Over the last few days, Imperva researchers have monitored the emergence of a new botnet, one whose primary activity is performing different DDoS attacks and mining cryptocurrency. It also acts as a worm trying to extend its reach by scanning specific subnets and ports and using different remote code execution (CVE) vulnerabilities in an effort to infect them.
This particular botnet attack is unique given its rapid exploitation of the latest web vulnerabilities as a way to extend its reach and size.
The first recorded attack attempt took place on January 8. Since then, we’ve seen hundreds of attacks from many different IPs.
The captured attacks seem to take advantage of some of the most recently published RCE vulnerabilities. For example:
A deserialization vulnerability in Zend Framework (known as CVE-2021-3007) that was published only 4 days before the first incident!
A TerraMaster unauthenticated command-execution vulnerability (known as CVE-2020-35665)
The deserialization of Untrusted Data in Liferay Portal (known as CVE-2020-7961)
How does the botnet spread?
One of the attack vectors that has been captured is the TerraMaster unauthenticated command-execution vulnerability (CVE-2020-35665), first published in late December 2020. We’ve monitored exploits attempts since it was published, expecting to see an increase in the amount of attack attempts of this kind weeks after discovery. But, we noticed the numbers have grown significantly as of January 8, even more than expected.
In this case, the tool tries to access a specific URL using the “Event” parameter. The vulnerability allows the attacker to pipe a bash command that downloads and runs a Python malware from hXXp://gxbrowser[.]net[/]out[.]py.
Python Malware Drilldown
The malware itself is highly obfuscated and contains, as mentioned, different kinds of capabilities: scanning, botnet attacks, C&C communication and spreading to new targets.
First, we can see that this tool has scanning ability in ports 80, 443, 8443 and 8080:
In addition, the tool uses various User-Agent for the scanning and generating HTTP requests.
In addition, we can see the C&C IRC-based communication with the server (gxbrowser.net:6667).
All of the C&C commands are listed below. They contain different commands to perform reconnaissance, different types of network floods, network amplification, shell/reverse shell, stop/start process and connection commands.
When you look closely at the code, you can see indications of various flood attack capabilities such as UDPflood, SYNflood, TCPflood, HTTPflood and Slowloris.
You can see this illustrated in the code below:
Besides the flood capabilities, the malware also has crypto-miner capabilities. As shown in the figure below, the malware exploits the new Zend Framework vulnerability (CVE-2021-3007) to run XMRig, a crypto-mining tool that uses the attacked machine resources to mine digital currency.
The malware also tries to get a persistent foothold by adding the Python script inside with boot.py to the rc.local file, so it can run after reboot.
Imperva Research Labs has discovered more than 100 attack attempts on our customers. However, we believe the attack surface for this particular threat is much bigger than we’d usually see. Rough estimation based on public facing servers shows more than 10,000 potential victims.
This is a very interesting and unique case of a complex botnet attack that quickly exploits the latest published vulnerabilities. It requires us, as part of the security community, to act faster than ever before.
Imperva Customers Protected
Imperva Web Application Firewall (WAF) customers were protected from this attack due to our RCE detection rules, although the attack vector is new and exploits the latest vulnerabilities.