Matrix Unleashes A New Widespread DDoS Campaign

Summary:
Aqua Nautilus researchers have identified a significant Distributed Denial-of-Service (DDoS) campaign led by a threat actor known as Matrix, utilizing accessible tools and exploiting vulnerabilities in IoT and enterprise systems. The operation reveals a concerning trend where even individuals with minimal technical knowledge can execute large-scale cyberattacks. The findings emphasize the need for improved security practices to counteract these evolving threats.
#DDoSCampaign #MatrixThreatActor #IoTSecurity

Keypoints:

Matrix orchestrates a widespread DDoS campaign targeting vulnerabilities in IoT and enterprise systems.

The campaign showcases how accessible tools can enable large-scale cyberattacks.

Initial access is gained through brute-force attacks and exploitation of weak credentials.

Matrix’s operations indicate a shift towards targeting both development and production servers.

The threat actor appears to be financially motivated rather than politically driven.

Vulnerabilities in IoT devices remain a primary focus for DDoS botnets.

The campaign utilizes a variety of public scripts and tools, emphasizing the threat posed by script kiddies.

Matrix has developed a Telegram bot for selling DDoS services, indicating a business-driven approach.

MITRE Techniques:

Initial Access

Exploit Public-Facing Application (T1190): Exploits vulnerabilities in IoT devices, routers, and servers.

Valid Accounts (T1078): Uses brute-force attacks with precompiled username-password pairs.

Execution

Command and Scripting Interpreter – Python (T1059.006): Deploys Python scripts and Discord bots for command execution.

Persistence

Create or Modify System Process (T1543): Modifies processes on IoT devices for long-term control.

Implant Software (T1403): Installs botnet clients like Mirai and PYbot.

Defense Evasion

Disable or Modify Tools (T1211): Disables antivirus solutions like Windows Defender.

Masquerading (T1036): Uses legitimate-looking scripts to blend malicious activities.

Credentials Access

Brute Force (T1110): Executes brute-force attacks using curated dictionaries.

Discovery

Network Service Scanning (T1046): Identifies misconfigured or vulnerable devices.

Network Share Discovery (T1135): Identifies accessible shares for lateral movement.

Lateral Movement

Exploitation of Remote Services (T1210): Targets remote services like SSH and Telnet.

Remote Service Session Hijacking (T1550.002): Iterates over SSH keys for lateral movement.

Collection

Data from Local System (T1005): Collects sensitive data from compromised systems.

Command & Control

Web Service (T1102): Uses platforms like Telegram for botnet communication.

Encrypted Channel (T1041): Establishes secure communication using Discord bots.

Impact

Resource Hijacking (T1496): Conducts cryptomining operations.

Service Exhaustion Flood (T1499): Executes Layer 4 and Layer 7 DDoS attacks.

IoC:

[IP Address] 199[.232][.46][.132]

[IP Address] 5[.42][.78][.100]

[IP Address] 78[.138][.130][.114]

[IP Address] 85[.192][.37][.173]

[IP Address] 5[.181][.159][.78]

[IP Address] 217[.18][.63][.132]

[Domain] sponsored-ate.gl.at.ply.gg

[File Hash] MD5: df521f97af1591efff0be31a7fe8b925 (Mirai malware)

[File Hash] MD5: 9c9ea0b83a17a5f87a8fe3c1536aab2f (RiskWare/Win32.Kryptik.a)

[File Hash] MD5: 0e3a1683369ab94dc7d9c02adbed9d89 (Discord DDoS Botnet)

[File Hash] MD5: c7d7e861826a4fa7db2b92b27c36e5e2 (hacktool.sshscan/virtool)

[File Hash] MD5: 53721f2db3eb5d84ecd0e5755533793a (trojan.siggen/casdet)

[File Hash] MD5: d653fa6f1050ac276d8ded0919c25a6f (trojan.gafgyt/mirai)

[File Hash] MD5: 76975e8eb775332ce6d6ca9ef30de3de (trojan.ddosagent/ddos)

Full Research: https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign