touchbas.blogg.se

Online ddos booter










Nerom: someone will pay you a visit tomorrow
Nerom: You attacking the server without protection
Nerom: I’ll get to the police department today

In the couple minutes angry admin contacts me

Well, I’ve decided to “charge” their forum for 1-2 hours, just to test. Tried to contact someone in chat – no response, tried to contact admin guy “Nerom” – no response either. So, I’ve decided to bring up my old thread today and found out that it was deleted without any notification.

The Google translation of the thread wasn’t great, but a colleague fluent in Russian provided helpful translations of some of the more interesting parts:

On NovemForceful started a forum thread (including ICQ instant messaging logs) complaining that another forum () had unfairly deleted their DDoS advertisement:

While a self-identified DDoS threat actor posting an MD5 hash of a known DDoS malware feels like a solid link between a DDoS-as-a-service advertisement and a DDoS botnet, a second OPSEC mistake by the threat actor has helped strengthen their association with kypitestru.

The first attack we logged for this botnet was on Jand there’s been steady activity since:

At the time of this writing, attacks have been observed on 108 unique target hosts/IPs in the following countries:

Attacks can be categorized into the following types:

SHA1: 4fab28b1bbce94f077861ca2d9d8299b005fa961 (SHA1)

ASERT keeps tabs on DDoS botnets and their attack activity with our BladeRunner botnet monitoring system and kypitestru is no exception.

Visiting the bot’s C2 panel confirms this suspicion:

The HTTP request exhibits telltale signs of the G-Bot DDoS bot.

This malware’s C2 domain is “kypitestru” and its phone home looks like:


Once released, it was picked up by ASERT’s malware zoo and others.

d361e3ddfc4e6f03ed7bad5586934854478708a5 (SHA1)

Forceful’s mistake was that instead of deleting the test executable, it was distributed into the wild.

At the bottom of the screenshot, it lists the following hashes of the crypted executable:

As with the other participants in the thread, Forceful posted a screenshot of the results of a virus scanning service to test how effective the crypter was on a malware sample. The actor was participating in a forum discussion about a crypter, a tool used to encrypt/obfuscate malware executables to help evade antivirus detection and hinder analysis.

These mistakes come in a number of flavors and this was one of Forceful’s:

Making the jump from ad to botnet usually requires the threat actor making a public operational security (OPSEC) mistake. What these ads usually don’t contain, however, are the command and control (C2) details of their botnets used to carry out the purchased DDoS attacks.










