Apr 09, 2024NewsroomBotnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.

“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.

In a sign that the attackers are expanding their arsenal of initial access methods to expand the scale of the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.

RUBYCARP’s arrival on the cyber threat scene is not surprising given their ability to take advantage of the botnet to fuel diverse illicit income streams such as crypto mining and phishing operations to steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

“These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” Sysdig said. “They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations.

Mar 29, 2024NewsroomNetwork Security / IoT Security

A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.

In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices and, deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.

The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine if the infected device has internet connectivity and it is not being run in a sandbox.

The targeting of EoL appliances to fabricate the botnet is no coincidence, as they are no longer supported by the manufacturer and become susceptible to security vulnerabilities over time. It’s also possible that the devices are infiltrated by means of brute-force attacks.

Additional analysis of the proxy network has revealed that more than 30% of the infections lasted for over 50 days, while about 15% of the devices were part of the network for 48 hours or less.

“Faceless has become a formidable proxy service that rose from the ashes of the ‘iSocks’ anonymity service and has become an integral tool for cyber criminals in obfuscating their activity,” the company said. “TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service.”

Feb 16, 2024NewsroomBotnet / Network Security

The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities.

“These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations,” the U.S. Department of Justice (DoJ) said in a statement.

APT28, also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia’s Main Directorate of the General Staff (GRU). It’s known to be active since at least 2007.

Court documents allege that the attackers pulled off their cyber espionage campaigns by relying on MooBot, a Mirai-based botnet that has singled out routers made by Ubiquiti to co-opt them into a mesh of devices that can be modified to act as a proxy, relaying malicious traffic while shielding their actual IP addresses.

The botnet, the DoJ said, allowed the threat actors to mask their true location and harvest credentials and NT LAN Manager (NTLM) v2 hashes via bespoke scripts, as well as hosting spear-phishing landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and propagating the MooBot malware to other appliances.

In a redacted affidavit filed by the U.S. Federal Bureau of Investigation (FBI), the agency said MooBot exploits vulnerable and publicly accessible Ubiquiti routers by using default credentials and implants an SSH malware that permits persistent remote access to the device.

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” the DoJ explained. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

The APT28 actors are suspected to have found and illegally accessed compromised Ubiquiti routers by conducting public scans of the internet using a specific OpenSSH version number as a search parameter, and then using MooBot to access those routers.

Spear-phishing campaigns undertaken by the hacking group have also leveraged a then-zero-day in Outlook (CVE-2023-23397) to siphon login credentials and transmit them to the routers.

“In another identified campaign, APT28 actors designed a fake Yahoo! landing page to send credentials entered on the false page to a compromised Ubiquiti router to be collected by APT28 actors at their convenience,” the FBI said.

As part of its efforts to disrupt the botnet in the U.S. and prevent further crime, a series of unspecified commands have been issued to copy the stolen data and malicious files prior to deleting them and modify firewall rules to block APT28’s remote access to the routers.

The precise number of devices that were compromised in the U.S. has been censored, although the FBI noted that it could change. Infected Ubiquiti devices have been detected in “almost every state,” it added.

The court-authorized operation – referred to as Dying Ember – comes merely weeks after the U.S. dismantled another state-sponsored hacking campaign originating from China that leveraged another botnet codenamed KV-botnet to target critical infrastructure facilities.

Last May, the U.S. also announced the takedown of a global network compromised by an advanced malware strain dubbed Snake wielded by hackers associated with Russia’s Federal Security Service (FSB), otherwise known as Turla.

Feb 13, 2024NewsroomCryptocurrency / Rootkit

The Glupteba botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware.

“This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in a Monday analysis.

Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It’s also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.

Some of the other functions allow it to deliver additional payloads, siphon credentials, and credit card data, perform ad fraud, and even exploit routers to gain credentials and remote administrative access.

Over the past decade, modular malware has metamorphosed into a sophisticated threat employing elaborate multi-stage infection chains to sidestep detection by security solutions.

A November 2023 campaign observed by the cybersecurity firm entails the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters, leveraging PrivateLoader as a conduit to propagate next-stage malware.

This takes the form of large-scale phishing attacks in which PrivateLoader is delivered under the guise of installation files for cracked software, which then loads SmokeLoader that, in turn, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.

“Threat actors often distribute Glupteba as part of a complex infection chain spreading several malware families at the same time,” the researchers explained. “This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”

In a sign that the malware is being actively maintained, Glupteba comes fitted with a UEFI bootkit by incorporating a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.

It’s worth pointing out that previous versions of the malware were found to “install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”

“Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.

“The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware’s capacity for innovation and evasion. Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”

Jan 17, 2024NewsroomBotnet / Cloud Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for “victim identification and exploitation in target networks.”

A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware inspiring several similar tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator.

The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.

Some of the notable flaws weaponized by the attackers include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

“AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of web shells,” Lacework said. “For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute-force attacks.”

These features make AndroxGh0st a potent threat that can be used to download additional payloads and retain persistent access to compromised systems.

The development arrives less than a week after SentinelOne revealed a related-but-distinct tool called FBot that is being employed by attackers to breach web servers, cloud services, content management systems (CMS), and SaaS platforms.

It also follows an alert from NETSCOUT about a significant spike in botnet scanning activity since mid-November 2023, touching a peak of nearly 1.3 million distinct devices on January 5, 2024. A majority of the source IP addresses are associated with the U.S., China, Vietnam, Taiwan, and Russia.

“Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads,” the company said. “These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain.”

Jan 10, 2024NewsroomServer Security / Cryptocurrency

A new Mirai-based botnet called NoaBot is being used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NaoBot’s Mirai foundations, its spreader module leverages an SSH scanner to search for servers susceptible to dictionary attack in order to brute-force them and add an SSH public key in the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries post successful exploitation or propagate itself to new victims.

“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.

“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”