While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to make it happen. One of the ways to do that is to infect legitimate devices and use them for running malicious code in the background. That’s where botnets come into play.
According to Spamhaus, the third quarter of 2021 has seen an 82% surge in the number of emerging botnet command & control servers. FastFlux technique has been mostly used by malicious operators to install backdoors for further malware updates and lateral movement.
Large botnets are notoriously hard to kill, with some of them operating for decades. Let’s take a look at the most dangerous of them that are still highly active at the beginning of 2022.
The botnet that used to be described as “world’s most dangerous malware,” is back again, after an official takedown earlier in 2021. The international law enforcement operation orchestrated a mass-uninstall of this malware, cleaning out all the infected computers across the world.
However, these measures stopped Emotet for only a few months. Even after the takedown of all its C&C centers, it recently emerged again, this time operating through another notorious botnet TrickBot.
Emotet sends its malicious malware strains to endpoint devices of presumably random users by email spam. Once downloaded, the code installs additional payloads.
Emotet started off as a banking Trojan but later expanded its influence. Infected devices constitute a Malware-as-a-Service infrastructure for cybercriminal groups, acting as proxy servers that forward the malicious traffic to the real backend. Multiple methods of maintaining persistence and evasion techniques make it difficult to detect this malware. One of the ways to ensure timely detection on an enterprise level is to power up security operation centers with SOC Prime’s Detection as Code Platform which provides the newest threat detection rules in real time.
Just like Emotet, TrickBot started off as a banking Trojan and later on grew into sophisticated modular malware capable of spreading follow-on ransomware, maintaining persistence, and conducting reconnaissance. The malware applies various distribution vectors in multi-purpose campaigns and ultimately, can take complete control over the infected devices. TrickBot is arguably more advanced than Emotet because it updates itself a few times a day and deletes itself once certain tasks are fulfilled.
The configuration of the latest TrickBot version allows attackers to decide what exactly they want to do once the Trojan gets into the target system. For example, they can go for credential harvesting to steal personal and financial data or collect other information like cookies and web history. Otherwise, it is possible for them to install ransomware payloads directly or manipulate web browsing sessions, connecting the infected devices to criminally controlled networks.
Despite the U.S. Department of Justice arresting one of the TrickBot coders Alla Witte, the malware family continues its operation, spreading across millions of computers globally.
The predecessor of Mēris, Mirai botnet appeared in 2016 and has been targeting enterprise-level hardware since then. In 2019, it grew into a network of several related botnets that were sometimes competing with each other. In fact, after the DDoS attack on DNS provider Dyn which took down Twitter, Spotify, and GitHub, Mirai grew to 63 malware variants.
The latest activity of Mirai includes exploiting six critical Azure OMIGOD vulnerabilities, even after the official patch release. The attackers used an Open Management Infrastructure (OMI) software agent to leverage remote code execution or elevate privileges on vulnerable Linux virtual machines running on Microsoft Azure. Thousands of Azure customers and millions of endpoints were estimated to be exposed to the risk of such attacks.
Vulnerabilities were also found in hardware devices like SonicWall, Netgear, and D-Link. Mirai was also found trying to take advantage of the unknown vulnerabilities in the internet-of-things (IoT) gadgets.
The ongoing massive migration to cloud-based environments is supported by large institutions maintaining numerous hardware servers at the backend, providing storage to smaller companies. The activity of botnets like Mirai represents a significant threat because upon shutting down cloud service providers, they can impact business operations on a global scale.
ZeroAccess is a distributed peer-to-peer (P2P) botnet that has been infecting tens of millions of computers since 2011 and operates primarily for the purpose of monetary gains. Some of the most frequently used methods include bitcoin mining, click fraud, information theft, and pay-per-install. ZeroAccess creates separate file systems for stolen credentials and applies rootkit techniques for stealthy communication.
A typical ZeroAccess attack starts by prompting a random user to visit an infected website. This could be executed by sending an email with a link, sharing a torrent file, or even by compromising legitimate sites and redirecting the traffic. Malicious websites hide PHP scripts that exploit security vulnerabilities of the software installed on a victim’s device (Adobe Acrobat, Internet Explorer, etc.). Once infected, the target system turns into a bot and starts the further exploitation of computational power for malicious purposes.
In 2021, the activity of this botnet surged 619,460%, and after that sank down. This is what ZeroAccess has been doing for years: after the massive bursts of activity usually come the periods of complete silence for months before appearing again. Such waves of activity could be explained by malware retooling or theming.
Botnets are nothing new to the cybersecurity community, nevertheless, some of them have been active for years and are still highly dangerous. Governments of countries like the US take measures in tackling these threats but they can help only for a few months, after which the malware rebounds again.
Large botnets require a lot of processing power for their operation, that’s why they are interested in taking over millions of devices of unsuspecting users. And once they do, it is possible for them to install ransomware, shut down the operation of critical infrastructures, steal money, and spy for confidential data. For organizations, it is crucial to conduct an enhanced set of measures to protect their networks of devices against these threats. To streamline their detection capabilities, they might use SOC Prime’s Detection as Code platform that has the latest content to detect the malicious activity caused by botnets described above, along with online translation tools like Uncoder.IO that supports instant content conversion into a variety of SIEM, EDR, and NTDR formats.
By Gary Bernstein
Gary has written for several publications over the last 20 years with his primary focus on technology. He has contributed to sites such as Forbes, Mashable, TechCrunch and several others.