// Research on a botnet community hosted and sold through Discord
Hey Hackers! My name is at0m or atomiczsec. I am a security researcher for CosmodiumCS. Today I will be sharing our research on a botnet community that was selling its product through Discord. Let's start!
// How is this botnet sold?
It all starts from a Discord server named "Pain". Once we joined the server, we saw advertisements for the botnet, also named "Pain". The people who host these botnets like to keep their botnet IP hidden so that sites that track malware don't get their botnets reported or shut down. Our mission was to find the IP and expose it to these sites, but our team found way more than expected.
// Steps to Operation Pain:
1. Scroll through the server chats to see if we can find any information on the owners or botnet administrators.
We found two IPs that turned out to be slave servers for the botnet. The IP addresses are:
136.175.29.53
178.214.181.11
We can confirm these IP addresses are compromised by taking a look at their report on https://threatbook.io
As we can see, the IP comes back as a "Zombie" of the botnet. We have learned that the way they get these zombie or slave servers is by exploiting default credentials on ports 22 or 23, which are SSH and Telnet.
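Default-credential guessing over SSH leaves a very recognisable trace on the victim side: a burst of failed password logins from one source, often cycling through usernames such as root, admin or pi, sometimes followed by a successful password login from that same source. The following detector is an added example written for this post, not code from CosmodiumCS or the Pain operators; it parses sshd-style auth-log lines (Telnet daemons log differently and are not covered), counts failures per source address and flags sources that cross a threshold, noting whether a password login followed the burst. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth-log lines (not traffic from the post).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2211]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jan 10 03:14:02 host sshd[2211]: Failed password for root from 203.0.113.10 port 51023 ssh2
Jan 10 03:14:03 host sshd[2212]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Jan 10 03:14:04 host sshd[2213]: Failed password for invalid user pi from 203.0.113.10 port 51025 ssh2
Jan 10 03:14:05 host sshd[2214]: Accepted password for root from 203.0.113.10 port 51026 ssh2
Jan 10 03:20:17 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Jan 10 03:20:40 host sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40111 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
# Only password logins matter here; key-based logins are not a default-credential risk.
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port \d+ ssh2")


def parse_auth_log(text):
    """Return an ordered list of (kind, user, source_ip) events, kind in {failed, accepted}."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m.group(1), m.group(2)))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m.group(1), m.group(2)))
    return events


def flag_sources(events, threshold=3):
    """Flag sources with >= threshold failed password logins.

    For each flagged source report the failure count, the usernames tried and,
    if a password login from that source came after the burst, the user it got.
    """
    failures = Counter()
    users = defaultdict(set)
    flagged = {}
    for kind, user, src in events:
        if kind == "failed":
            failures[src] += 1
            users[src].add(user)
        elif kind == "accepted" and failures[src] >= threshold:
            # processed in log order, so this login really follows the failures
            flagged.setdefault(src, {})["login_after_failures"] = user
    for src, n in failures.items():
        if n >= threshold:
            entry = flagged.setdefault(src, {})
            entry.setdefault("login_after_failures", None)
            entry["failures"] = n
            entry["usernames"] = sorted(users[src])
    return flagged


def analyse(text, threshold=3):
    """Convenience wrapper: parse the log text and return the flagged sources."""
    return flag_sources(parse_auth_log(text), threshold)


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

On the constructed sample, 203.0.113.10 is flagged with four failures across root, admin and pi and a subsequent password login as root, while 198.51.100.7 (one failure, then a key login) is not. The threshold is deliberately low because the first line of defence against this recruitment method is configuration rather than detection: disabling password authentication for root, or password authentication altogether, removes the default-credential path entirely.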
2. Go into the voice chat where the seller was sharing their screen and gather as much information as we could.
Out of this voice chat we found the following:
Phone number of a reseller
Email address of the reseller
Name of the reseller
Botnet IP and port it is operating on
Proof of them using the botnet for malicious purposes
3. Try to find their exploits and the login page to the botnet.
Now that we had the botnet IP, we ran an nmap scan against it to see which ports were open. Luckily for us, we found two very important ports:
21 - FTP Server
1234 - Botnet Login Page
Let's start with the FTP server analysis. During our scan, nmap reported "Anonymous FTP login allowed", which means we could log in to the FTP server and download its contents without any credentials. So we logged in and BOOM, all of the exploits were sitting there waiting for us to analyze them.
Once we had these files it was time to analyze them, so we could share IOCs (Indicators of Compromise) with the community and get a better understanding of what these exploits are doing.
We used Threat Zone (threat.zone) and VirusTotal (virustotal.com) to analyze these exploits. The results for some of them can be found at these links:
https://www.virustotal.com/gui/file/dc2f933d97cb81d03652dab264aeea7c12a0c6557fe2ff5f3f479a99e9a96b44
https://www.virustotal.com/gui/file/36ccd545c1e0b9e32f3f83e5284fbdacbcd43f2070b3e2cd93b04ad07c98a11a
https://www.virustotal.com/gui/file/3a619de724f4c1c9fcfb7196215f0f3fb5411b77e97605038032d3328c90f7ce
Next, let's take a look at the botnet login page. It is a pretty simple login page, and we did not attempt to exploit it further, as we were just researching the malware and the concept behind it. Here is a screenshot of the login page:
4. IOCs (Indicators Of Compromise):
MD5 = 3463c78812a6ec624e14956d6d00130c
MD5 = 385bb9bdbd9ca5b173a21556829271af
MD5 = d37d4b6d2c6bd8f128e846ec3f05047a
MD5 = 46ee8b5d1b567628dd0ff9337e674668
URL = ww1[.]dayzddos[.]co
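To make these indicators directly usable, here is a small IOC matcher, added for this post and not part of CosmodiumCS's tooling: it carries the four MD5 hashes and the defanged URL listed above, hashes a set of files and reports any that match, and refangs the `[.]` notation so the domain can be matched against hostnames pulled from a proxy or DNS log. The file contents, the proxy log lines and the extra test hash are constructed for the example; hash-based matching only catches byte-identical samples, so treat a miss as "not this exact file", not as "clean".

```python
import hashlib
import re

# IOCs as published in the post (MD5 hashes and one defanged URL).
PAIN_MD5S = {
    "3463c78812a6ec624e14956d6d00130c",
    "385bb9bdbd9ca5b173a21556829271af",
    "d37d4b6d2c6bd8f128e846ec3f05047a",
    "46ee8b5d1b567628dd0ff9337e674668",
}
PAIN_URLS = {"ww1[.]dayzddos[.]co"}

# Constructed proxy-log excerpt (not real traffic); 10.0.0.x are private addresses.
SAMPLE_PROXY_LOG = """\
2022-06-01T10:00:01Z client=10.0.0.5 method=GET host=example.com status=200
2022-06-01T10:00:07Z client=10.0.0.9 method=GET host=WW1.dayzddos.co status=200
2022-06-01T10:00:09Z client=10.0.0.5 method=GET host=cdn.example.net status=304
"""

HOST_RE = re.compile(r"\bhost=(\S+)")


def refang(indicator):
    """Turn defanged notation (ww1[.]example[.]co, hxxp://) into a matchable form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def md5_hex(data):
    """Hex MD5 of a byte string (MD5 is used here only because the IOCs are MD5)."""
    return hashlib.md5(data).hexdigest()


def match_files(files, ioc_md5s=PAIN_MD5S):
    """files: {name: bytes}. Return {name: md5} for files whose MD5 is in the IOC set."""
    hits = {}
    for name, data in files.items():
        digest = md5_hex(data)
        if digest in ioc_md5s:
            hits[name] = digest
    return hits


def hosts_from_proxy_log(text):
    """Extract the host= field from each constructed proxy-log line."""
    return [m.group(1) for m in (HOST_RE.search(line) for line in text.splitlines()) if m]


def match_hosts(hostnames, ioc_urls=PAIN_URLS):
    """Return the sorted hostnames that equal a refanged IOC domain (case-insensitive)."""
    bad = {refang(u) for u in ioc_urls}
    return sorted({h for h in hostnames if refang(h) in bad})


# Constructed "known bad" hash for demonstrating a file hit; it is the MD5 of b"abc"
# and is NOT one of the post's IOCs.
CONSTRUCTED_TEST_MD5 = md5_hex(b"abc")


if __name__ == "__main__":
    print(match_files({"benign.txt": b"hello"}))                       # {}
    print(match_files({"sample.bin": b"abc"}, PAIN_MD5S | {CONSTRUCTED_TEST_MD5}))
    print(match_hosts(hosts_from_proxy_log(SAMPLE_PROXY_LOG)))        # ['WW1.dayzddos.co']
```

The hostname comparison lowercases both sides, so the mixed-case `WW1.dayzddos.co` in the constructed log still matches the indicator; in a real deployment you would feed `match_files` the bytes of files from a quarantine or upload directory and `match_hosts` the host field of your own proxy or DNS logs.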
5. Proof of malicious activity:
6. Shutting down the botnet:
There we go, offline ;)
Thanks for reading, and as always, Happy Hacking!
// Socials:
© 2022 by Cosmodium CyberSecurity LLC