When we conducted a geolocation of the IP addresses on the botnet, we found that U.S. 1 Most of the victims are hosted on cloud services such as Amazon Web Services (AWS) and DigitalOcean, and about a third are hosted on Linode. For example, last year a different IRC botnet was reported with more than 1,400 bots. This prevented us from pretending to be admins and controlling the bots.ĭuring our research, the botnet peaked at around 350 bots, which is a relatively small size botnet. In the first versions of the malware the channel used was called “#idiot,” revealing the actor’s feelings toward the victims.Įach bot connecting to the server is given a nickname with a “TuYuL” prefix and a random string.Īfter a few days of monitoring the channel, the bot master noticed our activity and registered the nicknames of the admins and white-listed the IRC clients allowed to join the network. The infected server connects to the attacker’s IRC server and joins the configured channel. Some individual bots were spotted spreading the Tuyul malware, but we did not detect a mass activation of the botnet. While monitoring the botnet, we did not notice any activity involving these bots besides maintenance. Unlike previous well-known IRC bots, where commands had more specific descriptions such as DDoS or crypto mining capabilities, Tuyul bot has only general-purpose commands. terminate, suicide: Kills the bot’s connection.įrom the list of commands in the script, it is difficult to determine the intentions of the bot master.update: Downloads and installs a newer version of the malware.noob: Demotes the bot from “pro” status.Allowing the bot to execute commands on other bots. pro: Promotes a bot to a higher privilege.Despite these different versions, the following core functionalities remained the same: While monitoring the campaign, we collected four different versions of the malware source code. If it is unsuccessful, it then tries to download an uncompiled version of the file and execute it using Perl. The dropper instructs the server to download a compiled Perl binary and execute it on the system. The first stage of the infection instructs the server to download a Bash script dropper (see Figure 11). 3 Developing a malicious script in 2020 in Perl makes this threat actor’s choice interesting. Because it can be used to create powerful and dense programs, there are still many Perl users around the globe. Perl is still used due to its low entry barrier and is a common language for script kiddies to learn. As noted in the Key Findings, many IRC botnets are now created with Python. But since 2005, 2 Perl has been on the decline in favor of Python for IRC bots and general programming. 1 The DDoS Perl IRCBot script written in 2012 is still one of the most common IRC malware scripts in use today. Since Perl is easier than lower-level languages such as C, it attracted many script kiddies. In the past, Perl was a popular language for writing attack tools. The malware is written in Perl, and this makes it worth thinking about. The second infection method connects the victim’s server to an IRC botnet. Method #2: Gaining Access via an IRC Botnet It specifically exploits CVE-2017-9841, which enables the attacker to inject arbitrary PHP code on the server. The malware specifically searches for unpatched instances of PHPUnit, a unit testing framework for the PHP programming language. The threat actor uses an uncommon vulnerability for taking over the victim’s server. F5 researchers will remain engaged with this botnet and will report on any future findings.įirst, we discuss some details of the malware itself and then the composition of the attacker’s network. We continue to see this bot being actively worked on and we expect it to continue to grow.For details, see the Possible Attribution section of this article. We came to this assessment based on several clues, including the time zone, the botnet name, the admin nicknames used, and the repository server, among others. There is probable Indonesian attribution for this botnet.This is not typical of what we usually see-oftentimes IRC bots are written in PHP or Python. Bots are written in a variety of programming languages, depending on their function.The peak size we observed had 366 victim systems in the IRC channel. This is notably smaller than other botnets, which can range from around 1,400 infected systems to upwards of 40,000 active systems in use per day. At the last check in mid-February, it was composed of around 350 target systems. The bot, called Tuyul, created a botnet smaller than many we’ve tracked in the past. On January 15, 2020, F5 threat researchers detected a new campaign targeting vulnerable PHPUnit systems (CVE-2017-9841) that tries to install an Internet Relay Chat (IRC) bot.
0 Comments
Leave a Reply. |