From cryptomining to DDoS attacks, botnet threats can show up on your devices in many ways. Researchers have shared their findings on how threat actors are exploiting multiple flaws and taking advantage of weak remote login passwords to prepare your device for a bigger crime. In this piece, we will also take a look at other looming botnet threats.
What was found?
A new variant of the Gafgyt botnet that uses the Tor network to target vulnerable D-Link and IoT devices have been identified by NetLab 360 researchers.
The new variant dubbed Gafgyt_tor—whose core function is still DDoS attacks and scanning—appears to be the handiwork of the keksec group, aka the Freak threat actor.
To evade detection, this version uses Tor to hide its C2 communications and encrypts sensitive strings in samples.
How does it work?
The botnet either propagates through weak Telnet passwords or exploits three known vulnerabilities: an RCE flaw in D-Link devices; an RCE vulnerability in Liferay enterprise portal software (no CVE is available for this); and a flaw (CVE-2019-19781) in Citrix ADC.
Experts noted that the code structure of Gafgyt_tor’s main function is largely inconsistent. Within that, there’s a big section of code for the tor_socket_init function that can build a list of over 100 Tor proxies.
Lastly, new samples choose a node from the list to enable Tor communication.
Recent botnet activities
One wrong click and your systems can become a part of a larger botnet operation that typically operates without obvious visible evidence and can remain operational for years. Here’s how the botnet landscape has been shaping lately.
A new Android botnet malware, dubbed FluBot, found using an SMS load distribution mechanism to send SMS spam to victims’ contacts. It infected more than 60,000 devices within just two months.
Around the end of Feb, Akamai uncovered a long-running crypto-mining botnet campaign, wherein hackers exploit BTC blockchain transactions to deflect detection by the security systems in place.
Last month, experts at Kaspersky outlined a trend in which botnet operators were observed getting more involved in cryptomining than DDoS attacks.
Last year, a botnet called Hoaxcalls had emerged, as a variant of the Gafgyt family, abusing a vulnerability in Symantec Secure Web Gateways. Researchers opinionate that the actors behind Gafgyt will be making continuous development mostly by creating new variants of different botnets. However, the solution to such threats remains basic, including a timely patch for your devices and keeping a watch on your network communications.