360 Netlab Blog - Network Security Research Lab at 360
  • Botnet
  • DNSMon
  • DDoS
  • PassiveDNS
  • Mirai
  • DTA

A collection of 111 posts
0-day

Multiple fiber routers are being compromised by botnets using 0-day

Author: Yanlong Ma, Genshen Ye, Lingming Tu, Ye Jin. This is the 3rd article in our IoT 0-day series: in the past 30 days we have already blogged about two groups targeting a DrayTek CPE 0-day [1] and the Fbot botnet targeting a LILIN DVR 0-day [2]. Apparently, while most botnets play catchup
  • Genshen Ye
  • Alex.Turing
  • jinye
Apr 15, 2020 5 min read
Botnet

DDG botnet, round X, is there an ending?

DDG is a mining botnet that we first blogged about in January 2018; we reported back then that it had made a profit somewhere between 5.8 million and 9.8 million RMB (about 820,000 to 1.4 million US dollars). We have had many follow-up blogs about this botnet since then,
  • JiaYu
Apr 8, 2020 2 min read
0-day

Two zero days are Targeting DrayTek Broadband CPE Devices

Author: Yanlong Ma, Genshen Ye, Hongda Liu. Background: Since December 4, 2019, the 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities in DrayTek [1] Vigor enterprise routers and switches to conduct a series of attacks, including eavesdropping on the devices' network traffic, running SSH
  • Genshen Ye
Mar 27, 2020 5 min read
Icnanker

Icnanker, a Linux Trojan-Downloader Protected by SHC

Background: On August 15, 2019, the 360Netlab Threat Detection System flagged an unknown ELF sample (5790dedae465994d179c63782e51bac1) which generated Elknot botnet related network traffic. We took a manual look and noticed that it is a Trojan-Downloader which is protected with the SHC (Shell Script Compiler) technique and propagates through weak SSH credentials. The
  • Alex.Turing
Mar 23, 2020 8 min read
LILIN DVR

Multiple botnets are spreading using LILIN DVR 0-day

Author: Yanlong Ma, Lingming Tu, Genshen Ye, Hongda Liu. When we talk about DDoS botnets, we tend to think of the typical scenario: mediocre, code-borrowing scripts targeting old vulnerabilities. But things have actually started to change; we have noticed more and more attackers beginning to use 0-day vulnerabilities. Background: Starting from
  • Alex.Turing
  • Genshen Ye
Mar 20, 2020 4 min read
Botnet

Mozi, Another Botnet Using DHT

The Mozi botnet relies on the DHT protocol to build a P2P network, and uses ECDSA384 and an XOR algorithm to ensure the integrity and security of its components and of the P2P network. The sample spreads via Telnet with weak passwords and some known exploits
  • Alex.Turing
  • Hui Wang
Dec 23, 2019 11 min read
Dacls

Dacls, the Dual platform RAT

Background: On October 25, 2019, a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system. At first glance it seemed to be just another regular botnet, but we soon realized this is something with a potential link to the Lazarus Group. At present, the industry
  • jinye
  • Genshen Ye
Dec 17, 2019 12 min read
Roboto

The awaiting Roboto Botnet

Background introduction: On August 26, 2019, our 360Netlab Unknown Threat Detection System highlighted a suspicious ELF file (4cd7bcd0960a69500aa80f32762d72bc) and passed it along to our researchers for a closer look; upon further analysis, we determined it is a P2P bot program. Fast forward to October 11, 2019: our Anglerfish honeypot captured
  • Alex.Turing
  • Genshen Ye
Nov 20, 2019 12 min read
Botnet

The Botnet Cluster on the 185.244.25.0/24

In the past few years, we have seen quite a few botnets on the 185.244.25.0/24 netblock. How many? Readers can take a look at the following tag cloud, which represents the keywords used in some of the samples that use IPs within this netblock as loader IPs.
  • Hui Wang
  • Alex.Turing
  • LIU Ya
  • Genshen Ye
Sep 27, 2019 8 min read
Botnet

Emptiness: A New Evolving Botnet

Background: Our honeypot system captured a new DDoS botnet sample on 2019-06-23. We named it Emptiness after its running process name as well as its C2 domain. Emptiness is written in Golang and supports both Windows and Linux. Our further analysis reveals its iterative evolution: the early version
  • Hui Wang
  • Alex.Turing
Aug 9, 2019 5 min read
Botnet

Some Fiberhome routers are being utilized as SSH tunneling proxy nodes

Background introduction: On July 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file with 0 VirusTotal detections. When we looked further into it, we realized it is a component of an IoT botnet targeting Fiberhome routers. But it does not do the regular stuff such as DDoS,
  • Genshen Ye
Aug 2, 2019 5 min read
Botnet

An Analysis of Godlua Backdoor

Background: On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file which a few vendors on VT had marked as a mining-related trojan. We cannot confirm that it has a mining-related module, but we do see that it has recently started to perform DDoS functions. The file itself
  • Alex.Turing
  • Genshen Ye
Jul 1, 2019 9 min read
Botnet

An Analysis of Linux.Ngioweb Botnet

Background: On May 27, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file, and to this day the detection rate on VT is still only one vendor, with a very generic name. We determined that this is a proxy botnet, and that it is a Linux variant of the
  • Alex.Turing
  • Genshen Ye
Jun 21, 2019 14 min read
DNSMon

Ongoing Credit Card Data Leak [Continues]

DNSMon is a network-wide DNS malicious-domain analysis system we built here at 360Netlab. With 10%+ coverage of the total DNS traffic in China, plus the other multi-dimensional security data and security analysis capabilities we have accumulated over the years, we can "see" what is happening in the whole
  • YANG XU
  • ba0jy
May 14, 2019 3 min read
DNSMon

Ongoing Credit Card Data Leak

Our DNSMon flagged an abnormal domain name, magento-analytics[.]com, which has been used to inject malicious JS scripts into various online shopping sites to steal credit card owner name, card number, expiration date and CVV information.
  • YANG XU
  • ba0jy
May 8, 2019 6 min read
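The post describes a third-party domain injecting card-skimming JavaScript into shopping sites. As an added example (not 360Netlab's or DNSMon's code), the script below does the shop-side counterpart of that DNS-level finding: it parses a checkout page, lists every host that serves script, and reports any host missing from the shop's own allowlist, then builds the Content-Security-Policy `script-src` directive that would have blocked the load in the browser. The page, the first-party and CDN hosts (`cdn.example-shop.test`) and the allowlist are constructed; the flagged host is the domain named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_hosts(html):
    """Return the host of each script load; relative URLs count as 'self'."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        # urlparse handles https://host/..., scheme-relative //host/... and /local paths
        netloc = urlparse(src).netloc.lower()
        hosts.append(netloc or "self")
    return hosts


def unexpected_script_hosts(html, allowlist):
    """Hosts serving script on this page that the shop never approved."""
    allowed = {h.lower() for h in allowlist}
    return sorted({h for h in script_hosts(html) if h != "self" and h not in allowed})


def csp_script_src(allowlist):
    """The script-src directive that makes the browser refuse every other host."""
    return "script-src 'self' " + " ".join("https://" + h for h in sorted(allowlist))


# Constructed checkout page (hypothetical shop). The first two script sources
# are the shop's own; the third is the domain DNSMon flagged in the post.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="//cdn.example-shop.test/jquery.min.js"></script>
<script type="text/javascript" src="https://magento-analytics.com/analytics.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

# Hosts the shop knowingly loads script from (assumed for the example).
ALLOWLIST = ["cdn.example-shop.test"]

if __name__ == "__main__":
    print("unexpected script hosts:", unexpected_script_hosts(SAMPLE_HTML, ALLOWLIST))
    print("Content-Security-Policy:", csp_script_src(ALLOWLIST))
```

This catches skimmers that are loaded from an external host, which is the case the post describes; a skimmer injected as inline JavaScript into a compromised store will not appear in the list, and needs a diff of the served page against a known-good copy (or CSP with hashes/nonces) instead.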
Botnet

SystemdMiner, when a botnet borrows another botnet's infrastructure

Update (2019.4.26 17:30): About 3 hours after the release of this article, we found that the attacker had taken down the URLs of some payload downloads; the following URLs have expired: aptgetgxqs3secda.onion.ly/systemd-cron.sh aptgetgxqs3secda.onion.pet/systemd-cron.sh aptgetgxqs3secda.onion.ly/systemd-login-ddg aptgetgxqs3secda.onion.pet/
  • JiaYu
May 7, 2019 16 min read
fbot

The new developments Of the FBot

Update 2019.12.04: Recently we have received quite a few requests for comment about this blog. We feel it necessary to list the following facts here: 1. Kenneth Currin Schuchman, with the nicknames "Nexus" or "Nexus-Zeta", a 21-year-old young man, pleaded guilty on 2019.
  • Genshen Ye
  • Hui Wang
  • RootKiter
Feb 20, 2019 6 min read
Import 2022-11-30 11:16

Smoke Loader: The Admin Panel, the 3rd Party Patch, and few other things

Smoke Loader is botnet software that has been publicly available on the black market since 2011. It is old but still active; just in the last six months we have seen more than 1,500 active samples. Although it has been repeatedly exposed by different security researchers in recent years,
  • jinye
Feb 18, 2019 9 min read
Botnet

BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers

This article was co-authored by Hui Wang and RootKiter. Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431; each time, the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before. The interaction between the
  • Hui Wang
Nov 7, 2018 8 min read
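The post's starting signal is a spike in the number of distinct hosts scanning one port. As an added example (not Scanmon's code), the script below reproduces that measurement over a constructed scan log: it counts distinct source IPs per calendar day for a chosen destination port, then flags days that stand out against the median of the other days in the window. The log format (ISO-8601 timestamp, source IP, destination port, one line per SYN), the addresses and the thresholds are all assumed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample scan log (not real Scanmon data). One line per observed
# SYN: "<ISO-8601 timestamp> <source IP> <destination port>".
SAMPLE_LOG = """\
2018-09-01T00:10:00 203.0.113.10 5431
2018-09-01T03:12:00 203.0.113.11 5431
2018-09-01T05:00:00 198.51.100.7 23
2018-09-02T00:01:00 203.0.113.10 5431
2018-09-02T01:00:00 203.0.113.12 5431
2018-09-02T02:00:00 203.0.113.13 5431
2018-09-02T02:30:00 203.0.113.14 5431
2018-09-02T04:00:00 203.0.113.15 5431
2018-09-02T04:10:00 203.0.113.16 5431
2018-09-02T05:00:00 198.51.100.8 5431
2018-09-02T05:05:00 198.51.100.8 5431
2018-09-03T00:00:00 203.0.113.10 5431
"""


def unique_sources_per_day(log_text, port):
    """Map each calendar day to the number of distinct source IPs that hit `port`.

    Distinct sources, not packet counts, are what size a botnet: one noisy
    scanner retrying all day is still a single infected host.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport = line.split()
        if int(dport) != port:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        per_day[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def detect_spikes(counts, factor=3.0, min_sources=5):
    """Return [(day, count)] for days that stand out from the rest of the window.

    A day is a spike when its distinct-source count is at least `factor` times
    the median of all *other* days and at least `min_sources` in absolute terms
    (the floor stops a 1 -> 3 change on a quiet port from raising an alert).
    """
    spikes = []
    days = list(counts)
    for day in days:
        others = [counts[d] for d in days if d != day]
        if not others:
            continue  # a single day has no baseline to compare against
        baseline = statistics.median(others)
        if counts[day] >= min_sources and counts[day] >= factor * baseline:
            spikes.append((day, counts[day]))
    return spikes


if __name__ == "__main__":
    counts = unique_sources_per_day(SAMPLE_LOG, 5431)
    for day, n in counts.items():
        print(day, n)
    print("spikes:", detect_spikes(counts))
```

On real telemetry the baseline should come from a longer window than the one being judged, and the spike's source list is the first thing to pivot on: the post's next step was to look at what those sources were doing on port 5431.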
GhostDNS

70+ different types of home routers (all together 100,000+) are being hijacked by GhostDNS

Note: We have informed the various ISPs on the IoC list, and OVH, ORACLE, Google and Microsoft have taken down the related IPs; some others are working on it (thanks!). Background introduction: DNSChanger is not something new and was quite active years ago [1]; we occasionally encountered one every once in
  • Genshen Ye
Sep 29, 2018 21 min read
adbminer

Fbot, A Satori Related Botnet Using Block-chain DNS System

Since 2018-09-13 11:30 UTC, a new botnet (we call it Fbot) has popped up on our radar, and it really caught our attention. There are 3 interesting aspects to this new botnet: * First, so far the only purpose of this botnet looks to be just going after and removing another botnet
  • Hui Wang
Sep 14, 2018 5 min read
XMR CryptoCurrency

A New Mining Botnet Blends Its C2s into ngrok Service

Overview: These days it feels like new mining malware is popping up almost daily, and we have pretty much stopped blogging about the regular ones so we don't flood our readers' feeds. With that being said, one did catch our attention recently. This botnet hides its C2s (Downloader and Reporter
  • Hui Wang
Sep 12, 2018 5 min read
MikroTik

7,500+ MikroTik Routers Are Forwarding Owners’ Traffic to the Attackers, How is Yours?

[Update] 2018-09-05 11:00 GMT+8: with the generous help of AS64073, 103.193.137.211 has been promptly suspended and is no longer a threat. Overview: MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for
  • Genshen Ye
Sep 4, 2018 6 min read
Import 2022-11-30 11:16

Threat Alert: DDG 3013 is Out

DDG is a mining botnet mainly targeting SSH, Redis and OrientDB database servers. We captured the first DDG botnet on October 25, 2017, and subsequently released several reports. The most recent report was released in 2018-06 and reflected the newest version at that time, DDG 3012. This morning,
  • JiaYu
Aug 1, 2018 1 min read
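DDG's Redis foothold, as the post summarizes it, is a server reachable without credentials. As an added example (not from the post or from DDG's code), the script below audits a `redis.conf` fragment for the four settings that decide whether an internet-facing Redis is open to that kind of botnet, and shows a weak fragment beside a hardened one. Both fragments are constructed; the `requirepass` value is a placeholder, and the note about `CONFIG SET dir`/`dbfilename` describes the generic open-Redis write primitive, not a step taken from the DDG report.

```python
# Constructed redis.conf fragments (not from the post). The weak one is the
# shape of an internet-exposed Redis that a botnet can reach without
# credentials; the hardened one closes the same four gaps.
WEAK_CONF = """\
# listens on every interface, no password, protected mode off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
# placeholder: use a long random secret in a real deployment
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_redis_conf(text):
    """Return (last value per directive, list of (COMMAND, new_name) renames)."""
    last = {}
    renames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "rename-command" and len(args) == 2:
            renames.append((args[0].upper(), args[1]))  # may appear many times
        else:
            last[directive] = args  # Redis honours the last occurrence
    return last, renames


def audit_redis_conf(text):
    """List (directive, problem) pairs for settings that leave Redis open to abuse."""
    conf, renames = parse_redis_conf(text)
    findings = []

    # No bind directive at all also means "every interface".
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append(("bind", "listens on all interfaces; bind to 127.0.0.1 or an internal address"))

    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append(("protected-mode", "disabled; re-enable so unauthenticated remote clients are refused"))

    if not conf.get("requirepass"):
        findings.append(("requirepass", "unset; any client that can reach the port has full access"))

    # CONFIG SET dir/dbfilename followed by SAVE is the classic way to write a
    # cron entry or authorized_keys file through an open Redis; an empty rename
    # target disables the command outright.
    if not any(cmd == "CONFIG" and target == '""' for cmd, target in renames):
        findings.append(("rename-command", 'CONFIG is still reachable; add: rename-command CONFIG ""'))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for directive, problem in audit_redis_conf(text):
            print("  ", directive + ":", problem)
```

`requirepass` on its own is not enough when the password is guessable, which is why the bind address and protected mode are checked independently: a Redis that is only reachable from localhost or an internal network is not in the population a scanner like DDG's can find in the first place.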
Botnet

Malicious Campaign luoxk Is Actively Exploiting CVE-2018-2893

Author: Zhang Zaifeng, yegenshen, RootKiter, JiaYu. On July 18, in an officially released routine patch update, Oracle fixed CVE-2018-2893, an Oracle WebLogic Server remote code execution vulnerability. Three days later, at 2018-07-21 11:24:31 GMT+8, we noticed that a malicious campaign that we have been tracking for a
  • Zhang Zaifeng
Jul 23, 2018 3 min read
360 Netlab Blog - Network Security Research Lab at 360 © 2025