Attacks Targeting Linux SSH Servers to Install SVF DDoS Bot

AhnLab Security Intelligence Center (ASEC) has identified attacks on poorly managed Linux servers using the SVF Botnet, a Python-based DDoS bot that communicates via Discord and employs multiple proxy servers. The malware facilitates various DDoS attack methods, including L7 HTTP Flood and L4 UDP Flood, and uses public proxy lists to enhance attack capability.

Key points

  • ASEC detected attacks targeting Linux servers with weak SSH credentials to install the SVF Botnet malware.
  • SVF Botnet is developed in Python and uses Discord as its Command and Control (C2) server.
  • The bot supports multiple commands focused on DDoS attacks, including custom HTTP and UDP flood methods.
  • SVF Botnet retrieves and validates proxy addresses from multiple public proxy sources to use in L7 HTTP flood attacks.
  • The malware sends the infected server’s name via webhook and organizes bots into groups for targeted command execution.
  • An updated version of SVF Botnet may be distributed in the future, though the current download location is inactive.
  • Administrators are advised to secure their Linux servers with strong passwords, firewalls, latest patches, and updated antivirus solutions like AhnLab V3.

MITRE Techniques

  • [T1110] Brute Force – The attack exploits weak SSH credentials to gain unauthorized access to Linux servers (“the SSH service using weak credentials”).
  • [T1592] Gather Victim Network Information – SVF Botnet downloads proxy lists from public sources to facilitate attacks (“The malware first obtains a list of proxy addresses from the following 10 addresses”).
  • [T1071] Application Layer Protocol – The malware uses Discord as its Command and Control (C2) channel (“can authenticate with the Discord server using the following Bot Token and then operate according to the threat actor’s commands”).
  • [T1499] Endpoint Denial of Service – Bot commands support L7 HTTP Flood and L4 UDP Flood DDoS attacks (“Most of the supported commands are for DDoS attacks, with L7 HTTP Flood and L4 UDP Flood being the main types supported”).
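As an added defender-side example (not code from the ASEC report), the two detections below cover the initial access and C2 stages described above: a guessed weak SSH credential (T1110) and a Python process talking to Discord (T1071). The sshd lines and the "process host port" connection records are constructed sample input, and that record format is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sshd lines (not from the ASEC report) modelled on the
# weak-credential SSH brute force that precedes the SVF install.
SSHD_LOG = """\
Jul 14 03:12:01 web01 sshd[2201]: Failed password for root from 198.51.100.23 port 51012 ssh2
Jul 14 03:12:03 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51014 ssh2
Jul 14 03:12:05 web01 sshd[2205]: Failed password for root from 198.51.100.23 port 51016 ssh2
Jul 14 03:12:07 web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51018 ssh2
Jul 14 03:12:09 web01 sshd[2209]: Accepted password for root from 198.51.100.23 port 51020 ssh2
Jul 14 03:15:40 web01 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
"""

# Constructed outbound-connection records "process host port" (hypothetical
# format, e.g. a process-to-netflow join exported from an EDR or auditd).
CONN_LOG = """\
python3 discord.com 443
python3 gateway.discord.gg 443
python3 api.proxyscrape.com 443
nginx 203.0.113.9 443
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")

def brute_force_then_success(log, threshold=4):
    """Return (ip, user, failures) for sources with >= threshold failed passwords followed by a password login."""
    failures = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        # Only password logins count: a guessed weak credential, not a key-based login.
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            hits.append((m.group(3), m.group(2), failures[m.group(3)]))
    return hits

DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")

def python_discord_egress(conn_log):
    """Flag Python interpreters reaching Discord endpoints (the C2 channel SVF uses)."""
    flagged = []
    for line in conn_log.splitlines():
        proc, host, port = line.split()
        if proc.startswith("python") and host.endswith(DISCORD_HOSTS):
            flagged.append((proc, host, int(port)))
    return flagged
```

On a server with no legitimate Discord integration, a hit from both functions on the same host within minutes is a strong signal worth an immediate credential reset and process review.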

Indicators of Compromise

  • [MD5 Hash] Malware file hash – cffe3fb6cb3e4b9b453c4147bdcd8c12
  • [URL] Malicious download sources – hxxp://146.59.239[.]144:55/ (used for downloading main.py), https://termbin[.]com/4ccx (used to download main.py script)
  • [IP Address] Malicious server IP – 185[.]254[.]75[.]44 (associated with attack activity)

Read more: https://asec.ahnlab.com/en/89083/