Botnet cannibalizes other shells more than a year

A botnet has been attacking and gaining access to other web shells (backdoors on web servers) for more than a year, security researchers at Positive Technologies have revealed today.

The researchers linked the botnet to an old trojan named Neutrino (also known as Kasidet), whose operators appear to have shifted their targeting from user desktops to web servers, on which they install a encryption.

botnet

Positive Technologies researchers report that this new phase The Neutrino gang's exploits began in early 2018, when the group managed to develop a multi-functional botnet that scanned random IP addresses on the internet looking for specific applications and servers it could infect.

To compromise the other servers, the Neutrino botnet uses various techniques, such as using exploits for old and new vulnerabilities, vulnerabilities in phpMyAdmin servers or that do not have any access, but also brute-force attacks on root accounts in phpMyAdmin, Tomcat and MS-SQL systems.

Researchers also report that Neutrino does strange things that aren't seen in many other botnets. For example, this particular Neutrino searches for Ethereum nodes that work with default passwords, connects to these systems, and steals locally stored files.

Neutrino as mentioned in the title also focuses on hacking web shells.

Web shells are backdoors used by hackers to perform operations on a compromised machine. They have a web-based interface from which hackers can log in and issue commands through their browser, or a custom programmed environment in which they send automated commands.

According to Positive Technologies researchers, Neutrino searches the web for 159 different types of PHP web shells and two JSPs (Java Server Pages).

The botnet creates a list of web shells and then launches brute-force attacks to guess login credentials and gain access.

Regarding Neutrino's success, Positive Technologies reports that the botnet was one of the top three senders of queries in that they were using.

Based on the company's research, the botnet has proven to be quite successful in Windows servers with phpStudy, a comprehensive learning environment popular mainly among Chinese developers.

However, it also attacks phpMyAdmin servers.

“To protect servers from Neutrino infection, we recommend that administrators check the root password of phpMyAdmin,” says Kirill Shipulin, security researcher at Positive Technologies.

“Make sure your services are up to date and install the latest updates. Remember that Neutrino is regularly updated with new exploits. ”

Technical details on the Neutrino modus operandi can be found at Publication by Positive Technologies.

_______________________

.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).