BuleHero botnet found scanning the internet to infect systems with XMRig miner and Gh0st RAT

  • To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389.
  • It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file.

BuleHero botnet derives its name from the domain bulehero[.]in found in its binary. The botnet leverages a variety of web exploits to intrude into unpatched web servers. It also contains several other exploits to spread across the network.

What does the finding say?

Lately, researchers from ZScaler have uncovered that the botnet is increasingly moving across networks to distribute two payloads - the XMRig miner and Gh0st RAT.

To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389. It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file.

These dumped passwords are provided to PsExec and WMIC tools to help the malware to spread to other machines on the network and spread the two malicious payloads.

As a part of the infection process, the botnet tries to bypass the security measures on the system like firewalls. Researchers note, “The botnet first deletes all the firewall rules and later it adds a few in order to enable access to the NetBIOS and SMB protocol.”

A brief about exploits

Some of the web application vulnerabilities that BuleHero botnet includes in its exploit list are:

  • Apache Tomcat PUTs vulnerability (CVE-2017-12615)
  • Apache Struts RCE vulnerability (CVE-2017-5638)
  • Oracle WebLogic server vulnerability (CVE-2018-2628)
  • WebLogic Deserialization RCE vulnerability (CVE-2019-2725)
  • Oracle WebLogic Server vulnerability (CVE-2017-10271)
  • ThinkPHP v5 Remote Code Execution vulnerability
  • Drupal Remote Code Execution vulnerability (CVE-2018-7600)
  • Apache Solr Remote Code Execution vulnerability (CVE-2019-0193)

The growing prevalence of BuleHero

Researchers suggest that the BuleHero botnet authors are trying to integrate RDP scanning to exploit the recently discovered Bluekeep vulnerability. The vulnerability affects nearly one million systems across the globe. Hence, users are advised to patch their systems with specific security updates to stay safe from the attacks of BuleHero botnet.