A major botnet operation related to Neutrino has been found to be active for more than a year. The botnet is hijacking web shells of other malware operations to install a cryptocurrency-mining malware.
What’s the matter?
Discovered by Positive Technologies, this new phase of the Neutrino gang’s operation started in early 2018 when the hackers began searching for random IP addresses, particularly for locating web apps and servers. The operators of the botnet appear to have shifted from targeting desktop users to online servers to spread cryptomining malware.
For this purpose, Neutrino has been searching the web for 159 different types of PHP web shells and two JSP (Java Server Pages). This compiled list of web shells is then brute-forced in an attempt to compromise servers.
Attackers can leverage the Web Shells to plant backdoor scripts on servers they compromise. The purpose is to maintain persistent access to enable malicious tasks remotely.
What is the impact?
Based on the company’s investigation, the botnet has been quite successful in infecting Windows servers running phpStudy, an integrated learning environment popular primarily among Chinese developers.
However, other types of servers were also compromised such as those running phpMYAdmin apps.