Botnet Trend Report -2

Botnet Trend Report -2

julho 20, 2020 | Mina Hao

2019 witnessed frequent breakout of cybersecurity events, in which malware played an important role, exhibiting an eye-popping power of destruction with botnets.

At the end of 2018, Driver Talent suffered a supply chain attack as a result of its upgrade channel being planted with a Monero mining trojan, which, once breaking into a computer, would spread laterally via the EternalBlue exploit to infect more computers. The impact of this attack could still be felt in 2019, giving rise to a slew of emergencies.

In early 2019, the banking trojan Emotet, in conjunction with TrickBot, distributed the ransomware Ryuk. The three families worked together to create tertiary payloads against businesses in Europe and the USA. After that, the Emotet family became very active and the number of attacks initiated by it rose sharply.

At the beginning of 2019, the brute-forcing family GoBrut made its debut. In August, it launched bruteforce attacks on tens of thousands of WordPress-powered websites. As the list of compromised targets was published on a publicly accessible server, the event escalated to affect more websites. Through ongoing tracking of GoBrut, NSFOCUS Security Labs found that family was still active, conducting largescale campaigns against website management frameworks such as WordPress and the Secure Shell (SSH) protocol endlessly.

In June 2019, the organization behind the notorious ransomware family GandCrab declared that they would stop updating the malware. Subsequently, Sodinokibi, a successor of GandCrab, got on the stage by sending spam pretending to be an email from DHL International Shipping. According to NSFOCUS Security Labs’ observation, the operator of Sodinokibi uses a more open online communication platform
to facilitate victims’ payment of ransom, showing a high level of industrialization.

In June 2019, while tracking the adware bundling family SoftCNApp, NSFOCUS Security Labs discovered that this family spread malware and was involved in a series of malicious promotional activities, including hijacking browser homepages, promoting other software programs, and displaying pop-ups. This type of malware exhibited a high level of activity, affecting the user experience and at the same time becoming a channel to deliver other malware families.

In August 2019, NSFOCUS Security Labs detected a special variant of the IoT botnet family Mirai. This

variant deploys C&C servers on the dark web and communicates with them via a proxy server. This method, once copied by other Linux/IoT malware families, will constitute a new type of cyber threat.

In September 2019, NSFOCUS Security Labs detected a Monero cryptojacking attack launched by exploiting a vulnerability in Redis. The malicious payload SkidMap used in this attack would replace binaries of multiple common Linux commands and load a malicious driver to avoid detection. This type of attacks, which combines a backdoor and rootkit, improves the anonymity of malware and so is more difficult to detect.

To be continued.