Zerobot is a Go-based IoT botnet observed by FortiGuard Labs that exploits multiple vulnerabilities to infect devices, self-replicate, and propagate using various protocols. It communicates with a WebSocket-based C2 and has evolved to include a selfRepo module…
Tag: IOT
IoT botnets are increasingly evading detection as attackers modify malware to hide from analysts, using UPX packing, ELF header changes, and other anti-analysis tricks. The study of 728 IoT samples collected from honeypots over 15 days also shows how attackers…
Microsoft researchers warn that vulnerable Boa web servers embedded in IoT SDKs create supply-chain risk across critical infrastructure by enabling attackers to silently access networks and gather information. The post highlights Boa prevalence, CVEs in RealTe…
FortiGuard Labs reports that RapperBot has re-emerged in October 2022 as a DDoS-focused IoT botnet aimed at game servers, leveraging Telnet brute-forcing with embedded credentials to propagate. The campaign maintains a similar C2 protocol to earlier RapperBot …
Daixin Team is a ransomware and data extortion group focused on Healthcare and Public Health sector targets in the U.S., using VPN compromises and credential theft to deploy ransomware on ESXi servers and exfiltrate data. The FBI/CISA/HHS advisory details TTPs…
In April, VMware patched CVE-2022-22954, but attacks exploiting remote code execution via server-side template injection persisted, delivering Mirai variants, RAR1Ransom, and GuardMiner payloads to exposed VMware Workspace ONE Access and Identity Manager insta…
Domain shadowing is a stealth DNS hijacking technique where attackers create malicious subdomains under compromised domains, leveraging their benign reputation to carry out phishing, malware distribution, and C2 activities. Palo Alto Networks introduces an aut…
Trend Micro’s analysis shows active exploitation of CVE-2022-26134 in Atlassian Confluence servers for cryptocurrency mining and other malware. The attacker uses an OGNL payload to trigger remote code execution, downloads ro.sh and ap.sh scripts, and ultimatel…
Arctic Wolf Labs analyzed a Lorenz ransomware intrusion that exploited CVE-2022-29499 on a Mitel MiVoice Connect appliance to gain initial access and deploy encryption with BitLocker. The attackers used LOLBins, Chisel tunneling, and FileZilla for data exfiltr…
Unit 42 researchers describe MooBot, a Mirai variant, that leverages four D-Link vulnerabilities to seize control of exposed devices and deploy a botnet for DDoS attacks. The campaign downloads MooBot from a remote host, communicates with a C2 server, and incl…
FortiGuard Labs tracks RapperBot, a rapidly evolving IoT malware family that borrows heavily from Mirai but switches from Telnet to SSH brute forcing for initial access on Linux devices. The campaign shows notable persistence and credential-access capabilities…
Dark Utilities is a C2-as-a-Service platform released in early 2022 that provides remote access, DDoS, and cryptocurrency mining capabilities, with payloads for Windows, Linux, and Python hosted on IPFS to resist takedowns. Since launch, malware samples have r…
Symbiote hooks libc and libpcap to hide its activity on Linux, including hiding processes, files, and network connections. It steals credentials from SSH/SCP by hooking the libc read function, encrypts them with RC4, stores them locally, and exfiltrates via DN…
This joint Cybersecurity Advisory explains that Maui ransomware has been used by North Korean state-sponsored actors since May 2021 to target Healthcare and Public Health sector organizations, detailing TTPs and IOCs. It urges mitigations and reporting, and wa…
Symbiote is a highly evasive Linux threat that infects running processes by loading as a shared object via LD_PRELOAD to gain rootkit capabilities and remote access. Researchers describe its stealthy behavior—hiding itself and other malware, evading live foren…