Botnet

NSFOCUS Reveals New Botnet Family RDDoS

January 16, 2024

1. Introduction of the New Botnet RDDoS In early November 2023, NSFOCUS’s Global Threat Hunting System detected that an unknown elf file was spreading widely, which aroused our vigilance. After further analysis, we confirmed that this batch of elf samples belonged to a new botnet family. NSFOCUS Security Research Labs named the botnet Trojan as […]

xorbot: A Stealthy Botnet Family That Defies Detection

December 18, 2023

I. Background of xorbot In November 2023, NSFOCUS Global Threat Hunting System detected that a type of elf file was being widely distributed and accompanied by a large amount of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity. After further […]

Mirai Botnet’s New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught

October 3, 2023

I. Abstract In September 2023, NSFOCUS global threat hunting system monitored several new botnet variant families developed based on Mirai, among which hailBot, kiraiBot and catDDoS are the most active, are accelerating their spread, and are widely deployed, which has constituted a considerable threat. Through this article, we will disclose the technical details of these […]

From Ripples to Waves: The Swift Evolution of the “Boat” Botnet

August 18, 2023

The botnet family “Boat” was first discovered by NSFOCUS Security Labs in June 2022. Its name comes from the fact that malicious samples in its early versions propagate with the file name “boat”. At the same time, since some malicious samples in later versions of this family retain symbolic information and there are a large […]

KmsdBot: A Customized Botnet Family with DDoS and Mining Capabilities

Uma imagem que ilustra um hacker mexendo em um notebook.

August 7, 2023

I. Overview NSFOCUS Security Labs recently detected that a new botnet family KmsdBot, which combines DDoS and mining functions, has become active again. Attackers continue to replace C&C infrastructure and update Trojan versions. Compared with the traditional botnet-like family, KmsdBot adopts a brand-new architecture and is developed in the Go programming language. The simplicity, high […]

A New Botnet Family Discovered by NSFOCUS

March 13, 2023

Background Recently NSFOCUS Security Labs detected a batch of suspicious ELF files spreading widely. Further analysis confirmed that these ELF samples belonged to a new botnet family. We named the family “Peachy Botnet” according to the signature information left by the Bot author in the sample. The Peachy Botnet began to spread as early as […]

Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1

October 16, 2020

Overview

In the distributed denial-of-service (DDoS) botnet activities in 2020 H1, most were from Mirai, Gafgyt, and other major families.

In 2020 H1, DDoS attack means were dominated by UDP floods, CC, and TCP floods.

In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major hosted cloud service providers of C&C servers. We predict that it will remain unchanged in 2020 H2.

In the same period, 128 types of vulnerabilities were detected to be spread and exploited by the Internet of Things (IoT) trojans. Of all these vulnerabilities, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and ThinkPHP remote code execution vulnerability were the most frequently exploited.

Through NSFOCUS’s threat hunting system, we have kept an eye on a botnet specializing in Monero cryptomining for a long time. The botnet intrudes upon hosts by cracking weak passwords and gains control privileges by implanting bot programs. Meanwhile, it downloads and executes Monero cryptomining scripts via the downloader for malicious cryptomining. The cryptomining botnet became increasingly active in 2020 H1, involving a total of 20,830 active bots. China was the country with the most bots, which were as many as 8304, accounting for 40% of the total. Port 22 was opened on 13,664 bots, approximately 66% of all bots. According to known asset intelligence, routers and cameras were dominant device types reduced to bots.

(more…)

Vollgar Botnet Threat Alert

April 14, 2020

Overview

On April 1, the Guardicore Labs team uncovered a long-running attack campaign which aims to infect Windows machines running MS-SQL servers. At least since May 2018, the campaign uses password brute force to breach victim machines, deploys multiple backdoors, and executes numerous malicious modules, such as remote access tools (RATs). We dubbed the campaign Vollgar.

It is not uncommon for attackers to use password brute force to breach systems and then inject malware. However, according to the report, there are still 2000–3000 databases being attacked every day. Victims are distributed in different countries (including China, India, South Korea, Turkey, and the USA) and belong to various industry sectors (including healthcare, aviation, IT, telecommunications, and higher education). (more…)

Technical Analysis Report on Rowdy, A New Type of IoT Malware Exploiting STBs

October 19, 2017

In August 2017, NSFOCUS’s DDoS situation awareness platform detected anoma-lous bandwidth usage over a customer’s network, which, upon analysis, was confirmed to be a distributed denial-of-service (DDoS) attack. The attack was characterized by different types of traffic, including TCP flood, HTTP flood, and DNS flood. Tracing source IP addresses, we found that the attack had […]

Search

Subscribe to the NSFOCUS Blog