Showing posts with label botnet. Show all posts

Tuesday, February 2, 2021

A New Botnet Emerges, FreakOut!


February 3rd REDSHORT — PRESENTATION of A New Botnet Emerges, FreakOut! Infecting Linux devices to perform various malicious activities. Red Sky Analysts will provide an analysis of the malware's operation, capabilities, and how to defend against it. Join us to find out more: https://attendee.gotowebinar.com/register/3702558539639477516

Monday, April 8, 2019

316K Victims of Smominru Cryptocurrency Mining Botnet

Beginning in August 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked EternalBlue exploit. Smominru, aka MyKings, is characterized by its targeting of Windows systems and its use of WMI as a fileless persistence mechanism.[1]

As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview of the malware installation as well as details on the Smominru infrastructure and botnet.

To read the full article and find an archive of related reporting, follow this link to READBOARD.

WWW.WAPACKLABS.COM

Tuesday, November 21, 2017

Reaper IoT Botnet Exploits and Mitigations

TLP AMBER ANNOUNCEMENT:

Reaper is a recently discovered Internet of Things (IoT) botnet that is proving to be more sophisticated and aggressive than the infamous 2016 Mirai IoT botnet. Despite the large botnet size reported by Tenable, there are very few IoT Reaper specimens available on VirusTotal and other malware-sharing sites. This is important to note, as the number of specimens is often a reflection of the number of infections. For example, there are currently thousands of Mirai specimens as opposed to a few dozen IoT Reaper specimens available. To date, no Distributed Denial of Service (DDoS) attacks have been observed from the IoT Reaper botnet. Wapack Labs analysts are providing this document as a summary of mitigations and indicators for Reaper malware and observed exploits. Wapack Labs recommends testing all signatures before deployment...READ MORE

Wapack Labs has cataloged and reported on IoT and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.


Tuesday, September 12, 2017

Warhorse Botnet and Attack Framework

In August 2017, Wapack Labs uncovered a new botnet leveraging a recently released attack framework dubbed "Warhorse". The bots were observed delivering the GlobeImposter malware to numerous targets, including those in the government, military, telecommunications, and energy sectors. JavaScript downloaders such as Warhorse have become a popular delivery mechanism for multiple malware campaigns. The speed with which Warhorse was adopted by cyber criminals is notable, with the campaign described in this report taking place only a few days after the project appeared on GitHub. While Warhorse currently has an above-average detection ratio on VirusTotal, it is still undetected by several major anti-virus vendors. Furthermore, since the delivery infrastructure is likely part of a larger botnet, there is a high probability the bots are being leveraged in other attacks. This report provides an early warning on this new botnet and details on the Warhorse attack framework...READ MORE

Wapack Labs has cataloged and reported extensively on botnets and malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, May 9, 2017

Nature is Bullet Proof: Dark Cloud

Wapack Labs is researching key components of the Dark Cloud network, including all associated malware to date. "Dark Cloud" is an infrastructure that encompasses thousands of fast-flux proxy botnets in a 'bullet proof' hosting environment, renting thousands of botnets to underground users for use in criminal activity. Roughly 20% of the observed bots were actively leveraged by Dark Cloud. Sality file-infector malware was by far the most commonly observed activity and represents a likely propagation mechanism for the botnet...READ MORE

Wapack Labs has cataloged and reported extensively on malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, February 28, 2017

For Sale: W-2s and the GozNym Botnet

On February 17, 2017, Wapack analysts observed a deep web market vendor advertising 2016 U.S. W-2s with dates of birth (DOB) and U.S./EU bank accounts for sale. Additionally, the vendor is also selling the GozNym botnet. The vendor maintains good feedback in deep web markets. GozNym, though underground, received media attention in late September 2016 when Cisco's Talos team cracked the Domain Generation Algorithm (DGA) of GozNym. This exposure may be the reason for the vendor's current public sale, which uses dark web market escrow systems. Though the vendor sells on these sites, business is conducted over Jabber/e-mail using PGP encryption...READ MORE

Wapack Labs has extensively reported on botnets in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: IA-004-2017
COUNTRIES: US, EU
INDUSTRIES: Financial
REPORT DATE: 20170221

Wednesday, November 16, 2016

Russian Hacker Monetizes Traffic

A Russian hacker has been operating in the Russian underground for over 10 years, carrying out activities that range from stealing and distributing credit card data to hacking pharmacy-related websites in order to monetize their traffic. The known actor was observed working with another Russian-speaking hacker, which possibly connects the actor to the gang that operated several botnets.