The Rising, Unpredictable Cases of Botnet Threats

From cryptomining to DDoS attacks, botnet threats can reach your devices in many ways. Researchers have shared findings on how threat actors exploit multiple flaws and take advantage of weak remote login passwords to enlist devices into a botnet used for larger attacks. In this piece, we also look at other looming botnet threats.

What was found?

A new variant of the Gafgyt botnet that uses the Tor network to target vulnerable D-Link and other IoT devices has been identified by NetLab 360 researchers.
The new variant, dubbed Gafgyt_tor, whose core functions are still DDoS attacks and scanning, appears to be the handiwork of the keksec group, also known as the Freak threat actor.
To evade detection, this version uses Tor to hide its C2 communications and encrypts sensitive strings in its samples.

How does it work?

The botnet propagates either by logging in to devices with weak Telnet passwords or by exploiting three known vulnerabilities: an RCE flaw in D-Link devices; an RCE vulnerability in Liferay enterprise portal software (no CVE is available for this); and CVE-2019-19781 in Citrix ADC.
Experts noted that the code structure of Gafgyt_tor's main function is largely inconsistent with that of earlier Gafgyt variants. Within it, a large section of code for the tor_socket_init function builds a list of over 100 Tor proxies.
Lastly, new samples choose a node from that list to bring up Tor communication.
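The two propagation vectors above, weak Telnet logins and the Citrix ADC flaw, leave traces a defender can look for. The following is an added example, not code from the article or from NetLab 360: a small log-triage script that flags sources making repeated Telnet login failures or logging in with a default credential pair, and flags HTTP requests carrying the "/../vpns/" path-traversal pattern that the public CVE-2019-19781 detection guidance describes. The log lines, their field layout and the default-credential list are constructed for this example; a real deployment would adapt the parsers to the device's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Telnet authentication log (not from the article or any real device).
# Assumed layout: "<ISO timestamp> telnet <src_ip> <user>:<password> <OK|FAIL>"
TELNET_LOG = """\
2021-03-01T10:00:01 telnet 203.0.113.5 root:xc3511 FAIL
2021-03-01T10:00:02 telnet 203.0.113.5 root:vizxv FAIL
2021-03-01T10:00:03 telnet 203.0.113.5 admin:admin FAIL
2021-03-01T10:00:04 telnet 203.0.113.5 root:123456 FAIL
2021-03-01T10:00:05 telnet 203.0.113.5 root:root OK
2021-03-01T10:30:00 telnet 198.51.100.9 operator:S7r0ng!Pass OK
"""

# Constructed sample web access log. Assumed layout: "<src_ip> <METHOD> <path> <status>"
HTTP_LOG = """\
203.0.113.5 GET /vpn/../vpns/cfg/smb.conf 200
198.51.100.9 GET /vpn/index.html 200
203.0.113.5 POST /vpn/../vpns/portal/scripts/newbm.pl 200
"""

# Illustrative default credentials of the kind IoT scanners try; not the botnet's own list.
WEAK_CREDS = {("root", "root"), ("admin", "admin"), ("root", "123456"),
              ("root", "xc3511"), ("root", "vizxv")}

TELNET_RE = re.compile(r"^(\S+) telnet (\S+) ([^:\s]+):(\S+) (OK|FAIL)$")

# Path fragment used in requests against CVE-2019-19781 (directory traversal in Citrix ADC).
CITRIX_TRAVERSAL = "/../vpns/"


def parse_telnet(log_text):
    """Yield (timestamp, src_ip, user, password, success) for every well-formed line."""
    for line in log_text.splitlines():
        m = TELNET_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, src, user, pw, result = m.groups()
        yield datetime.fromisoformat(ts), src, user, pw, result == "OK"


def find_telnet_bruteforce(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {src_ip: set(reasons)} for sources that exceed max_failures failed logins
    inside a sliding window, or that log in successfully with a default credential pair."""
    findings = defaultdict(set)
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    for ts, src, user, pw, ok in parse_telnet(log_text):
        if ok:
            if (user, pw) in WEAK_CREDS:
                findings[src].add("default-credential-login")
            continue
        # keep only failures still inside the window, then add this one
        failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
        if len(failures[src]) > max_failures:
            findings[src].add("bruteforce")
    return dict(findings)


def find_citrix_traversal(log_text):
    """Return (src_ip, method, path) for requests whose path contains the traversal fragment."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, method, path, _status = parts
        if CITRIX_TRAVERSAL in path:
            hits.append((src, method, path))
    return hits


if __name__ == "__main__":
    for src, reasons in find_telnet_bruteforce(TELNET_LOG).items():
        print(f"telnet: {src} -> {', '.join(sorted(reasons))}")
    for src, method, path in find_citrix_traversal(HTTP_LOG):
        print(f"citrix: {src} {method} {path}")
```

The Telnet check deliberately counts failures in a sliding window rather than in total, so a slow scanner that spreads attempts over hours is not masked by a long-running log; tune max_failures and window to the device's normal login rate.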

Recent botnet activities

One wrong click and your systems can become part of a larger botnet operation, one that typically runs without obvious visible evidence and can remain operational for years. Here is how the botnet landscape has been shaping up lately.

A new Android botnet malware, dubbed