The Watch Commander’s Log is a series that provides a direct view into the threats Agio’s Managed Detection and Response (MDR) team handles for our clients. If you have questions about anything you read here, please feel free to reach out to us at firstname.lastname@example.org. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.
The MDR team came across a botnet through an outbound SSH connection from one of our clients. The botnet is related to the LeetHozer botnet and has ties to an attacker who goes by vbrxmr.
LeetHozer takes cues from the well-known Mirai botnet by adopting the loading and reporting mechanisms but differs in its command and control and the encryption used.
The LeetHozer botnet connects to potential victim machines over telnet or SSH on port 9530 and compromises them by abusing default passwords. After a successful compromise, the botnet propagates by using the victim to scan the internet for other devices with port 9530 open, then reuses its payload to abuse default credentials across the vulnerable devices it finds.
Once the malware has infected a host, it uses encrypted command and control channels to deliver commands and arguments to infected hosts. The botnet is used for large-scale denial of service (DoS) attacks.
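The propagation pattern above suggests two straightforward network detections for a defender: an outbound connection to the IP flagged in this incident, and a single internal host contacting many distinct addresses on tcp/9530. The Python below, added here as an illustration and not part of Agio's write-up, runs both over a constructed set of connection log lines; the log format, the sample addresses and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample connection log lines (not the incident log from the write-up).
# Assumed format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>"
SAMPLE_LOG = """\
2020-05-01T10:00:01Z src=10.0.0.15:51022 dst=18.104.22.168:22 proto=tcp action=allow
2020-05-01T10:00:05Z src=10.0.0.15:51100 dst=203.0.113.7:9530 proto=tcp action=allow
2020-05-01T10:00:06Z src=10.0.0.15:51101 dst=203.0.113.8:9530 proto=tcp action=allow
2020-05-01T10:00:07Z src=10.0.0.15:51102 dst=203.0.113.9:9530 proto=tcp action=deny
2020-05-01T10:00:08Z src=10.0.0.15:51103 dst=203.0.113.10:9530 proto=tcp action=allow
2020-05-01T10:01:00Z src=10.0.0.22:40012 dst=93.184.216.34:443 proto=tcp action=allow
2020-05-01T10:01:30Z src=10.0.0.22:40013 dst=198.51.100.5:9530 proto=tcp action=allow
"""

# The IP flagged in the write-up and the port LeetHozer scans for.
FLAGGED_IPS = {"18.104.22.168"}
SCAN_PORT = 9530
# Hypothetical threshold: distinct destinations on the scan port before calling it a sweep.
SCAN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def parse_lines(text):
    """Yield a dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def detect(text):
    """Return a list of (source_ip, reason) findings for the two detections."""
    findings = []
    scan_targets = defaultdict(set)
    for rec in parse_lines(text):
        if rec["dst"] in FLAGGED_IPS:
            findings.append((rec["src"], f"connection to flagged IP {rec['dst']}"))
        if rec["dport"] == SCAN_PORT:
            # Denied attempts count too: a blocked scan still reveals an infected host.
            scan_targets[rec["src"]].add(rec["dst"])
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append((src, f"{len(targets)} distinct hosts contacted on tcp/{SCAN_PORT}"))
    return findings
```

Running `detect(SAMPLE_LOG)` flags 10.0.0.15 twice (the flagged IP and a four-host sweep on 9530) and leaves 10.0.0.22 alone, since a single 9530 connection is below the threshold.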
This is the raw log of the initial outbound connection to 18.104.22.168, the IP that was flagged by open source intelligence.
Below is the resolution of a web request over HTTPS toward this IP address. No content is displayed or is present other than the author’s ASCII art.
Open source intelligence from the Cisco Talos team shows that the IP in question has been listed on blacklists and has a poor reputation.
The IP has also been found in a Bitdefender article related to the Dark Nexus IoT botnet. This article states the attack uses the IP address to debug issues with command and control nodes.
A web crawl for the ASCII art verbiage has identified a potential Twitter account associated with the malware author.
This graph shows the relationship of files and sites for this IP address from the original incident. The loader and the responder portions of the botnet are displayed on the right. Sites associated with this IP may be other compromised hosts or propagation methods of this botnet.
IoT botnet attacks are a growing threat on an increasingly insecure internet. The attack surface grows daily as new devices with lax security are added to home and business networks. These attacks will continue to rise in popularity as the ability to conduct them and the value of botnets both increase.