A new botnet, identified as Simps, has been discovered and linked to the Keksec group, which focuses on DDoS activities. The botnet's binary has been observed using Mirai and Gafgyt modules for its DDoS functionality.

What has happened?

Recently, a research team from Uptycs discovered a shell script and Gafgyt malware downloading Simps binaries from the C2 server 23[.]95[.]80[.]200.
  • As per the research, the botnet is believed to be in the early stages of development because of the existence of the infected[.]log file after execution.
  • The botnet binaries are downloaded via a shell script, and the Gafgyt malware family delivers them by exploiting RCE vulnerabilities.
  • The authors behind this botnet have a Discord server and YouTube channel for its demonstration. The YouTube channel and historical data confirm that Simps has been active since April.
  • Discord server discussions and threat intel info revealed a possible connection to the Keksec group (aka Kek Security). It operates HybridMQ-keksec, a botnet created with trojan programs.

Exploitation of RCE vulnerabilities

Simps botnet uses Gafgyt modules, a malware family that uses existing vulnerabilities in IoT devices to turn them into bots, to perform DDoS attacks on specific IP addresses.
  • Simps payloads were found to be delivered by exploiting various RCE vulnerabilities (such as CVE-2017-17215 and CVE-2018-10561) in vulnerable IoT devices.
  • Both exploits downloaded a UPX-packed Simps binary built for the MIPS architecture, which prints a message that the device has been infected by the Simps botnet.
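The two observations above, the downloads from the C2 address and the UPX-packed MIPS payload, are the kind of indicators a defender can turn into detection logic. The following is an added example written for this page, not code from the article or from the Uptycs research: it scans constructed proxy-style log lines for contacts with the C2 IP named above and fingerprints a downloaded file as a UPX-packed MIPS ELF binary. The log format, the sample lines and the `build_sample_elf` helper are assumptions made for the example; the ELF and UPX constants are public file-format details.

```python
"""Added defensive example (not from the Cyware article or the Uptycs research):
flag the Simps IoCs named in the article in constructed proxy log lines and
fingerprint downloaded files as UPX-packed MIPS ELF binaries.

Assumptions (not from the page): the "ts src dst uri status" log format below is
a constructed example format; the ELF and UPX checks rely on public constants."""
import re
import struct

# IoC from the article, with the defanged "[.]" notation undone for matching.
SIMPS_C2 = "23.95.80.200"

# Constructed log lines in a hypothetical "ts src dst uri status" format.
SAMPLE_LOGS = """\
2021-05-01T10:00:01Z 10.0.0.5 93.184.216.34 /index.html 200
2021-05-01T10:00:03Z 10.0.0.7 23.95.80.200 /simps.sh 200
2021-05-01T10:00:04Z 10.0.0.7 23.95.80.200 /bins/simps.mips 200
2021-05-01T10:00:09Z 10.0.0.9 93.184.216.34 /api/v1 404
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<uri>\S+) (?P<status>\d+)$")


def find_c2_contacts(log_text, c2_ips=(SIMPS_C2,)):
    """Return (timestamp, source host, uri) for each line whose destination is a known C2 IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("dst") in c2_ips:
            hits.append((m.group("ts"), m.group("src"), m.group("uri")))
    return hits


ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8                      # e_machine value for MIPS (ELF specification)
ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2  # little-endian / big-endian e_ident[EI_DATA]


def classify_elf(data):
    """Describe a file: is it ELF, is it built for MIPS, does it carry the UPX marker, endianness."""
    info = {"is_elf": False, "is_mips": False, "upx_packed": False, "endian": None}
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return info
    info["is_elf"] = True
    ei_data = data[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">" if ei_data == ELFDATA2MSB else None
    info["endian"] = endian
    if endian is None:
        return info
    # e_machine is the 16-bit field at offset 18 for both ELF32 and ELF64 headers.
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    info["is_mips"] = e_machine == EM_MIPS
    # UPX leaves a "UPX!" marker inside packed files (public file-format detail).
    info["upx_packed"] = b"UPX!" in data
    return info


def build_sample_elf(machine=EM_MIPS, big_endian=True, packed=True):
    """Construct a minimal, non-executable ELF32 header so the classifier can be exercised offline."""
    endian = ">" if big_endian else "<"
    e_ident = (ELF_MAGIC
               + bytes([ELFCLASS32, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1, 0])
               + b"\0" * 8)
    # e_type=2 (EXEC), e_machine, e_version=1, then zeroed remaining header fields.
    header = e_ident + struct.pack(endian + "HHI", 2, machine, 1) + b"\0" * 32
    return header + (b"UPX!" if packed else b"") + b"\0" * 16


def is_suspected_simps_drop(data):
    """Heuristic from the article's description: a UPX-packed ELF built for MIPS."""
    info = classify_elf(data)
    return info["is_elf"] and info["is_mips"] and info["upx_packed"]


if __name__ == "__main__":
    for ts, src, uri in find_c2_contacts(SAMPLE_LOGS):
        print(f"{ts} {src} fetched {uri} from the Simps C2")
    print("sample MIPS UPX ELF flagged:", is_suspected_simps_drop(build_sample_elf()))
```

The IP match alone is enough to raise an alert; the ELF fingerprint is a second, independent signal for files pulled off a device or a proxy cache, and it deliberately checks the architecture field rather than the file name, since the name is under the attacker's control.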

Conclusion

Simps botnet indicates how malware authors are actively reusing leaked malware source code to shape their attacks. Thus, organizations are recommended to frequently monitor their networks for suspicious events, traffic, and processes spawned by the execution of any malicious binary.
Cyware Publisher