Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP


Executive Summary


The Hide ‘N Seek botnet was first discovered in January 2018 and is known for its unusual use of peer-to-peer communication between bots rather than a central command-and-control server.


Since its discovery, the malware family has received several upgrades, ranging from the addition of persistence and new exploits to the targeting of Android devices via the Android Debug Bridge (ADB).


This post details a variant of the family first seen on 21 February 2019, which incorporates two new exploits: CVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 installations.


While the ThinkPHP exploit has already been seen in several Mirai variants, the only other instance of CVE-2019-7238 being exploited in the wild was by the DDG botnet. Our research, outlined below, shows that the Hide ‘N Seek botnet incorporated this exploit in February 2019, before DDG did.


Technical Analysis


This newest version of the Hide ‘N Seek malware retains many of the previously seen features of the family, including persistence, the use of exploits for propagation, and the targeting of Android devices via ADB.


In addition to the exploits previously used by the family, this version is notable for adding the following two exploits:


CVE-2019-7238, which is a RCE vulnerability in Sonatype Nexus Repository Manager installa ..
