When a Botnet Cries: Detecting Botnet Infection Chains

These cookies are used to collect information about how you interact with our website and allow us to remember you.
We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media.
If you decline, your information won't be tracked when you visit this website.
A single cookie will be used in your browser to remember your preference not to be tracked.
Infection chains used by commodity malware are constantly evolving and use various tricks to bypass security measures and/or user awareness.
BumbleBee, QNAPWorm, IcedID and Qakbot are all often used as first-stage malicious code, allowing other more specific payloads to be dropped.
An overview of the infection chains and common detection methods used against them, an outline of how generic detection rules on these infection chains can help in the fight against botnets, and finally a look at how threat intelligence at scale, combined with the rest, creates a solid defence.
First, we provide our analysis of the evolution in the infection chains of a few of the most common botnets seen in 2022 and early 2023.
Our study shows how quickly their techniques evolve.
It also cover some detection use cases for these techniques to show how pointless it can be to build overly specific detection rules for these types of threats.
Secondly, we dig into the creation of more generic rules against known infection chains to detect future threats.
We show how these rules can be relevant and more effective than classic detection rules, which are focused on one technique inside an infection chain.
These generic rules are based on Sigma correlation, which allows the use of multiple Sigma rules, which will be triggered depending on different criteria, such as time range.
Finally, and as an opening to further discussions, we detail our own threat intelligence and detection pipeline which, thanks to command-and-control server tracking, samples configuration extraction and detonation, allows testing detection rules for non regression, all in a common workflow.

This Cyber News was published on blog.sekoia.io. Publication date: Wed, 06 Dec 2023 18:43:05 +0000

Cyber News related to When a Botnet Cries: Detecting Botnet Infection Chains

When a Botnet Cries: Detecting Botnet Infection Chains - These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors ...
7 months ago Blog.sekoia.io

Stealthy KV-botnet hijacks SOHO routers and VPN devices - The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet named 'KV-botnet' since at least 2022 to attack SOHO routers in high-value targets. Volt Typhoon commonly targets routers, firewalls, and ...
6 months ago Bleepingcomputer.com

"Largest Botnet Ever" Disrupted. 911 S5's Alleged Mastermind Arrested - A vast network of millions of compromised computers, being used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation. 35-year-old YunHe Wang, a dual citizen of China and St. Kitts and Nevis, is ...
1 month ago Tripwire.com

Feds Disrupt Botnet Used by Russian APT28 Hackers - Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies. APT28, an ...
4 months ago Securityboulevard.com

Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested - The US Justice Department announced on Wednesday that the massive 911 S5 proxy botnet has been dismantled and its alleged administrator, a Chinese national, has been arrested. The Treasury Department earlier this week announced sanctions against ...
1 month ago Packetstormsecurity.com

US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon - The US government on Wednesday announced a major takedown of a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel. The disruption comes ...
5 months ago Securityweek.com

New botnet malware exploits two zero-days to infect NVRs and routers - A new Mirai-based malware botnet named 'InfectedSlurs' has been exploiting two zero-day remote code execution vulnerabilities to infect routers and video recorder devices. The malware hijacks the devices to make them part of its DDoS swarm, ...
7 months ago Bleepingcomputer.com

Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities - Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations. It comes built with a series of stealth mechanisms and the ability to spread further into local area ...
6 months ago Darkreading.com

Feds go Fancy Bear hunting, take down Russia's GRU botnet The Register - The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets. Moobot ...
4 months ago Go.theregister.com

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
6 months ago Securityweek.com

RUBYCARP hackers linked to 10-year-old cryptomining botnet - A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain. According to a new report by Sysdig, RUBYCARP currently operates a ...
2 months ago Bleepingcomputer.com

Russian admits building now-dismantled IPStorm proxy botnet The Register - The FBI says it has dismantled another botnet after collaring its operator, who admitted hijacking tens of thousands of machines around the world to create his network of obedient nodes. Sergei Makinin, a Russian and Moldovan national, was cuffed in ...
7 months ago Theregister.com

Bigpanzi botnet infects 170,000 Android TV boxes with malware - A previously unknown cybercrime syndicate named 'Bigpanzi' has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015. Beijing-based Qianxin Xlabs reports that the threat group controls a ...
5 months ago Bleepingcomputer.com

PurpleFox malware infected thousands of systems in Ukraine - The Computer Emergency Response Team in Ukraine is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country. The exact impact of this widespread infection and whether it has affected state organizations or ...
5 months ago Bleepingcomputer.com

PurpleFox malware infects thousands of computers in Ukraine - The Computer Emergency Response Team in Ukraine is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country. The exact impact of this widespread infection and whether it has affected state organizations or ...
5 months ago Bleepingcomputer.com

The Role of Zero-Knowledge Proofs in LLM Chains - In today's digital age, data privacy has become a paramount concern for individuals and organizations alike. With the increasing amount of personal and sensitive information being stored and transmitted online, there is a growing need for robust ...
5 months ago Feeds.dzone.com

MySQL servers targeted by 'Ddostf' DDoS-as-a-Service botnet - MySQL servers are being targeted by the 'Ddostf' malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. This campaign was discovered by researchers at the AhnLab Security Emergency Response ...
7 months ago Bleepingcomputer.com

Stealthier version of P2Pinfect malware targets MIPS devices - The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS processors, such as routers and IoT devices. Due to their efficiency and compact design, MIPS chips are prevalent in embedded systems like routers, ...
7 months ago Bleepingcomputer.com

FBI disrupts Moobot botnet used by Russian military hackers - The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies. This network of hundreds of ...
4 months ago Bleepingcomputer.com

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
5 months ago Feeds.dzone.com

Checkmarx Report Surfaces Software Supply Chain Compromises - Checkmarx published an inaugural monthly report this week that finds 56% of the attacks against software supply chains that it analyzed resulted in the theft of credentials and confidential data. More than a quarter of attacks employed some form of ...
4 months ago Securityboulevard.com

iShutdown scripts can help detect iOS spyware on your iPhone - Security researchers found that infections with high-profile spyware Pegasus, Reign, and Predator could be discovered on compromised Apple mobile devices by checking Shutdown. Kaspersky released Python scripts to help automate the process of ...
5 months ago Bleepingcomputer.com

Kaspersky Details Method for Detecting Spyware in iOS - Researchers with cybersecurity firm Kaspersky are detailing a lightweight method for detecting the presence of spyware, including The NSO Group's notorious Pegasus software, in Apple iOS devices. The new method, which calls for looking for traces of ...
5 months ago Securityboulevard.com

Explore How Emojideploy Botnet Exploited Microsoft Azure for Remote Code Execution - As cloud computing gains more popularity among businesses, the threat of cyber-attack surfaces to the fore. Microsoft Azure is not immune to security issues, as the recent exploit involving Emojideploy Botnet demonstrates. In this article, we will ...
1 year ago Securityaffairs.com

Latest Cyber News

CVE-2024-6229 - 6 hours ago
CVE-2024-40614 - 7 hours ago
CVE-2024-40605 - 22 hours ago
CVE-2024-40604 - 22 hours ago
CVE-2024-40603 - 22 hours ago
CVE-2024-40602 - 22 hours ago
CVE-2024-40601 - 22 hours ago
CVE-2024-40600 - 22 hours ago
CVE-2024-40599 - 22 hours ago
CVE-2024-40598 - 22 hours ago
CVE-2024-40596 - 22 hours ago
CVE-2024-40597 - 22 hours ago
CVE-2024-6095 - 1 day ago
CVE-2024-37554 - 1 day ago
CVE-2024-37553 - 1 day ago
CVE-2024-37547 - 1 day ago
CVE-2024-37546 - 1 day ago
CVE-2024-37542 - 1 day ago
CVE-2024-37541 - 1 day ago
CVE-2024-37539 - 1 day ago

Cyber Trends (last 7 days)

Okta - 7 months ago
23andMe - 7 months ago
Kimsuky - 7 months ago
LogoFAIL - 7 months ago
Gh0st rat - 7 months ago

Trending Cyber News (last 7 days)

CVE-2024-6229 - 6 hours ago
CVE-2024-40614 - 7 hours ago
CVE-2024-40605 - 22 hours ago
CVE-2024-40604 - 22 hours ago
CVE-2024-40603 - 22 hours ago
CVE-2024-40602 - 22 hours ago
CVE-2024-40601 - 22 hours ago
CVE-2024-40600 - 22 hours ago
CVE-2024-40599 - 22 hours ago
CVE-2024-40598 - 22 hours ago
CVE-2024-40596 - 22 hours ago
CVE-2024-40597 - 22 hours ago
CVE-2024-6095 - 1 day ago
CVE-2024-37553 - 1 day ago
CVE-2024-37554 - 1 day ago
CVE-2024-37547 - 1 day ago
CVE-2024-37546 - 1 day ago
CVE-2024-37542 - 1 day ago
CVE-2024-37541 - 1 day ago
CVE-2024-37539 - 1 day ago