360 Netlab Blog - Network Security Research Lab at 360

A collection of 111 posts
CVE-2021-26855

Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis

Background: On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange Server[1]. We customized our Anglerfish honeypot to simulate Microsoft Exchange and deployed the honeypot plug-in on March 3; soon we started to see a large amount of related data, and so far we have already
  • Genshen Ye
  • houliuyang
Mar 25, 2021 12 min read
Necro

Necro upgrades again, using Tor + dynamic domain DGA and aiming at both Windows & Linux

Overview: Back in January, we blogged about a new botnet, Necro, and shortly after our report it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar: the BotMon system detected that Necro had started spreading again, in
  • jinye
  • YANG XU
Mar 18, 2021 12 min read
New Threat

New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims

Overview: In the security community, when people talk about honeypots, by default we assume they are one of the most used toolkits for security researchers to lure the bad guys. But recently we came across a botnet that uses a honeypot to harvest other infected devices, which is quite interesting. From
  • Alex.Turing
  • liuyang
  • YANG XU
Mar 12, 2021 11 min read
Botnet

Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities

Overview: In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every day. Most of them are old families, some of which just changed their wallets or propagation methods, and z0Miner
  • JiaYu
Mar 8, 2021 3 min read
QNAP

QNAP NAS users, make sure you check your system

Background: On March 2, 2021, the 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)[1]. Upon a successful attack, the attacker gains root privilege on the device and performs malicious mining activities. Due to
  • Ma Yanlong
  • Genshen Ye
Mar 5, 2021 4 min read
Necro

Gafgtyt_tor and Necro are on the move again

Overview: Since February 15, 2021, 360Netlab's BotMon system has continuously detected a new variant of the Gafgyt family, which uses Tor for C2 communication to hide the real C2 and encrypts sensitive strings in the samples. This is the first time we have found a Gafgyt variant using the
  • jinye
Mar 4, 2021 12 min read
Botnet

Fbot is now riding the traffic and transportation smart devices

Background: Fbot, a botnet based on Mirai, has been very active ever since we first blogged about it here[1][2]. We have seen this botnet using multiple 0-days before (some of them we have not disclosed yet), and it has been targeting various IoT devices; now, it is
  • Genshen Ye
  • Alex.Turing
Mar 3, 2021 5 min read
rinfo

Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed

Overview: In 2018 we blogged about a scanning & mining botnet family that uses ngrok.io to propagate samples: "A New Mining Botnet Blends Its C2s into ngrok Service". Since mid-October 2020, our BotMon system has started to see a new variant of this family that is active
  • LIU Ya
Feb 10, 2021 6 min read
DNSMon

DNSMon: using DNS data to produce threat intelligence (3)

Background: This article is the third in our series introducing DNSMon and its use in the production of threat intelligence (domain name IoCs). As a basic core protocol of the Internet, the DNS protocol is one of the cornerstones of the normal operation of the Internet. DNSMon, which was born and raised
  • suqitian
  • Alex.Turing
Feb 9, 2021 7 min read
DDoS

New Threat: Matryosh Botnet Is Spreading

Background: On January 25, 2021, the 360Netlab BotMon system labeled a suspicious ELF file as Mirai, but its network traffic did not match Mirai's characteristics. This anomaly caught our attention, and after analysis we determined that it was a new botnet that reused the Mirai framework, propagated through
  • Alex.Turing
  • Hui Wang
  • liuyang
Feb 2, 2021 8 min read
DGA

Necro is going to version 3 and using PyInstaller and DGA

Overview: Necro is a classic botnet family written in Python that was first discovered in 2015. At the beginning, it targeted Windows systems; it is often tagged by security vendors as Python.IRCBot and was called N3Cr0m0rPh (Necromorph) by the author himself. Since January 1, 2021, 360Netlab's BotMon system
  • jinye
Jan 22, 2021 12 min read
0-day

Another LILIN DVR 0-day being used to spread Mirai

Author: Yanlong Ma, Genshen Ye. Background Information: In March, we reported[1] that multiple botnets, including Chalubo, Fbot and Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices; the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILIN DVR/
  • Genshen Ye
Dec 3, 2020 5 min read

DNS data mining case study - skidmap

As the foundation and core protocol of the Internet, the DNS protocol carries data that, to a certain extent, reflects a good deal of user behavior, so security analysis of DNS data can cover a decent amount of malicious activity. In the early days, typical scenarios for early
  • Zhang Zaifeng
  • RootKiter
Nov 30, 2020 9 min read

Blackrota, a heavily obfuscated backdoor written in Go

The most obfuscated Go-developed ELF-formatted malware we've found to date. Overview: Recently, a malicious backdoor program written in the Go language that exploits an unauthorized access vulnerability in the Docker Remote API was caught by our Anglerfish honeypot. We named it Blackrota, given that its C2 domain
  • JiaYu
Nov 24, 2020 7 min read
0-day

MooBot on the run using another 0 day targeting UNIX CCTV DVR

This report is jointly issued by CNCERT and Qihoo 360. Overview: Moobot is a botnet we first reported in September 2019[1]. It has been pretty active since its appearance, and we have reported before that it has the ability to exploit 0-day vulnerabilities[2][3]. In June, we were able to
  • Hui Wang
  • Alex.Turing
Nov 20, 2020 7 min read
Botnet Proxy

Quick update on the Linux.Ngioweb botnet, now it is going after IoT devices

Background: On June 21, 2019, we published a blog about a proxy botnet, Linux.Ngioweb. On August 4, 2020, we captured a batch of ELF files with zero VT detection, which are variants of Ngioweb, and we named them V2. Two weeks later, on August 16, we noticed that
  • Alex.Turing
  • Hui Wang
Nov 13, 2020 33 min read
Botnet

HEH, a new IoT P2P Botnet going after weak telnet services

Overview: Recently, the 360Netlab threat detection system captured a batch of unknown samples. The CPU architectures supported by this batch of samples are broad, including x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC. It is spreading through brute force of the Telnet service on ports 23/2323, which
  • JiaYu
Oct 7, 2020 8 min read
0-day

Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities

Author: Lingming Tu, Yanlong Ma, Genshen Ye. Background: Starting from November 2019, the 360Netlab Anglerfish system has successively observed attackers using two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT) based on Mirai code. Conventional Mirai variants normally focus on DDoS, but this variant is different.
  • Alex.Turing
  • Genshen Ye
Oct 1, 2020 10 min read
Botnet

Ghost in action: the Specter botnet

Background: On August 20, 2020, the 360Netlab Threat Detection System captured a suspicious ELF file (22523419f0404d628d02876e69458fbe.css) with 0 VT detection. When we took a close look, we saw a new botnet that targets AVTECH IP Camera / NVR / DVR devices; it has flexible configuration, is highly modular / plugin-based, and uses TLS,
  • Alex.Turing
  • Hui Wang
Sep 25, 2020 9 min read
QNAP

In the wild QNAP NAS attacks

Author: Yanlong Ma, Genshen Ye, Ye Jin. From April 21, 2020, the 360Netlab Anglerfish honeypot started to see a new QNAP NAS vulnerability being used to launch attacks against QNAP NAS equipment. We noticed that this vulnerability had not been announced on the Internet, and the attacker is cautious in the
  • Genshen Ye
  • jinye
Aug 31, 2020 4 min read
DDoS

The new Bigviktor Botnet is Targeting DrayTek Vigor Router

Overview: On June 17, 2020, the 360Netlab Threat Detection System flagged an interesting ELF sample (dd7c9d99d8f7b9975c29c803abdf1c33). Further analysis shows that this is a DDoS bot program that propagates through the CVE-2020-8515 vulnerability targeting DrayTek Vigor router devices, and it uses a DGA (domain generation algorithm) to generate C2 domain names.
  • Alex.Turing
  • Hui Wang
Jul 10, 2020 20 min read
0-day

An Update for a Very Active DDoS Botnet: Moobot

Moobot is a Mirai-based botnet that spreads through weak Telnet passwords and some n-day and 0-day vulnerabilities.
  • Hui Wang
  • Alex.Turing
Jul 9, 2020 5 min read

The Gafgyt variant vbot seen in its 31 campaigns

Overview: Gafgyt botnets have a long history of infecting Linux devices to launch DDoS attacks. While dozens of variants have been detected, new variants are constantly emerging with changes to their register message, exploits, and attack methods. On the other hand, their new botnets are usually short-lived, with
  • LIU Ya
Jul 6, 2020 7 min read

New activity of DoubleGuns Group, control hundreds of thousands of bots via public cloud service

Overview: Recently, our DNS-data-based threat monitoring system DNSMon flagged a suspicious domain, pro.csocools.com. The system estimates the scale of infection may well be above hundreds of thousands of users. By analyzing the related samples and C2s, we traced its family back to the ShuangQiang (double gun) campaign,
  • jinye
May 23, 2020 16 min read
Botnet

The LeetHozer botnet

Background: On March 26, 2020, we captured a suspicious sample, 11c1be44041a8e8ba05be9df336f9231. Although the samples have the word "mirai" in their names and most antivirus engines identified it as Mirai, its network traffic is totally new, which got our attention. The sample borrowed some of Mirai's Reporter and Loader mechanism,
  • Alex.Turing
  • Hui Wang
Apr 27, 2020 11 min read
360 Netlab Blog - Network Security Research Lab at 360 © 2025