnet.
On January 25, 2021, researchers at 360 Netlab detected a suspicious ELF file that was initially attributed to Mirai but later turned out to be a new bot, tracked as Matryosh.
“On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai’s characteristics. This anomaly caught our attention, and after analysis, we determined that it was a new botnet that reused the Mirai framework, propagated through the ADB interface, and targeted Android-like devices with the main purpose of DDoS attacks.” reads the analysis published by the experts.
The Matryosh bot reuses the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android-like devices.
The main purpose of the Android botnet is to carry out DDoS attacks.
The Android Debug Bridge (adb) is a command-line tool that allows developers to communicate with an Android device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
ADB can be abused by malware to target Android phones through port 5555. By default, Android has the Android Debug Bridge (ADB) option disabled, but vendors often enable it to customize the operating system and then ship the devices with the feature turned on.
Unlike similar threats, Matryosh uses the Tor network to avoid detection.
“The encryption algorithm implemented in this botnet and the process of obtaining C2 are nested in layers, like Russian nesting dolls. For this reason we named it Matryosh.” continues the analysis.
Experts found a similarity of C2 instructions employed by the Moobot threat actor, which continues to be very active in this period.
Matryosh first decrypts the remote hostname and uses a DNS TXT request to obtain the TOR C2 and TOR proxy, then connects to the TOR proxy. The bot communicates with the TOR C2 through the proxy and waits for commands from the C&C server.
“Matryosh’s cryptographic design has some novelty, but still falls into the Mirai single-byte XOR pattern, which is why it is easily flagged by antivirus software as Mirai; the changes at the network communication level indicates that its authors wanted to implement a mechanism to protect C2 by downlinking the configuration from the cloud, doing this will bring some difficulties to static analysis or simple IOC simulator.” concludes the post.
“However, the act of putting all remote hosts under the same SLD is not optimal, it might change and we will keep an eye on it.”
Beware: New Matryosh DDoS Botnet Targeting Android-Based Devices
5.2.2021 BotNet Thehackernews
A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks.
Called "Matryosh" by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them into its network.
ADB is a command-line tool part of the Android SDK that handles communications and allows developers to install and debug apps on Android devices.
While this option is turned off by default on most Android smartphones and tablets, some vendors ship with this feature enabled, thus allowing unauthenticated attackers to connect remotely via the 5555 TCP port and open the devices directly to exploitation.
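A defender-side check for the exposure described above, as an added example that is not from Netlab or the original article: it reads the output of `getprop` collected from a device you manage and flags ADB configured for TCP without client authorization. The sample dumps, model names and severity labels are constructed, and the property precedence is an assumption noted in the code.

```python
"""Flag network-reachable ADB from an Android `getprop` dump (added example)."""
import re

# Constructed sample: properties from a hypothetical vendor box shipped with
# ADB over TCP left enabled and no client authorization.
SAMPLE_VENDOR_BOX = """\
[init.svc.adbd]: [running]
[persist.adb.tcp.port]: [5555]
[ro.adb.secure]: [0]
[ro.product.model]: [ExampleBox-1]
"""

# Constructed sample: a phone with debugging switched off.
SAMPLE_STOCK_PHONE = """\
[init.svc.adbd]: [stopped]
[ro.adb.secure]: [1]
[ro.product.model]: [ExamplePhone-2]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def adb_tcp_port(props):
    """Return the TCP port adbd is set to listen on, or None if TCP is off.

    Assumption: the first non-empty property wins, service.* before persist.*,
    and a value that is not a positive integer (e.g. -1) means TCP is disabled.
    """
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        value = props.get(key, "").strip()
        if value:
            return int(value) if value.isdigit() and int(value) > 0 else None
    return None


def assess(props):
    """Classify a device as 'high', 'medium' or 'none', with the reasons."""
    port = adb_tcp_port(props)
    if port is None:
        return {"severity": "none", "port": None, "findings": []}
    findings = [f"adbd is configured to listen on TCP port {port}"]
    # Conservative assumption: a missing ro.adb.secure is treated like 0.
    authenticated = props.get("ro.adb.secure", "0") == "1"
    if not authenticated:
        findings.append("ro.adb.secure is not 1: clients are not asked for key authorization")
    if props.get("init.svc.adbd") == "running":
        findings.append("adbd is currently running")
    severity = "medium" if authenticated else "high"
    return {"severity": severity, "port": port, "findings": findings}


if __name__ == "__main__":
    for name, dump in (("vendor box", SAMPLE_VENDOR_BOX),
                       ("stock phone", SAMPLE_STOCK_PHONE)):
        result = assess(parse_getprop(dump))
        print(name, result["severity"], result["findings"])
```

A "medium" result still deserves attention: the port is reachable over the network even though clients must be authorized first.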
This is not the first time a botnet has taken advantage of ADB to infect vulnerable devices.
In July 2018, open ADB ports were used to spread multiple Satori botnet variants, including Fbot, and a year later, a new cryptocurrency-mining botnet malware was discovered, making inroads using the same interface to target Android device users in Korea, Taiwan, Hong Kong, and China.
But what makes Matryosh stand out is its use of Tor to mask its malicious activity and funnel commands from an attacker-controlled server through the network.
"The process of obtaining C2 are nested in layers, like Russian nesting dolls," Netlab researchers said.
To achieve this, Matryosh first decrypts the remote hostname and uses the DNS TXT request — a type of resource record — to obtain TOR C2 and TOR proxy. Subsequently, it establishes a connection with the TOR proxy, and communicates with the TOR C2 server through the proxy, and awaits further instructions from the server.
Netlab researchers said the emerging botnet's command format and its use of TOR C2 are highly similar to that of another botnet called LeetHozer that's developed by the Moobot group.
"Based on these considerations, we speculate that Matryosh is the new work of this parent group," the researchers concluded.
TrickBot Continues Resurgence with Port-Scanning Module
3.2.2021 BotNet Threatpost
The infamous malware has incorporated the legitimate Masscan tool, which looks for open TCP/IP ports with lightning-fast results.
The TrickBot trojan is continuing its bounce-back from an autumn takedown, recently adding a network-scanning module that uses the Masscan open-source tool to look for open ports.
Masscan is a mass TCP/IP port scanner, which can scan the entire internet in under five minutes according to its authors, transmitting 10 million packets per second of data from a single machine. The TrickBot module that uses it, dubbed “masrv,” is likely used for network reconnaissance, according to researchers at Kryptos Logic.
The module arrives as either a 32-bit or 64-bit DLL library, depending on the Windows OS version of the victim machine the bot is running on. Once installed, it makes requests to the command-and-control server (C2) for a list of IP address ranges to scan, followed by port range, that it can pass as parameters to Masscan. The C2 also communicates the frequency for sending results and the transmission rate.
“At first, the module makes GET requests for information from the commands ‘freq,’ ‘domains’ and ‘rate,'” Kryptos Logic researchers explained in a Monday blog posting. “If successful, the module executes Masscan’s main function routine, which is compiled within the DLL.”
The Masscan tool has its own network stack, and it requires a low-level packet filter in order to render results, according to the analysis. The TrickBot module looks for NPcap\Packet.dll on Windows machines; and if it’s not present, it makes a request to download the NPcap executable from the C2 which is then silently installed. The Masscan tool also attempts to initialize the network adapter.
If the module discovers any open ports, it sends the results at the frequency, in seconds, determined by the freq value queried at the beginning.
“Results are aggregated by calling a module-specific function from the Masscan function output_report_status which adds discovered ports to a global string,” researchers explained. “These results are posted back (via the 81 message) regularly.”
Anchor/Bazar Tie-Ins
The new module also interestingly contains a C2 communication function for connecting to the Anchor attack framework, and a list of hardcoded IPs which have previously been associated with both Anchor and Bazar.
The Anchor malware framework, which dates back to at least 2018, appears to be programmed by TrickBot’s operators, researchers have noted. It’s “an all-in-one attack framework,” made up of various submodules that can help attackers spread laterally on a network (such as the ability to install backdoors). Other cybergangs appear to make use of Anchor as well – last year a TrickBot partnership with the FIN6 financial cybergroup was uncovered; and the North Korea-linked Lazarus Group has also been seen using it.
Bazar meanwhile is a group of malware likely developed by the TrickBot operators that has also been seen being used by a variety of threat actors, such as the Ryuk ransomware gang. It’s a first-stage loader malware that has many variants, including malware families Kegtap, Singlemalt and Winekey.
In June, TrickBot added a Bazar-based module called BazarBackdoor, which is capable of providing full access to an attacker and can be used as a point of entry for any number of attacks.
“In any advanced attack, be it ransomware, industrial espionage or corporate data exfiltration, having this kind of access is essential,” researchers at Panda Security said at the time. “If a cybercriminal manages to install BazarBackdoor on a company’s IT system, it could pose a serious danger, and, given the volume of emails being sent out with this backdoor, this is a widespread threat.”
As for the links between “masrv” and the other two weapons, “It is not uncommon for this actor to be seen sharing code between its toolsets,” Kryptos Logic researchers said. “This new module is an indication of the actor’s continued investment in improving their network reconnaissance toolkit, even after recent disruption efforts.”
TrickBot Bounces Back After Disruption
TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware.
Users infected with the TrickBot trojan will see their device become part of a botnet that attackers use to load next-stage malware – researchers called it an “ideal dropper for almost any additional malware payload.” For instance, in one campaign the Emotet trojan loaded TrickBot as a means to deploy Ryuk ransomware.
In October though, TrickBot was dealt a serious blow thanks to a coordinated action led by Microsoft that disrupted the botnet that spreads it. A District Court granted a request for a court order to halt TrickBot’s operations, which Microsoft carried out in concert with other firms, including ESET, Lumen’s Black Lotus Labs, NTT Ltd., Symantec and others.
However, researchers warned at the time that TrickBot’s operators would quickly try to revive their operations – a prediction which quickly came true. According to AdvIntel and Eclypsium, active TrickBot infections only swelled in the two months after the takedown, peaking at up to 40,000 new victims in a single day.
And, in early December, it was seen implementing functionality designed to inspect the UEFI/BIOS firmware of targeted systems – the so-called TrickBoot module.
Experts discovered a new Trickbot module used for lateral movement
2.2.2021 BotNet Securityaffairs
Experts spotted a new Trickbot module that is used to scan local networks and make lateral movement inside the target organization.
Cybersecurity researchers discovered a new module of the Trickbot malware, dubbed ‘masrv’, that is used to scan a local network and make lateral movement inside the target organization.
The masrv module leverages the Masscan open-source utility for local network scanning; it is used to search for other devices with open ports that can be compromised.
Once a device is infected, masrv is used to drop the component and send a series of Masscan commands to scan the local network and send the scan results back to the C2 server.
The bot scans for systems with sensitive or management ports left open inside an internal network; botnet operators can then deploy other modules for lateral movement.
“Recently we have discovered a relatively new module that goes by the name masrv. The module is a network scanner that incorporates the Masscan open-source tool. Additionally, the module contains an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar.” reads the analysis published by Kryptos Logic. “We believe this module is used as one of Trickbot’s network reconnaissance tools to gather more information about the victim’s network.”
The recent module was compiled on December 4, 2020, but experts have yet to observe its use in the wild.
The researchers speculate the module is still under testing; the effort demonstrates that the authors of the malware are improving the Trickbot code after the recent takedown.
Kryptos Logic published a detailed analysis of the new masrv module that also includes indicators of compromise and Yara rules.
Law Enforcement Planning Emotet Cleanup Operation Following Botnet Takedown
29.1.2021 BotNet Securityweek
Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware.
One of the most prevalent botnets over the past decade, Emotet has been around since 2014, helping cybercriminals deploy their own Trojans, ransomware, and other types of malware onto compromised machines.
Serving as a malware loader, Emotet has been associated with the distribution of well-known malware families, including TrickBot and Ryuk ransomware, among others.
This week, Europol announced that, as part of an international operation that saw the participation of law enforcement agencies from eight different countries, Emotet’s infrastructure has been dismantled.
Authorities were able to take over the infrastructure, which included hundreds of servers worldwide, used to manage bots, spread Emotet, serve customers, and improve the network's resilience.
The Ukrainian police announced that two suspected Emotet infrastructure operators have been arrested, while other cybercriminals associated with the botnet’s activities have been identified and are being pursued. Emotet’s operators face up to 12 years in prison.
Codenamed LadyBird, the takedown operation also resulted in the seizure of hardware, credit cards, and cash, along with login credentials, keys to encrypted services, and information related to the infected companies. Authorities also identified 600,000 compromised email addresses, with passwords.
“The police have used their hacking powers to penetrate and investigate Emotet's cyber-criminal infrastructure. It was necessary to take action simultaneously in all countries concerned in order to be able to effectively dismantle the network and thwart any reconstruction of it,” the Dutch police said.
Authorities in the Netherlands also reveal that the investigation into Emotet, which started in 2019, has helped identify the various servers used for infrastructure, as well as over 1 million infected machines.
With law enforcement having taken control of the infrastructure, an update is being served to all infected machines, from the Dutch central servers.
“All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined,” the Dutch police said.
No specific timeframe for when the cleanup process will begin has been provided, but a security researcher suggested on Twitter that March 25, 2021, might be the day, based on lines of code found in the update that’s being sent to Emotet bots.
The researcher also discovered that all of the command and control (C&C) server IP addresses that Emotet now uses are located in Germany.
SecurityWeek has contacted the Bundeskriminalamt (BKA), Germany's central criminal investigation agency, for confirmation on the actions taken to clean up the Emotet infections, but hasn’t received a reply yet.
Emotet’s operations, which helped many cybercriminals conduct illicit activities, are estimated to have caused hundreds of millions of dollars in losses. According to Ukrainian authorities, such losses may be in excess of $2.5 billion.
UPDATE: BKA has provided SecurityWeek the following statement:
Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected. An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences. For this purpose, the communication parameters of the software have been adjusted in a way that the victim systems no longer communicate with the infrastructure of the offenders but with an infrastructure created for the seizure of evidence.
UPDATE 2: Cybersecurity firm Team Cymru told SecurityWeek that while it was not involved in this aspect of the operation, it believes that the Emotet cleanup will actually start in April, not March.
"Reports are out showing reverse engineers claim that the replacement binary will uninstall Emotet on March 25. We believe this report contains an error. In many programming languages, the month values start counting at 0, where 0 = January, 1 = February, etc. This maps to April instead of March. The date structure corresponds to 25 April 2021 at noon."
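The month off-by-one described in the statement above, as an added example that is not code from SecurityWeek, Team Cymru or the Emotet update: it assumes the date is stored in a layout like C's `struct tm`, where months count from 0 and years from 1900. The sample bytes and all function names are constructed for illustration.

```python
"""Decode a C-style `struct tm` date without the month off-by-one (added example)."""
import struct
from datetime import datetime

# Nine little-endian 32-bit ints, in the field order of C's struct tm.
TM_FORMAT = "<9i"
TM_FIELDS = ("tm_sec", "tm_min", "tm_hour", "tm_mday", "tm_mon",
             "tm_year", "tm_wday", "tm_yday", "tm_isdst")

# Constructed sample: 25 April 2021, 12:00:00. That day is a Sunday (tm_wday 0)
# and day 114 of the year when counting from 0 (tm_yday).
SAMPLE_TM = struct.pack(TM_FORMAT, 0, 0, 12, 25, 3, 121, 0, 114, 0)


def unpack_tm(raw):
    """Split the raw bytes into named struct tm fields."""
    size = struct.calcsize(TM_FORMAT)
    if len(raw) < size:
        raise ValueError("buffer too short for a struct tm")
    return dict(zip(TM_FIELDS, struct.unpack(TM_FORMAT, raw[:size])))


def decode_tm(raw):
    """Correct reading: tm_mon is 0-11 and tm_year is years since 1900."""
    tm = unpack_tm(raw)
    if not 0 <= tm["tm_mon"] <= 11:
        raise ValueError("tm_mon outside 0-11, not a struct tm style month")
    return datetime(tm["tm_year"] + 1900, tm["tm_mon"] + 1, tm["tm_mday"],
                    tm["tm_hour"], tm["tm_min"], tm["tm_sec"])


def misread_tm(raw):
    """The reading the statement calls an error: tm_mon taken as a calendar month."""
    tm = unpack_tm(raw)
    return datetime(tm["tm_year"] + 1900, tm["tm_mon"], tm["tm_mday"],
                    tm["tm_hour"], tm["tm_min"], tm["tm_sec"])


def matches_day_fields(raw, candidate):
    """Cross-check a candidate date against tm_wday and tm_yday.

    Only meaningful when the program that wrote the structure filled those
    fields in; code that builds a struct tm by hand often leaves them at zero.
    """
    tm = unpack_tm(raw)
    weekday_from_sunday = (candidate.weekday() + 1) % 7  # datetime counts Monday as 0
    day_of_year_from_zero = candidate.timetuple().tm_yday - 1
    return (tm["tm_wday"] == weekday_from_sunday
            and tm["tm_yday"] == day_of_year_from_zero)


if __name__ == "__main__":
    for label, reader in (("0-based month", decode_tm), ("1-based month", misread_tm)):
        value = reader(SAMPLE_TM)
        print(label, value.isoformat(), matches_day_fields(SAMPLE_TM, value))
```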
Emotet Takedown Disrupts Vast Criminal Infrastructure; NetWalker Site Offline
28.1.2021 BotNet Threatpost
Hundreds of servers and 1 million Emotet infections have been dismantled globally, while authorities have taken NetWalker’s Dark Web leaks site offline and charged a suspect.
UPDATE
The virulent malware known as Emotet – one of the most prolific malware strains globally – has been dealt a blow thanks to a takedown by an international law-enforcement consortium.
Meanwhile, the NetWalker ransomware has also been subjected to partial disruption, according to the U.S. Department of Justice.
On the Emotet front, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States have worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”
The effort eliminated active infections on more than 1 million endpoints worldwide, they said.
Emotet is a loader-type malware that’s typically spread via malicious emails or text messages. It’s often used as a first-stage infection, with the primary job of fetching secondary malware payloads, including Trickbot, Qakbot and the Ryuk ransomware. Its operators often rent its infrastructure to other crime groups for use in achieving initial access into corporate networks. With an average rate of 100,000 to a half-million Emotet-laden emails sent per day, Europol has dubbed it the “world’s most dangerous malware.”
An Emotet snapshot. Source: Europol.
“It is a so-called ‘modular malware family’ that can install all kinds of additional malware on systems, steals passwords from browsers and email clients, and is very difficult to remove,” according to an announcement from Dutch police issued on Wednesday. “One of the things that makes Emotet so dangerous is that Emotet opens the door to other types of malware, as it were. Large criminal groups were given access to some of those systems for payment to install their own malware. Concrete examples of this are the financial malware Trickbot and the ransomware Ryuk.”
The infrastructure that international police seized was wide-ranging, authorities said. “Some servers were used to keep a grip on already infected victims and to resell data, others to create new victims, and some servers were used to keep police and security companies at bay,” according to the Dutch police.
An announcement from Europol added, “The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.”
The Dutch authorities also found a database of around 600,000 stolen email addresses with passwords lurking on one of the servers; people can check to see if they’ve been compromised via a special checker website.
Details on how Operation LadyBird specifically worked are scant, but Europol noted: “Law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
Meanwhile, criminal investigations are continuing globally in an effort to track down the individuals responsible for the Emotet scourge, according to Europol.
“The result here is gratifying, but the havoc Emotet wreaked across numberless networks in seven years is alarming,” Hitesh Sheth, president and CEO at Vectra, told Threatpost. “We’ve got to aspire to more international cooperation for cybersecurity plus better response time. None of us know how many malware cousins of Emotet are doing more damage right now, but if each takes seven years to neutralize, we will remain in perpetual crisis.”
Permanent Takedown?
Of course, takedowns are no guarantee that a malware operation will remain permanently disrupted, as demonstrated by the Trickbot operation last fall; after that dismantling effort, Trickbot returned to the scene within two months.
“Unfortunately, with something like Emotet, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever,” said Brandon Hoffman, CISO at Netenrich, speaking to Threatpost. “Certainly the people who operated Emotet, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name Emotet may no longer be used, we should assume core pieces will live on through other tools and methods. There is a lot that we know about Emotet and we can apply those learnings for future defense, ideally providing earlier detection/prevention.”
According to Europol, in this case the agencies were able to seize the assets that would make a comeback possible for the malware’s operators.
“Back-up files were found on a few examined servers,” according to the alert. “With the help of such back-ups, the perpetrators can be operational again relatively quickly if their criminal infrastructure is taken down. The police hope that this operation will make a possible reconstruction of Emotet seriously difficult.”
Stefano De Blasi, threat researcher at Digital Shadows, told Threatpost that this latest Europol operation “holds the promise of having caused severe disruption to Emotet’s networks and command-and-control infrastructure.” He noted, “The ‘new and unique approach’ of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer down time for Emotet.”
Nonetheless, he agreed that it is unlikely that Emotet will cease to exist altogether after this operation.
“Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure – just like the TrickBot operators did.”
Constantly Evolving Emotet
Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, is a top threat, accounting for 30 percent of malware infections worldwide.
It continues to add functionality, such as the ability to spread to insecure Wi-Fi networks that are located near an infected device; the ability to spread via SMS messages; and the use of password-protected archive files to bypass email security gateways.
Palo Alto Networks also reported to CISA last year that researchers are now seeing instances of “thread jacking” – that is, intercepting an existing email chain via an infected host and simply replying with an attachment to deliver the malware to an unsuspecting recipient.
And the threat isn’t limited to desktop computers. Steve Banda, senior manager of security solutions at Lookout, told Threatpost Emotet has gone mobile in the past few months, too.
All of the activity led the Feds in the fall to issue a warning that state and local governments needed to fortify their systems against the trojan.
“Emotet’s relevance on the cyber-threat landscape cannot be overstated,” Digital Shadows’ De Blasi said. “Emotet operators frequently modified the techniques used by this botnet to obfuscate its activity and increase its distribution; social-engineering attacks such as spear-phishing emails containing malicious attachments have been one of the most successful tactics employed by Emotet.”
Possible NetWalker Disruption
Meanwhile, the NetWalker ransomware operation has been impacted by a law enforcement action.
The Dark Web site that the ransomware uses to publish the data it steals during its campaigns is displaying a seizure notice, researchers reported on Twitter early Wednesday. A few hours later, the Justice Department confirmed the seizure (by Bulgarian national police) and also announced federal charges against a NetWalker suspect.
The notice says that the FBI and the national police force of Bulgaria have worked together to sinkhole the sites. The news drew plenty of attention: One person tweeted that she was being taken to a 404 page rather than the legal action notice when trying to access the site, due to demand.
The Feds also seized around a half-million dollars in cryptocurrency extorted by ransom efforts — though they said the suspect, Canadian national Sebastien Vachon-Desjardins, has actually banked closer to $27.6 million over the course of his NetWalker activities.
Emotet Botnet dismantled in a joint international operation
28.1.2021 BotNet Securityaffairs
A global operation of law enforcement, led by Europol, has dismantled the infrastructure of the infamous Emotet botnet.
The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.
Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.
The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).
Emotet is modular malware; its operators could develop new Dynamic Link Libraries to update its capabilities.
At the end of 2020, a large-scale Emotet campaign hit Lithuania; the malware infected the networks of Lithuania’s National Center for Public Health (NVSC) and several municipalities.
“Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.” reads the announcement published by Europol. “This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).”
According to Europol, Emotet’s infrastructure was composed of several hundreds of servers worldwide having different functionalities. The C2 infrastructure allowed operators to manage infected systems that were involved in malware distributions and in the provisioning of malicious services to criminal groups.
Law enforcement agencies and judicial authorities took control of the infrastructure from the inside, and bots are now redirected to the C2 infrastructure under the control of law enforcement.
The Dutch National Police, as part of the criminal investigation, discovered a database containing email addresses, usernames, and passwords stolen by the bots. You can check if your email address is included in the database.
“As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” continues the press release.
The National Police of Ukraine published a video showing a house search performed by its agents that seized computers, hard drives, and large amounts of money along with gold bars.
Emotet Botnet Disrupted in Global Law Enforcement Operation
28.1.2021 BotNet Securityweek
Authorities have managed to disrupt the infrastructure of the Emotet botnet, as part of an international effort of law enforcement agencies across Europe and North America.
One of the most prevalent botnets over the past decade, Emotet first emerged in 2014 as a banking Trojan, but evolved into a malware downloader used by many cybercriminals looking to spread their malicious payloads.
Emotet has become, as Europol described it, “a primary door opener for computer systems on a global scale,” as its operators were selling access to infected computers to cybercrime groups that engaged in activities such as data theft or extortion.
Using automation, Emotet’s operators were spreading the Trojan via malicious email attachments, leveraging a broad range of lures to trick victims into opening them. Some of the emails were masquerading as invoices and shipping notices, while others featured COVID-19 themes.
Malicious documents attached to the emails or linked to in the message would ask the user to enable macros, which allowed malicious code to run in the background and install Emotet.
Emotet then acted as a loader, as its operators allowed other cybercriminals to rent the botnet to deploy their own malware, including banking Trojans, ransomware, and other malicious applications. The TrickBot Trojan and Ryuk ransomware are known to have been distributed via Emotet.
Emotet’s infrastructure, which included several hundreds of servers worldwide, allowed operators to manage infected computers, spread to new machines, offer services to other criminal groups, and improve the network’s resilience.
In order to take down the botnet, law enforcement and judicial authorities took control of the infrastructure “from the inside,” and infected machines are now redirected to this law enforcement-controlled infrastructure.
Authorities in the Netherlands, France, Germany, the United States, Canada, the United Kingdom, Lithuania, and Ukraine collaborated in this operation, coordinated by Europol and Eurojust.
The Dutch National Police’s investigation into Emotet has led to the discovery of a database of email addresses, usernames, and passwords stolen by the malware. Users can now check if their email address is included in the database.
“As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs),” Europol notes.
A video of a house search performed as part of the operation, which the National Police of Ukraine published on YouTube, shows authorities seizing hard drives, computers, and other equipment, along with large amounts of money and what appear to be gold bars, which clearly shows that Emotet was a highly profitable cybercriminal enterprise.
DanaBot Malware Roars Back into Relevancy
27.1.2021 BotNet Threatpost
Sophisticated and dangerous, DanaBot has resurfaced after lying dormant for seven months.
Researchers are warning that a new fourth version of the DanaBot banking trojan has surfaced after months of mysteriously going quiet. The latest variety, still under analysis by researchers, is raising concerns given the number of effective past DanaBot campaigns.
From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape, according to Proofpoint, which first discovered the malware in 2018 and posted a debrief on the latest variant Tuesday.
“Starting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal,” wrote Dennis Schwarz, Axel F. and Brandon Murphy, in the collaborative Tuesday report. “While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.”
DanaBot the Destructor
DanaBot is a banking trojan that first targeted users in Australia via emails containing malicious URLs. Criminals then developed a second variant and targeted US companies – part of a series of large-scale campaigns. A third variant surfaced in February 2019 that was significantly enhanced with remote command-and-control functionality, according to the ESET researchers who discovered it.
While the most recent fourth version, found by Proofpoint, is unique, it’s unclear from the researchers’ recent report what specific new capabilities, if any, the malware has today. Proofpoint did not reply to press inquiries.
Compared to previous campaigns, the Tuesday report suggests that this most recent variant comes packed mostly with the same deadly arsenal of tools that have come before. Main features include a Tor component to anonymize communications between the bad guys and infected hardware.
“As previously reported in DanaBot control panel revealed, we believe DanaBot is set up as a ‘malware as a service’ in which one threat actor controls a global command and control (C&C) panel and infrastructure then sells access to other threat actors known as affiliates,” researchers wrote.
At the DanaBot Core
In general, DanaBot’s multi-stage infection chain starts with a dropper that triggers a cascading evolution of hacks. These include stealing network requests, siphoning off application and service credentials, data exfiltration of sensitive information, ransomware infection, desktop screenshot spying and the dropping of a cryptominer to turn targeted PCs into cryptocurrency worker bees.
With its current analysis, Proofpoint focused on the specific technical changes within the malware’s “Main component.” That facet of the malware included anti-analysis features along with:
Some Windows API functions are resolved at run-time.
When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes.
Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.
LNK files (or Windows shortcut files) are files created by Windows automatically, whenever a user opens their files. These files are used by Windows for connecting a file type to a specific application used to view or edit digital content.
Incremental Updates Identified
With this new variant, researchers identified several new Affiliate IDs, suggesting that the malware-as-a-service component to DanaBot was very much active and growing. Also flagged were new tactics and techniques for infection.
“Proofpoint researchers were able to narrow down at least one of the DanaBot distribution methods to various software warez and cracks websites that supposedly offer software keys and cracks for a free download, including anti-virus programs, VPNs, graphics editors, document editors, and games,” researchers wrote.
Illicit content or warez tools downloaded from these sites are identified as the initial infection points for this latest fourth variant. One site, promoting a software key generator, bait-and-switched users who thought they were downloading a program crack; the warez file actually “contained several ‘README’ files and a password-protected archive containing the initial dropper for the malware bundle, ‘setup_x86_x64_install.exe,’” wrote Proofpoint.
“Some of the affiliates that were using [DanaBot] have continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in the threat landscape,” concluded researchers.
New 'FreakOut' Malware Ensnares Linux Devices Into Botnet
21.1.2021 BotNet Virus Securityweek
A recently identified piece of malware is targeting Linux devices to ensnare them into a botnet capable of malicious activities such as distributed denial of service (DDoS) and crypto-mining attacks.
Dubbed FreakOut, the malware is infecting devices that haven’t yet received patches for three relatively new vulnerabilities, including one that was made public earlier this month.
FreakOut, according to cybersecurity firm Check Point, can scan ports, harvest information, create and send data packets, perform network sniffing, and can also launch DDoS and network flooding attacks.
One of the vulnerabilities targeted by the botnet is CVE-2020-28188, an unauthenticated, remote command execution in TerraMaster TOS (TerraMaster Operating System) up to version 4.2.06. TerraMaster is a vendor of network- and direct-attached storage solutions.
The second one is CVE-2021-3007, a deserialization bug in Zend Framework that could lead to remote code execution. The popular collection of libraries for web application development is no longer supported by its maintainer.
FreakOut also targets CVE-2020-7961, a deserialization bug in Liferay Portal prior to 7.2.1 CE GA2, which could lead to the remote execution of arbitrary code via JSON web services (JSONWS). Liferay Portal is a free, open-source enterprise portal designed for building web portals and sites.
“Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities,” Check Point notes.
Once infected, the devices targeted by FreakOut are abused by the threat actors behind the attack to target more devices and expand the botnet, and for further malicious activity, including lateral movement, crypto-mining, and DDoS attacks.
“Our research found evidence from the attack campaign’s main C&C server that around 185 devices had been hacked,” Check Point says.
Over the course of several days in January 2021, Check Point observed more than 380 attack attempts, with North America and Western Europe targeted the most. Finance (26.47%), government (23.53%), and healthcare (19.33%) were the industries affected the most.
FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities
20.1.2021 BotNet Exploit Thehackernews
An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.
The attacks deploy a new malware variant called "FreakOut" by leveraging critical flaws fixed in Laminas Project (formerly Zend Framework) and Liferay Portal as well as an unpatched security weakness in TerraMaster, according to Check Point Research's new analysis published today and shared with The Hacker News.
Attributing the malware to a long-time cybercrime hacker, who has gone by the aliases Fl0urite and Freak on HackForums and Pastebin since at least 2015, the researchers said the flaws (CVE-2020-28188, CVE-2021-3007, and CVE-2020-7961) were weaponized to inject and execute malicious commands in the server.
Regardless of the vulnerabilities exploited, the end goal of the attacker appears to be to download and execute a Python script named "out.py" using Python 2, which reached end-of-life last year, implying that the threat actor is banking on the possibility that victim devices have this deprecated version installed.
"The malware, downloaded from the site hxxp://gxbrowser[.]net, is an obfuscated Python script which contains polymorphic code, with the obfuscation changing each time the script is downloaded," the researchers said, adding the first attack attempting to download the file was observed on January 8.
And indeed, three days later, cybersecurity firm F5 Labs warned of a series of attacks targeting NAS devices from TerraMaster (CVE-2020-28188) and Liferay CMS (CVE-2020-7961) in an attempt to spread the N3Cr0m0rPh IRC bot and a Monero cryptocurrency miner.
An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel to execute malicious commands.
In FreakOut's case, the compromised devices are configured to communicate with a hardcoded command-and-control (C2) server from where they receive command messages to execute.
The malware also comes with extensive capabilities that allow it to perform various tasks, including port scanning, information gathering, creation and sending of data packets, network sniffing, and DDoS and flooding.
Furthermore, the hosts can be commandeered as a part of a botnet operation for crypto-mining, spreading laterally across the network, and launching attacks on outside targets while masquerading as the victim company.
With hundreds of devices already infected within days of launching the attack, the researchers warn, FreakOut will ratchet up to higher levels in the near future.
For its part, TerraMaster is expected to patch the vulnerability in version 4.2.07. In the meantime, it's recommended that users upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later and laminas-http 2.14.2 to mitigate the risk associated with the flaws.
"What we have identified is a live and ongoing cyber attack campaign targeting specific Linux users," said Adi Ikan, head of network cybersecurity Research at Check Point. "The attacker behind this campaign is very experienced in cybercrime and highly dangerous."
"The fact that some of the vulnerabilities exploited were just published, provides us all a good example for highlighting the significance of securing your network on an ongoing basis with the latest patches and updates."
TeamTNT botnet now steals Docker API and AWS credentials
10.1.2021 BotNet Securityaffairs
Researchers from Trend Micro discovered that the TeamTNT botnet was improved and is now able to steal Docker API logins along with AWS credentials.
The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The activity of the TeamTNT group has been detailed by security firm Trend Micro, but in August experts from Cado Security discovered that the botnet is also able to target misconfigured Kubernetes installations.
Upon infecting Docker and Kubernetes systems running on top of AWS servers, the bot scans for ~/.aws/credentials and ~/.aws/config, which are the paths where the AWS CLI stores credentials and configuration details in unencrypted files.
The malware deploys the XMRig mining tool to mine Monero cryptocurrency.
The attribution of the recent infections to TeamTNT is based on its Command and Control URLs, some strings, crypto keys, and the language used in the samples analyzed by Trend Micro.
Compared to past similar attacks, the new samples have been significantly improved.
“The malicious shell script used here was developed in Bash. Compared to past similar attacks, the development technique was much more refined for this script; there were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.” states the report.
The new variant of the bot is also able to collect Docker API credentials using a routine that only checks for credential files on the machine and then exfiltrates them. The new sample includes two new routines.
“The first one requests the AWS metadata service and tries to get the credentials from there. The other one checks the environment variables for AWS credentials; if these are present, they are uploaded to the C&C server.” continues the report.
The new attacks have only been seen targeting container platforms. Experts noticed that the container image that holds all the malicious samples was created recently; the total number of downloads is 2,000.
“The tactics have now evolved exponentially. The malicious scripts are being developed to steal more sensitive data such as credentials. They are now also equipped with other functions, like preparing the environment to make sure it would have resources enough to mine, being stealthy enough to keep mining for as long as possible, and also making sure to leave backdoors in case they need to remotely connect to their targets.” concludes the report.
“Since the attacks are now also looking for Docker credentials, implementing API authentication is not enough. System admins should also make sure that the API is not exposed publicly, and can only be accessed by those who need to.”
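A defender-side audit of the exposure points described in this article, added here as an example and not taken from the Trend Micro report or from the malware: it looks for unencrypted AWS CLI files, AWS credential variables in a process environment, and a Docker API listener reachable beyond loopback. The function names, the fixture and the 2375/2376 port check are assumptions; the metadata-service routine is not covered.

```shell
#!/bin/sh
# Added example (not from the Trend Micro report): audit a host, container or
# mounted image for the credential sources the article says TeamTNT harvests.

# AWS CLI files (~/.aws/credentials, ~/.aws/config) are stored unencrypted.
# Prints "LOOSE <path>" if group/other can read the file, else "PRESENT <path>".
aws_cred_files() (
    root=$1
    find "$root" -type f \( -path '*/.aws/credentials' -o -path '*/.aws/config' \) 2>/dev/null |
    sort |
    while IFS= read -r f; do
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "LOOSE $f"
        else
            echo "PRESENT $f"
        fi
    done
)

# Names (never values) of AWS credential variables found in a NUL-separated
# environment dump such as /proc/<pid>/environ.
env_aws_vars() (
    tr '\000' '\n' < "$1" |
    grep -E '^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)=' |
    cut -d= -f1 | sort -u
)

# Reads `ss -ltn` output on stdin and flags Docker API listeners that are not
# bound to loopback. Ports 2375/2376 are Docker's conventional TCP ports and
# are an assumption about the deployment being audited.
docker_api_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == "2375" || port == "2376") && addr != "127.0.0.1" && addr != "[::1]")
            print "EXPOSED " $4
    }'
}

# Constructed fixture: fake home directories, environment dump and ss output.
build_fixture() (
    dir=$(mktemp -d)
    mkdir -p "$dir/root/.aws" "$dir/home/app/.aws"
    printf '[default]\naws_access_key_id = CONSTRUCTED\n' > "$dir/root/.aws/credentials"
    chmod 600 "$dir/root/.aws/credentials"
    printf '[default]\nregion = us-east-1\n' > "$dir/home/app/.aws/config"
    chmod 644 "$dir/home/app/.aws/config"
    printf 'PATH=/usr/bin\000AWS_ACCESS_KEY_ID=CONSTRUCTED\000AWS_SECRET_ACCESS_KEY=CONSTRUCTED\000' > "$dir/environ"
    cat > "$dir/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:2375        0.0.0.0:*
LISTEN  0       4096    127.0.0.1:2376      0.0.0.0:*
EOF
    echo "$dir"
)

# Run the three checks against the constructed fixture.
demo=$(build_fixture)
aws_cred_files "$demo"
env_aws_vars "$demo/environ"
docker_api_listeners < "$demo/ss.txt"
rm -rf "$demo"
```

On a real system, point aws_cred_files at / or a mounted image root, and pipe the live output of ss -ltn into docker_api_listeners.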