PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator – ASEC BLOG

MITRE Techniques

• [T1036] Masquerading – The installer and filenames are designed to look legitimate (Nitro Generator-related names) to disguise malicious activity. “The first distributed malware is an installer type malware created using DRPU Setup Creator … distributing the installer using filenames such as “nitrogen.exe” or “ntrg.exe.””
• [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The downloader creates a startup shortcut so that p.exe (the PYbot) runs after reboot. “and creates a shortcut in the startup folder so that ‘p.exe,’ which is the PYbot, can run even after rebooting.”
• [T1105] Ingress Tool Transfer – Downloader retrieves and executes additional payload from an external source. “It downloads and executes ‘p.exe’ and ‘n.exe’ in the %TEMP% path and creates a shortcut in the startup folder…”
• [T1071.001] Web Protocols – C2 communications and download/payload retrieval occur over web-based channels, including a C2 URL. “C&C URL – cnc.dotxyz[.]cf:666 : PYbot”
• [T1588.002] Acquire Infrastructure – Use of illegal/disguised tooling and distribution infrastructure (Nitro Generator/Discord Nitro theme) to deliver malware. “Nitro Generator is a tool that generates codes that can be used for free access to Nitro.”
• [T1499] Endpoint Denial of Service – The Pybot DDoS bot implements multiple flood types to perform DDoS attacks. “”The DDoS Bot malware PYbot supports various DDoS attack features, allowing it to not only handle basic layer 4 attacks like TCP Flood, TCP SYN Flood, and UPD Flood, but also VSE Flood and HTTP GET Requese Flood attacks.”