A Botnet Capable of Performing DDoS, Ransomware, and Bruteforce Attacks
Mirai, active since 2016, is a botnet that targets vulnerable Linux-based network devices such as routers, IP cameras and other IoT equipment. It exploits those vulnerabilities to take full control of the device and then uses that foothold for malicious activity, including Distributed Denial of Service (DDoS) attacks and the download of additional malware.
Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the Mirai botnet's activity.
The statistics below cover Mirai botnet attacks observed during January 2023 through the Cyble Global Sensor Intelligence (CGSI).
Recently, CRIL uncovered a Mirai variant (SHA256: 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c) that downloads and propagates a new botnet, the "Medusa Botnet". When run, the Mirai sample connects to its command and control (C&C) server, retrieves the file "medusa_stealer.sh" and executes it.
The figure below illustrates the malware’s communication with its Command and Control (C&C) IP address.
The downloaded medusa_stealer.sh file contains the commands to download and execute Medusa malware files on Linux machines.
The content of the medusa_stealer.sh is shown below.
At the time of analysis, the download links were unavailable. Based on the C&C communication pattern, however, CRIL researchers were able to locate the Python source code of the Medusa botnet client. The technical details below describe the features of that Python client.
Medusa Botnet Client
The Medusa botnet client takes four parameters from the C&C server: method, IP, port and timeout.
- Method: the command to execute, which selects the malicious activity (DDoS attack, ransomware, brute-force attack, etc.)
- IP: IP address of the attack target
- Port: port number of the attack target
- Timeout: duration of the attack
The Medusa botnet can launch Distributed Denial of Service (DDoS) attacks at Layer 3, Layer 4 and Layer 7. The attacks can be carried out either with spoofed source IP addresses or with the real IP address of the infected machine on which the client runs. The spoofer() function generates random source IP addresses, making it hard for the target to determine where the DDoS traffic actually originates. Source spoofing needs raw sockets, and therefore root privileges on the infected host, which a Mirai-compromised device typically provides.
The figure below illustrates the code for the spoofer() function.
The malware implements the following DDoS attack methods, grouped by whether they spoof the source address:

| Spoofing attack methods | No-spoofing attack methods |
|---|---|
| gre_spoof, icmp_spoof, udp_spoof, syn_spoof, ack_spoof, fin_spoof, rst_spoof, psh_spoof, http_get_flood, http_raw_flood, cloudflare_browser_flood | gre_no_spoof, udp_no_spoof, handshake_no_spoof, ack_no_spoof, fin_no_spoof, rst_no_spoof, psh_no_spoof, syn_no_spoof |
The Medusa botnet can also act as ransomware through the MedusaRansomware() function. It walks every directory looking for files whose extension appears in the "extensions" list, encrypts each one and appends ".medusastealer" to the file name.
The files are encrypted with a Python library using a 256-bit AES key. System files and files that already carry the ".medusastealer" extension are skipped.
The figure below shows the list of extensions targeted in the system by MedusaRansomware.
The below figure shows the code snippet of the MedusaRansomware() function used for file encryption.
After encrypting the files, the ransomware sleeps for 24 hours and then forcibly deletes every file on the system drives, as shown below.
Finally, the ransomware function displays a ransom note with instructions for recovering the victim's encrypted files, as shown below.
Because the note is displayed only after the files have already been deleted, the ransom flow defeats its own purpose; the ransomware implementation appears to be faulty.
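The description above (targeted extensions, the appended ".medusastealer" suffix, skipped system and already-encrypted files, deletion after 24 hours) is enough to scope an incident quickly. The script below is an added example for this write-up, not the malware's code or Cyble tooling: it inventories files already renamed with the suffix and lists the files the described selection rule would still hit. The targeted-extension list appears on the page only as an image, so the short list here is an assumption, as are the system-path prefixes; the sample tree is constructed in a temporary directory.

```python
"""Scope a MedusaRansomware() incident: count files already carrying the
".medusastealer" suffix and list files the described selection rule would
still target. Added example for this write-up, not the malware's code or
Cyble tooling. TARGET_EXTENSIONS and SYSTEM_PREFIXES are assumptions; the
sample tree is constructed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".medusastealer"
# Assumed stand-in for the "extensions" list shown only in the page's figure.
TARGET_EXTENSIONS = {".txt", ".doc", ".docx", ".jpg", ".pdf", ".sql", ".zip"}
# Assumed "system file" locations the ransomware is said to skip.
SYSTEM_PREFIXES = ("/proc", "/sys", "/dev", "/bin", "/sbin", "/usr", "/lib", "/etc", "/boot")


def would_target(path: Path) -> bool:
    """Selection rule as described: targeted extension, not a system file,
    not already encrypted."""
    if path.suffix == ENCRYPTED_SUFFIX:
        return False
    if str(path).startswith(SYSTEM_PREFIXES):
        return False
    return path.suffix.lower() in TARGET_EXTENSIONS


def triage(root) -> dict:
    """Walk a tree and report what is already encrypted and what is exposed."""
    encrypted, at_risk = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.suffix == ENCRYPTED_SUFFIX:
                encrypted.append(p)
            elif would_target(p):
                at_risk.append(p)
    # The original extension is whatever is left once ".medusastealer" is stripped.
    by_orig = Counter(Path(p.stem).suffix or "(none)" for p in encrypted)
    return {
        "encrypted": len(encrypted),
        "by_original_extension": dict(by_orig),
        "at_risk": len(at_risk),
        "at_risk_files": sorted(str(p.relative_to(root)) for p in at_risk),
    }


def build_sample_tree() -> str:
    """Constructed directory for the demo (not data from a real incident)."""
    root = tempfile.mkdtemp(prefix="medusa-triage-")
    layout = {
        "docs/report.docx.medusastealer": b"\x00" * 16,
        "docs/notes.txt.medusastealer": b"\x00" * 16,
        "photos/a.jpg": b"jpg",
        "photos/b.jpg.medusastealer": b"\x00" * 16,
        "db/dump.sql": b"select 1;",
        "scripts/run": b"#!/bin/sh\n",   # no extension: not targeted
        "README.md": b"# hi\n",          # .md is not in the assumed list
    }
    for rel, data in layout.items():
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

If the inventory shows any ".medusastealer" files, the 24-hour sleep before the bulk deletion is the window in which to isolate the host and image the disk; the at-risk list shows what the encryption pass has not yet reached.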
Brute-Force Attack and Additional Payload Injection
The Medusa bot can brute-force Telnet services on internet-connected devices using the ScanWorld() function, which carries out the brute-force attack and then injects an additional payload in the following steps:
- It starts by defining two lists, username_scanner and password_scanner, containing commonly used usernames and passwords.
- It then downloads a payload file, "client-tcp", with "wget" (URL: hxxps[:]//medusa-stealer[.]cc/payload/client-tcp) and stores it in the variable infection_medusa_stealer. The download link was unavailable during analysis, so the exact purpose of "client-tcp" is not yet known.
- The function then runs zmap to scan the internet for devices with a Telnet service on port 23 and writes the results to a file, "zmap.txt".
- It reads the IP addresses from "zmap.txt" and attempts to connect to the Telnet service on each one.
- For each IP address, it tries every combination of usernames and passwords from the username_scanner and password_scanner lists.
- If a login succeeds, the function delivers the downloaded payload, infection_medusa_stealer, to the compromised system over the established Telnet session.
The figure below shows the code snippet of the ScanWorld() function used for the brute-force attacks on Telnet services.
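The two network behaviours described for ScanWorld() (a zmap sweep of tcp/23 followed by a username/password loop against whatever answers) are both visible in ordinary connection and authentication telemetry. The script below is an added example for this write-up, not the botnet's code or Cyble tooling: it flags a source that touches many distinct hosts on port 23 in a short window, and a source that fails repeatedly against one host and then succeeds. The record format, the thresholds and the sample records are assumptions constructed for the demo.

```python
"""Detect ScanWorld-style Telnet scanning and credential brute forcing in
connection/auth records. Added example for this page, not the botnet's or
Cyble's code. ConnRecord layout, thresholds and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TELNET_PORT = 23


@dataclass(frozen=True)
class ConnRecord:
    ts: datetime
    src: str
    dst: str
    dport: int
    login_ok: Optional[bool]  # None: connection only, no login attempt observed


def detect_scanners(records, window=timedelta(minutes=5), min_targets=20):
    """One source reaching many distinct destinations on tcp/23 inside a
    short window is the signature of the zmap step. Returns {src: max
    distinct targets seen in any window}."""
    by_src = defaultdict(list)
    for r in records:
        if r.dport == TELNET_PORT:
            by_src[r.src].append(r)
    hits = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        lo = 0
        for hi in range(len(rs)):  # sliding time window over sorted records
            while rs[hi].ts - rs[lo].ts > window:
                lo += 1
            targets = {r.dst for r in rs[lo:hi + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_bruteforce(records, min_failures=5):
    """Repeated failed Telnet logins from one source to one host is the
    wordlist loop; a success on the same pair means the payload was likely
    delivered. Returns {(src, dst): {"failures": n, "compromised": bool}}."""
    fails = defaultdict(int)
    success = set()
    for r in records:
        if r.dport != TELNET_PORT or r.login_ok is None:
            continue
        key = (r.src, r.dst)
        if r.login_ok:
            success.add(key)
        else:
            fails[key] += 1
    return {k: {"failures": n, "compromised": k in success}
            for k, n in fails.items() if n >= min_failures}


def sample_records():
    """Constructed telemetry for the demo, not real captures."""
    t0 = datetime(2023, 1, 15, 10, 0, 0)
    recs = []
    for i in range(30):  # sweep of 30 hosts, SYN only
        recs.append(ConnRecord(t0 + timedelta(seconds=2 * i), "198.51.100.7", f"203.0.113.{i + 1}", 23, None))
    for i in range(7):   # seven wrong guesses against one responder
        recs.append(ConnRecord(t0 + timedelta(minutes=2, seconds=i), "198.51.100.7", "203.0.113.9", 23, False))
    recs.append(ConnRecord(t0 + timedelta(minutes=2, seconds=8), "198.51.100.7", "203.0.113.9", 23, True))
    recs.append(ConnRecord(t0 + timedelta(minutes=3), "192.0.2.10", "203.0.113.50", 23, True))  # admin login
    recs.append(ConnRecord(t0, "192.0.2.11", "203.0.113.51", 22, False))                         # unrelated SSH
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("scanners:", detect_scanners(recs))
    print("brute force:", detect_bruteforce(recs))
```

A single successful admin login to a switch over Telnet does not trip either rule; the scanner needs breadth across destinations and the brute-force rule needs depth of failures against one pair. Tune min_targets and window to the size of the address space your sensors actually see.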
FivemBackdoor and SSH Login
The Medusa botnet is equipped to receive the commands "FivemBackdoor" and "sshlogin", which suggest backdoor access and SSH login attempts. However, the client Python file contains no corresponding code, which indicates that the Medusa botnet is either still under development or that the analyzed files are incomplete.
The send_data() function collects information about the infected system and sends it to the remote server at "hxxps://medusa-stealer[.]cc/add/bot". Internally it calls all_data_system(), which gathers the username, hostname, IP address, operating system, CPU and RAM usage, total number of CPU cores and a unique identifier for the system. The collected information is stored in a dictionary variable, 'data', and returned by the function.
send_data() then posts the victim's stolen information to the remote server with the HTTP POST method and a custom "User-Agent" header, "medusa-stealer/1.0". The image below shows the code snippet of the send_data() function used for exfiltration.
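The custom User-Agent, the /add/bot registration endpoint and the download URLs listed in this write-up are all visible at a web proxy or egress gateway. The script below is an added example for this page, not the botnet's code or Cyble tooling: it refangs the indicators exactly as they are written here, then flags matching lines in a proxy log. The tab-separated log layout and the sample lines are constructed for the demo; the last sample line shows why the User-Agent and the POST to /add/bot are worth matching on their own, since they survive a change of C&C infrastructure.

```python
"""Flag Medusa C&C traffic in web-proxy logs using the indicators named in
this write-up. Added example for this page, not the botnet's code or Cyble
tooling. The log layout and SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators as written on the page (defanged); refanged below.
DEFANGED_IOCS = [
    "hxxp://45.145.167[.]117/medusa_stealer.sh",
    "hxxps://medusa-stealer[.]cc/payload/client-tcp",
    "hxxps://medusa-stealer[.]cc/add/bot",
]
IOC_USER_AGENT = "medusa-stealer/1.0"


def refang(ioc: str) -> str:
    """Turn hxxp(s)://host[.]tld back into a matchable URL."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")


IOC_URLS = [urlsplit(refang(u)) for u in DEFANGED_IOCS]
IOC_HOSTS = {u.hostname for u in IOC_URLS}
IOC_PATHS = {u.path for u in IOC_URLS}

# Assumed proxy log layout: ts TAB client TAB method TAB url TAB status TAB user-agent
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<method>[A-Z]+)\t(?P<url>\S+)\t(?P<status>\d{3})\t(?P<ua>.*)$"
)


def classify(line: str):
    """Return an alert dict for a suspicious log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons = []
    if m["ua"].strip() == IOC_USER_AGENT:
        reasons.append("user-agent")        # custom header set by send_data()
    if url.hostname in IOC_HOSTS:
        reasons.append("host")
    if url.path in IOC_PATHS:
        reasons.append("path")
    if m["method"] == "POST" and url.path == "/add/bot":
        reasons.append("bot-registration")  # victim system data leaving the network
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "url": m["url"],
            "status": m["status"], "reasons": reasons}


def scan(log_text: str):
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


def infected_hosts(alerts):
    """Collapse alerts into per-client evidence for triage."""
    hosts = {}
    for a in alerts:
        hosts.setdefault(a["src"], set()).update(a["reasons"])
    return hosts


# Constructed sample log: one infected client, one benign client, one client
# beaconing with the same shape to infrastructure not on the IOC list.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2023-01-16T09:12:03Z", "10.0.0.23", "GET", "http://45.145.167.117/medusa_stealer.sh", "200", "Wget/1.21.3"),
    ("2023-01-16T09:12:05Z", "10.0.0.23", "GET", "https://medusa-stealer.cc/payload/client-tcp", "404", "Wget/1.21.3"),
    ("2023-01-16T09:12:09Z", "10.0.0.23", "POST", "https://medusa-stealer.cc/add/bot", "200", "medusa-stealer/1.0"),
    ("2023-01-16T09:13:41Z", "10.0.0.41", "GET", "https://example.com/index.html", "200", "Mozilla/5.0"),
    ("2023-01-16T09:15:00Z", "10.0.0.57", "POST", "https://203.0.113.5/add/bot", "200", "medusa-stealer/1.0"),
])

if __name__ == "__main__":
    for src, why in infected_hosts(scan(SAMPLE_LOG)).items():
        print(src, sorted(why))
```

The 404 on the client-tcp download mirrors what the analysis observed (the link was unavailable); a fetch that fails is still a strong signal that the wget step in medusa_stealer.sh ran on that client.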
With the growing popularity of Linux systems, threat actors have refined their methods for attacking them. In this case, the threat actors use the well-known Mirai Linux botnet to drop a new malware, the Medusa botnet, which not only has DDoS capabilities but can also carry out ransomware and brute-force attacks, download additional payloads and steal sensitive information from the victim's machine.
We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading pirated software from warez/torrent websites. "Hack tools" advertised on sites such as YouTube and torrent sites commonly carry such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Disable Telnet on internet-facing devices and change the default credentials on routers, IP cameras and other IoT devices; the Telnet scanner described above depends on both.
- Update and upgrade your computer, mobile and other connected devices.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing and untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., torrent/warez sites.
- Monitor network traffic for beaconing and block data exfiltration by malware or threat actors.
- Enable Data Loss Prevention (DLP) solutions on employees' systems.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Discovery | T1518.001 | Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1571 | Non-Standard Port |
Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| 2491bb75c8a3d3b8728ab46a933cd81f8176c1f9d7292faeecea67d71ce87b5c | SHA256 | Mirai Binary (medusa_stealer.x86) |
| 54c67bb062d73ae9fabf5f0e1e2136e05cb6e69b | SHA1 | Mirai Binary (medusa_stealer.x86) |
| ed64d941fd8603196c0e31ae58c1992d | MD5 | Mirai Binary (medusa_stealer.x86) |
| hxxp://45.145.167[.]117/medusa_stealer.sh | URL | URL delivering the medusa_stealer.sh file |
| 2f2759b5933f06c9fdbc87ea941e8ef53ea0e3b715afd57de52ed2927d197c33 | SHA256 | Malicious Python Script (clientv2.py) |
| 088332f4ff6b6a12f094a429d6f60ec500d3d85b | SHA1 | Malicious Python Script (clientv2.py) |
| 336674857b5ede1e09daeff1a14adedc | MD5 | Malicious Python Script (clientv2.py) |
| bce94b214a6bae00b03ada34c66210d9143895d6c0be9e21c10e9951cc469fbf | SHA256 | Malicious Python Script (clientv2.py) |
| dc6ea04feb31eb9539f577d7965d0fb925dd7e52 | SHA1 | Malicious Python Script (clientv2.py) |
| ed24c7c0b73887e35f1c12ab0dda98fe | MD5 | Malicious Python Script (clientv2.py) |
| 48f5f09ddd7089a9397d26e219eb1a1a937c3238f7ecdc7cdfc5383141d77ad9 | SHA256 | Malicious Python Script (clientv2.py) |
| 3bcbc498de18d91a1d05e428fa94e4145959fbd2 | SHA1 | Malicious Python Script (clientv2.py) |
| 14655930fab2319ff9cd5187a0caa242 | MD5 | Malicious Python Script (clientv2.py) |
| 5799ee35a334f839bb666a0136ca2615390d0b7fb6a14875bafbfab3414045e9 | SHA256 | Malicious Python Script (clientv2.py) |
| b2134b18e827402378da09a8dcd9da92509e8131 | SHA1 | Malicious Python Script (clientv2.py) |
| 1eee2293e51b01300c75b649715e472d | MD5 | Malicious Python Script (clientv2.py) |
| medusa-stealer[.]cc | Domain | Medusa C&C server domain |