Updated: Apr 30
// Research on a botnet community hosted and sold through discord
Hey Hackers! My name is at0m or atomiczsec. I am a security researcher for CosmodiumCS. Today I will be sharing our research on a botnet community that was selling this product through discord. Let's start!
// How is this botnet sold?:
It all starts with a Discord server named "Pain". Once we joined the server, we saw advertisements for the botnet, also named "Pain". The people who host these botnets like to keep the botnet's IP hidden so that sites that track malware don't get their botnets reported or shut down. Our mission was to find the IP and expose it to these sites, but our team found far more than expected.
// Steps to Operation Pain:
1. Scroll through the server chats to see if we can find any information on the owners or the botnet.
We found two IPs that turned out to be slave servers for the botnet. The IP addresses are:
We can confirm these IP addresses are compromised by looking at their reports on https://threatbook.io
As we can see, the IP comes back as a "Zombie" of the botnet. We learned that the way they acquire these zombie or slave servers is by exploiting default credentials on ports 22 and 23, which are SSH and Telnet.
2. Go into the voice chat where the seller was sharing their screen and get as much information as we could.
Out of this voice chat we found the following:
Phone number of a reseller
Email address of the reseller
Name of the reseller
Botnet IP and port it is operating on
Proof of them using the botnet for malicious purposes
3. Try to find their exploits and locate the login page to the botnet.
Now that we had the botnet IP, we ran an nmap scan against it to see which ports were open. Luckily for us, we found two very important ports:
21 - FTP Server
1234 - Botnet Login Page
Let's start with the FTP server. During the scan, nmap reported "Anonymous FTP login allowed", which means we could log in to the FTP server and download its contents without any credentials. So we logged in and BOOM, all of the exploits were sitting there waiting for us to analyze them.
Once we had these files it was time to analyze them, both to share IOCs (Indicators of Compromise) with the community and to get a better understanding of what these exploits are doing.
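The "Anonymous FTP login allowed" message comes from nmap's ftp-anon script, and it is exactly the finding a defender wants to catch on their own hosts before someone else does. The added example below (written for this page, not code from the post or from CosmodiumCS) parses that script's output across a multi-host nmap report and lists the hosts where anonymous login worked, plus whatever file names the script listed; the scan output, hostnames and file names are constructed for the demonstration. It also includes a live check via Python's ftplib for confirming a finding on a server you administer.

```python
import re
from ftplib import FTP, error_perm

# Constructed nmap normal-output excerpt (not the post's real scan): one host
# with anonymous FTP and a file listing, one host that refuses anonymous login.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.021s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0          102400 Apr 30 10:00 bot.x86
1234/tcp open  hotline

Nmap scan report for 192.0.2.11
Host is up (0.030s latency).

PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login not allowed
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
# Script output lines start with "| " for continued output and "|_" for the last line.
ANON_RE = re.compile(r"^\|_?\s*ftp-anon:\s*(?P<msg>.+)$")
LISTING_RE = re.compile(r"^\|_?\s*[\-dl][rwxsStT\-]{9}\s+.*\s(?P<name>\S+)$")


def parse_ftp_anon(nmap_text):
    """Return {host: {"anonymous": bool, "files": [names]}} for every host whose
    report contains an ftp-anon script result."""
    results = {}
    host = None
    in_listing = False
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m["host"]
            in_listing = False
            continue
        m = ANON_RE.match(line)
        if m and host:
            results[host] = {
                "anonymous": m["msg"].startswith("Anonymous FTP login allowed"),
                "files": [],
            }
            in_listing = not line.startswith("|_")  # "|_" closes the script block
            continue
        if in_listing and host in results:
            m = LISTING_RE.match(line)
            if m:
                results[host]["files"].append(m["name"])
            if line.startswith("|_") or not line.startswith("|"):
                in_listing = False
    return results


def hosts_with_anonymous_ftp(nmap_text):
    """Sorted list of hosts where nmap confirmed anonymous FTP login."""
    return sorted(h for h, r in parse_ftp_anon(nmap_text).items() if r["anonymous"])


def anonymous_login_allowed(host, port=21, timeout=5):
    """Live confirmation for a host you are authorised to test: FTP.login() with
    no arguments tries the 'anonymous' account, and a 530-style refusal raises
    error_perm. Network errors (unreachable host) propagate to the caller."""
    ftp = FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login()  # defaults to user "anonymous"
        return True
    except error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            pass


if __name__ == "__main__":
    for host, info in parse_ftp_anon(SAMPLE_NMAP_OUTPUT).items():
        state = "ALLOWED" if info["anonymous"] else "refused"
        print(f"{host}: anonymous login {state}; files: {info['files']}")
```

Feeding real `nmap -sV --script ftp-anon -oN report.txt` output through `hosts_with_anonymous_ftp` gives an inventory of exposed servers; on the hosts it lists, disabling anonymous access (or the FTP daemon altogether) is the fix.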
The results can be found in these links here:
Next, let's take a look at the botnet login page. It is a pretty simple login page, and we did not attempt to exploit it further, as we were only researching the malware and the concept behind it. Here is a screenshot of the login page:
4. IOCs (Indicators Of Compromise):
MD5 = 3463c78812a6ec624e14956d6d00130c
MD5 = 385bb9bdbd9ca5b173a21556829271af
MD5 = d37d4b6d2c6bd8f128e846ec3f05047a
MD5 = 46ee8b5d1b567628dd0ff9337e674668
URL = ww1[.]dayzddos[.]co
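To make the indicators above actionable, here is an added example (our illustration, not code from the post or from CosmodiumCS) that loads the four MD5 hashes and the defanged URL exactly as published, sweeps a directory for files whose digest matches, and checks DNS or proxy log text for the refanged domain. The sample log line is constructed; MD5 is used only because that is the form the published indicators take.

```python
import hashlib
import os
import re

# IOCs exactly as published in the post above.
IOC_MD5 = {
    "3463c78812a6ec624e14956d6d00130c",
    "385bb9bdbd9ca5b173a21556829271af",
    "d37d4b6d2c6bd8f128e846ec3f05047a",
    "46ee8b5d1b567628dd0ff9337e674668",
}
IOC_URLS_DEFANGED = {"ww1[.]dayzddos[.]co"}


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large binaries don't have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(observed, iocs=IOC_MD5):
    """observed: {label: md5 hex}. Return only the entries whose digest is an IOC."""
    return {label: d for label, d in observed.items() if d.lower() in iocs}


def scan_directory(root, iocs=IOC_MD5):
    """Hash every regular file under root and return {path: md5} for IOC hits."""
    observed = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                observed[path] = md5_of_file(path)
    return match_hashes(observed, iocs)


def find_ioc_domains(text, defanged=IOC_URLS_DEFANGED):
    """Return the set of IOC domains that occur in text as whole host names,
    so 'ww1.dayzddos.co' is found but an unrelated 'dayzddos.co' is not."""
    found = set()
    for domain in (refang(d) for d in defanged):
        pattern = r"(?<![\w.-])" + re.escape(domain) + r"(?![\w.-])"
        if re.search(pattern, text):
            found.add(domain)
    return found


# Constructed BIND-style query log line (not from the post) for the domain check.
SAMPLE_DNS_LOG = (
    "Apr 30 10:31:07 resolver named[811]: client 10.0.0.5#51234: "
    "query: ww1.dayzddos.co IN A +"
)

if __name__ == "__main__":
    print("domains seen:", find_ioc_domains(SAMPLE_DNS_LOG))
    print("file hits:", scan_directory("."))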
5. Proof of malicious activity:
6. Shutting down the botnet:
There we go, offline ;)
Thanks for reading, and as always, Happy Hacking!
© 2022 by Cosmodium CyberSecurity LLC