Recently NSFOCUS Security Labs detected a batch of suspicious ELF files spreading widely. Further analysis confirmed that these ELF samples belong to a new botnet family. We named the family “Peachy Botnet” after the signature string the bot author left in the sample.
The Peachy Botnet began to spread as early as August 2021, and its code structure has since been fine-tuned many times. The major changes across versions concern the attack methods: the early version supports only one DDoS attack, while the later version supports four. Both versions appeared between August 2021 and the middle of September 2021, and have since spread to different degrees.
The Peachy Botnet spreads through Telnet brute-forcing (blasting). The affected platforms include the arm, spc, ppc, mips and x86 architectures.
The weak username/password pairs used in blasting are the ones typically seen in the traditional Gafgyt and Mirai botnet families.
We noticed that during Telnet blasting the Peachy Botnet sends the string “PEACH”. This string serves as an excellent signature for the family and cleanly distinguishes its traffic from the Telnet scanning traffic of traditional botnet families.
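As an added illustration of how a defender can use that marker (this is example code written for this page, not NSFOCUS Security Labs tooling), the script below scans reassembled Telnet sessions for the byte string “PEACH” and, alongside it, counts Telnet login attempts per source so that ordinary weak-password blasting from Mirai/Gafgyt-style scanners still stands out even without the marker. The session records, the record layout, the credentials and the brute-force threshold are all constructed assumptions for the demonstration; only the “PEACH” string itself comes from the article.

```python
# Added example (not NSFOCUS Security Labs code): flag Telnet sessions that
# carry the "PEACH" marker the article attributes to the Peachy Botnet, and
# count Telnet login attempts per source so brute-forcing stands out. The
# session records below are constructed for illustration; the record layout
# and the credentials in them are assumptions, not captured Peachy traffic.
from collections import Counter
from dataclasses import dataclass

# Signature string the article reports the bot sending during Telnet blasting.
PEACH_MARKER = b"PEACH"
# Assumption: Telnet brute-forcing arrives on the usual Telnet ports.
TELNET_PORTS = {23, 2323}


@dataclass
class TelnetSession:
    src_ip: str
    dst_ip: str
    dst_port: int
    client_payload: bytes  # bytes the client sent, reassembled from the capture


# Constructed sample sessions (assumption: one record per TCP session).
SESSIONS = [
    TelnetSession("198.51.100.7", "192.0.2.10", 23, b"root\r\nadmin123\r\nPEACH\r\n"),
    TelnetSession("198.51.100.7", "192.0.2.11", 23, b"admin\r\nadmin\r\nPEACH\r\n"),
    TelnetSession("198.51.100.7", "192.0.2.12", 2323, b"root\r\n12345\r\n"),
    TelnetSession("198.51.100.7", "192.0.2.13", 23, b"user\r\nuser\r\n"),
    TelnetSession("203.0.113.5", "192.0.2.10", 23, b"operator\r\nS3cure!pass\r\nls\r\n"),
    TelnetSession("203.0.113.9", "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
]


def has_peach_marker(session: TelnetSession) -> bool:
    """True when the client side of a Telnet session contains the marker."""
    return session.dst_port in TELNET_PORTS and PEACH_MARKER in session.client_payload


def sessions_with_marker(sessions):
    """All sessions in which the Peachy marker was observed."""
    return [s for s in sessions if has_peach_marker(s)]


def telnet_attempts_per_source(sessions):
    """Number of Telnet sessions opened by each source address."""
    return Counter(s.src_ip for s in sessions if s.dst_port in TELNET_PORTS)


def classify_sources(sessions, bruteforce_threshold=3):
    """Label each source: 'peachy' if it sent the marker, 'bruteforce' if it
    opened at least bruteforce_threshold Telnet sessions, otherwise 'benign'.
    The threshold is a constructed value; tune it to the monitored network."""
    marker_sources = {s.src_ip for s in sessions_with_marker(sessions)}
    attempts = telnet_attempts_per_source(sessions)
    labels = {}
    for src in {s.src_ip for s in sessions}:
        if src in marker_sources:
            labels[src] = "peachy"
        elif attempts[src] >= bruteforce_threshold:
            labels[src] = "bruteforce"
        else:
            labels[src] = "benign"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SESSIONS).items()):
        print(f"{src:16} {label}")
```

The marker check is an exact byte match on the client side of the session, which is what makes it useful: the weak-credential lists overlap heavily with Mirai and Gafgyt, so a per-source attempt count alone only tells you that something is blasting Telnet, while the “PEACH” string attributes the activity to this family. In practice the `SESSIONS` list would be fed from a packet capture or a connection log rather than constructed inline.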
- Communication and instructions
When establishing a connection with the control server, the Peachy Botnet concatenates its command-line parameters into the uplink packet; if no parameters were passed in, it uses the string “unknown” instead.
The flow generated is as follows:
It first checks the received return value and executes different functions depending on the value returned by the control server. When the return value is 0x104, it runs the download and update functions.
Otherwise, it performs scanning and blasting or launches a DDoS attack depending on the value of the first byte, as shown below:
When the first byte’s value is 0xF, a DDoS attack is launched. The latest version of the Peachy Botnet supports four common DDoS attack methods, including tcp_raw and udpplain.
Since its first discovery, the Peachy Botnet has remained quiet and has not launched a destructive attack, but recently it has stepped up its spreading. The functions the Peachy Botnet uses are relatively simple, and the file size of each version is only around 60k. However, compared with the Mirai-based and Gafgyt-based variants that appear in large numbers every day, the architecture adopted by this family is relatively new. Its version is constantly updated and its functions keep improving, so we infer that the Peachy Botnet will remain active for some time.
About NSFOCUS Security Labs
NSFOCUS Security Labs (NSL) is an internationally recognized cybersecurity research and threat response center at the forefront of vulnerability assessment, threat hunting and mitigation research.