Botnet Trend Report 2019-12

Botnet Trend Report 2019-12

September 28, 2020 | Adeline Zhang

This chapter describes active botnet families under long-term tracking of and other families newly captured by NSFOCUS Security Labs, from the perspectives of their background, activity, and association with other families.

Botnet Families

  • GoBrut

Malware in the GoBrut family, written in Go, made its debut in early 2019, in a bid to detect services on a target website and obtain the login user name and password via brute force attacks. The GoBrut family emerged during an epoch characterized by poor security of website management frameworks (like Magento, WordPress, and Drupal) and ubiquitous weak passwords. After obtaining the user name and password of the target website, the attacker can log in to the website to gain shell privileges for further malicious operations.

Since its emergence, this family has been updated at a steady pace, having more than 10 versions in just one year. Besides, it has shifted its focus from Windows to Linux and launched a slew of attacks in 2019.

As for target types, most of malicious families are currently detected to perform brute-force attacks mainly against remote management protocols and databases. The GoBrut family, however, also hits website management systems.

When it comes to the brute-force attack method, from instructions issued by the C&C server, zombies obtain the designated website domain name and the user name and password to launch distributed attacks. Figure 3-1 and Figure 3-2 illustrate the two types of attacks.

With regard to functions, the GoBrut family neither performs other malicious behaviors than brute-force attacks nor spreads itself, thus merely playing the “pathfinder” role in the kill chain.

In 2019, GoBrut frequently targeted website management systems like Magento, WordPress, and Drupal, as well as SSH. Here is an example: In July and September in 2019, this family launched a massive attack campaign against WordPress-powered websites, compromising tens of thousands of targets. As the victim list was uploaded to the C&C server and publicly accessible, this attack incident was disclosed quickly. Since then, GoBrut deliberately kept a low profile, becoming less conspicuous.

Currently, C&C servers of GoBrut are mostly found in Russia, the Netherlands, and Bulgaria and some reside in Panama and Canada. According to tracking data from NSFOCUS Security Labs, GoBrut
collected data concerning more than 2,000,000 WordPress-powered websites for brute-force attacks in the latter half of 2019, 50% of which have the top-level domain name of .com. We collected statistics on top 50 other domain names than those with .com and got the following distribution of major top-level domain names.

Malicious compromises against lots of WordPress-powered websites are only a small portion of all attack incidents carried out by GoBrut. At present, over 10,000,000 websites are created with WordPress on the Internet which can be easily used as C&C server agents by botnet groups and APT groups for the anti-tracking purpose, making it extremely difficult to conduct attack attribution and cybercrime investigation.

  • Gafgyt

In 2019, Gafgyt remained active. Compared with the previous year, there were 3.9 times as many as new malware and the daily average number of new C&C servers increased by 34.5% in 2019.

In respect of malicious behaviors, the daily average number of DDoS attack instructions of the Gafgyt family rose by 175% to 522 from 2018’s 190. As for attack methods, UDP flood attacks still dominated, targeting HTTP ports 80 and 443 and gaming ports 3074, 30000, 30100, and 30200.

In contrast with 2018, Gafgyt still favored devices and users in North America, Europe, and Australia, hitting those in the USA, Austria, the UK, and the Netherlands most frequently. However, Asia saw a slight decrease in the number of attacks launched by this family in 2019.

In 2019, the Gafgyt botnet had a greater reliance on the cloud/VPS as it used servers from more than 90 cloud/VPS providers. Statistics revealed that providers with cheaper solutions were more valued by attackers.

According to the Gafgyt chatting records, a Gafgyt network administrator configured Gafgyt to scan network devices from Huawei and Zyxel and got 1000 bots the next morning. Compared with conventional Windows/Linux-based botnets, Gafgyt is a lot faster when infecting devices.

Among all exploit modules embedded in the Gafgyt malware, exploit payloads targeting Huawei HG532 routers and Zyxel P660HN routers were used most frequently in 2019.

As Gafgyt malware scans random IP addresses, routers exposed on the public network will be hit and become new scanning nodes immediately as long as they contain vulnerabilities. This leads to the exponential increase in the efficiency of Gafgyt exploits.

Secondly, we found that some Gafgyt perpetrators started to use Perl scripts to aid in attacks in the second half of 2019. More often than not, Gafgyt uses scripts such as,,, and to achieve malicious purposes, like bypass flood attacks and remote command execution.

This finding answers the following question: Why does Gafgyt target an IP address of a cloud provider that provides DDoS protection although it is not complicated enough to carry out customized DDoS attacks? With these custom-made scripts, Gafgyt can bypass DDoS protection policies of certain cloud server providers to launch attacks, without being constrained by programming designs. Therefore, we should be highly alert to this botnet family.

To be continued.