Aqua Nautilus researchers uncovered a new DDoS campaign named Panamorfi that uses a Java-based mineping package and is coordinated via Discord, with initial access gained through misconfigured Jupyter notebooks. The campaign performs a TCP flood DDoS and was blocked in real time by Aqua’s CNAPP Runtime Protection. #Panamorfi #yawixooo #mineping #JupyterNotebook #Discord #TCPFlood
Keypoints
- Campaign Name: Panamorfi
- Threat Actor: yawixooo
- Attack Vector: Misconfigured Jupyter notebooks
- Tools Used: Java-based mineping DDoS package (conn.jar and mineping.jar)
- Initial Access: Gained through an exposed Jupyter notebook honeypot
- Control/Coordination: Discord channel used to coordinate the attack
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Use of misconfigured Jupyter notebooks to gain access. Quote: [‘Use of misconfigured Jupyter notebooks to gain access.’]
- [T1203] Exploitation for Client Execution – Execution of Java Jar files downloaded from the internet. Quote: [‘Execution of Java Jar files downloaded from the internet.’]
- [T1071] Command and Control – Uses Discord for command and control of the DDoS attack. Quote: [‘Utilization of Discord for command and control of the DDoS attack.’]
- [T1499] Impact – DDoS attack to disrupt services. Quote: [‘Execution of a DDoS attack to disrupt services.’]
Indicators of Compromise
- [URL] Initial download URL – https://filebin.net/archive/h4fhifnlykw224h9/zip
- [MD5] File hash – 42989a405c8d7c9cb68c323ae9a9a318
- [File] Zip archive name – h4fhifnlykw224h9
- [File] conn.jar – The connector jar containing the initial execution code
- [File] mineping.jar – The mineping DDoS package
Read more: https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/