Exploring a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates | Hunt.io

An exposed server was found hosting DDoS tooling (ddos.py and installation scripts referencing ZxCDDoS), SpyNote-related APKs with hardcoded C2s, multiple cryptocurrency phishing pages, and ransom-note web pages. The artefacts include observable IOCs such as 142.93.113[.]245:7771 and several SHA-256 hashes useful for triage. #SpyNote #ZxCDDoS

Keypoints

  • Open server contained DDoS tools: a Python script (ddos.py) targeting aisrael[.]org and a ddos.txt with Bash commands to deploy ZxCDDoS.
  • ddos.py sends repeated HTTP requests using the requests library and spawns many threads to overwhelm the target.
  • ddos.txt automates dependency installation (git, golang, python, nodejs), clones ZxCDDoS, and runs its c2.py to initiate attacks.
  • Multiple APKs (Chrome.apk, Telegram(3).apk, rn.apk) were present; Chrome.apk and Telegram(3).apk exhibited SpyNote behavior and used a DigitalOcean-hosted C2 (142.93.113[.]245:7771).
  • Phishing HTML pages impersonated Binance, Coinbase, Kraken, and WeChat and referenced EagleSpy RAT for credential harvesting and remote control.
  • Ransomware-themed pages (crypto.html, ransomware.html) contained ransom text and a misformatted wallet address, and threatened to expose data unless payment was made.
  • Network and file observables (IP addresses, ports, SHA-256 hashes, filenames) are listed for incident response and blocking.

MITRE Techniques

  • [T1071] Initial Access (Application Layer Protocol) – Phishing pages used to collect credentials and initiate access. [‘Phishing: Use of phishing pages to steal credentials.’]
  • [T1203] Execution (Exploitation for Client Execution) – Attackers executed DDoS scripts and invoked downloaded tooling to run attacks. [‘Execution of DDoS scripts and malware via compromised applications.’]
  • [T1136] Persistence (Create Account / Maintain Access) – Malicious APKs were used to maintain access on compromised devices. [‘Use of malicious apps to maintain access to compromised devices.’]
  • [T1081] Credential Access (Credentials in Files) – Credentials and unlock patterns were harvested via phishing pages and malicious apps. [‘Stealing credentials through phishing pages and malicious apps.’]
  • [T1041] Exfiltration (Exfiltration Over C2 Channel) – Stolen data and credentials were sent to external C2 infrastructure. [‘Sending stolen data to external servers via command and control (C2) channels.’]
  • [T1486] Impact (Data Encrypted for Impact / Ransomware) – Ransom-note pages indicate intent to extort victims and possibly deploy ransomware. [‘Ransomware delivery indicated by ransom notes demanding payment.’]

Indicators of Compromise

  • [IP Address] C2 and hosting – 142.93.113[.]245:7771 (C2 for Chrome.apk), 137.184.53[.]152:443 (open directory hosting files)
  • [File Hash] malware and artefacts – 98d8e7539a94c278b1ba4a537953e74d03483f88ecb06f5c78038933d8e4b1d3 (Chrome.apk), 6613f6fcc52a2027e822f32f73d94a32b098eaf686dc059ed79fbe35f1afd35f (ddos.py), and 6 more hashes
  • [Domain] targets and references – aisrael[.]org (DDoS target), https://github.com/hoaan1995/ZxCDDoS/ (repo referenced in ddos.txt)
  • [File Name] malicious files – Chrome.apk (SpyNote sample), ddos.py (Python DDoS script), crypto.html (ransom note), and other files listed on the server

The server’s technical footprint shows a clear operational workflow: the attacker provided automation (ddos.txt) to bootstrap Debian/Ubuntu systems by installing Git, Golang, Python (2/3), pip, Node.js, and required libraries, then cloning the ZxCDDoS repository and running its c2.py to launch coordinated DDoS activity. The included ddos.py is a simple multi-threaded Python script that repeatedly issues HTTP GET requests to a hardcoded target (aisrael[.]org) using the requests library and prints status codes; ddos.txt also contains ulimit tweaks, chmod operations, and dependency installation to ensure the environment can run high-concurrency attacks.

Mobile compromise and credential-harvesting workflows are evident in the APK samples and HTML pages. Chrome.apk and Telegram(3).apk are SpyNote variants configured to reach a DigitalOcean-hosted C2 at 142.93.113[.]245:7771; the rn.apk sample is flagged as riskware but was hosted alongside SpyNote samples. Phishing pages impersonating Binance, Coinbase, Kraken, and WeChat capture login data and unlock patterns; some pages forward collected patterns/PINs to a Telegram account, while HTML source references EagleSpy RAT for remote control and data theft.

The ransomware/extortion flow appears to be staged via web-based splash and payment pages (ransomware.html → crypto.html). The ransom note requests payment in BTC with a provided address that appears misformatted for the declared token, suggesting either a work in progress or an operational error. Response and containment should prioritize blocking the listed IPs and C2 ports, blacklisting the provided SHA-256 hashes and filenames, and taking down the open directory hosting the files to prevent further distribution.
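The blocking and blacklisting step above can be turned into a small triage check. The script below is an added example, not code from the page or from Hunt.io: it refangs the indicators published on this page and matches them against constructed connection records and a sha256sum-style file manifest (both invented for the example), distinguishing confirmed hash matches from weaker filename-only matches.

```python
import os
import re

# Indicators copied from this page, in the defanged form in which they are published.
IOC_ENDPOINTS = {"142.93.113[.]245:7771", "137.184.53[.]152:443"}
IOC_SHA256 = {
    "98d8e7539a94c278b1ba4a537953e74d03483f88ecb06f5c78038933d8e4b1d3",  # Chrome.apk
    "6613f6fcc52a2027e822f32f73d94a32b098eaf686dc059ed79fbe35f1afd35f",  # ddos.py
}
IOC_FILENAMES = {"Chrome.apk", "Telegram(3).apk", "rn.apk", "ddos.py", "ddos.txt", "crypto.html"}

# Constructed sample inputs (not from the page): firewall-style connection records
# and a sha256sum-style manifest of files collected from a device under triage.
CONN_LOG = [
    "ts=1718000000 src=10.0.0.12 dst=142.93.113.245:7771 proto=tcp",
    "ts=1718000005 src=10.0.0.12 dst=203.0.113.5:443 proto=tcp",
    "ts=1718000009 src=10.0.0.40 dst=137.184.53.152:443 proto=tcp",
]
MANIFEST = """\
98d8e7539a94c278b1ba4a537953e74d03483f88ecb06f5c78038933d8e4b1d3  /sdcard/Download/Chrome.apk
0000000000000000000000000000000000000000000000000000000000000000  /sdcard/Download/Telegram(3).apk
1111111111111111111111111111111111111111111111111111111111111111  /sdcard/Download/notes.txt
"""

def refang(ioc: str) -> str:
    """Reverse common defanging ('[.]' and 'hxxp') so published indicators match live data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def match_connections(lines):
    """Return (record, endpoint) for each record whose destination ip:port is a listed C2/hosting endpoint."""
    endpoints = {refang(e) for e in IOC_ENDPOINTS}
    pat = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}:\d+)")
    hits = []
    for line in lines:
        m = pat.search(line)
        if m and m.group(1) in endpoints:
            hits.append((line, m.group(1)))
    return hits

def match_manifest(manifest: str):
    """Return (path, reason): 'sha256' is a confirmed match, 'filename' alone only warrants a closer look."""
    hits = []
    for entry in manifest.strip().splitlines():
        digest, path = entry.split(None, 1)
        if digest.lower() in IOC_SHA256:
            hits.append((path, "sha256"))
        elif os.path.basename(path) in IOC_FILENAMES:
            hits.append((path, "filename"))
    return hits
```

Filename-only hits (such as a Telegram(3).apk whose hash is not among the published ones) should be confirmed by hashing the file rather than acted on directly, since the names are generic.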

Read more: https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages