botnet (11)

10807500276?profile=RESIZE_400xPalo Alto Networks’ Unit 42 researchers have reported the emergence of a new Mirai botnet variant called MooBot.  This variant is looking for unpatched D-Link devices to create its army of DDoS (distributed denial of service) bots.  For compromising vulnerable D-Link routers, MooBot uses multiple exploits.

Re-Emergence of Notorious MooBot:  The MooBot botnet was first discovered by Qihoo 360’s Netlab in Sep 2019, whereas the most recent wave of attacks involving MooBot, before the one detected b

10673501259?profile=RESIZE_400xFor the past month, a crimeware (crypto-mining) group infamously known as the 8220 Gang has expanded their botnet to roughly 30,000 global hosts.  This through the use of Linux and common cloud application vulnerabilities and poorly secured configurations.  In a recent campaign, the group was observed making use of a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script. 

Link to full report, with IOCs: IR-22-208-001_8220Gang.pdf

[1] https://www.sentinelon

9546806300?profile=RESIZE_400xValyria malware is a trojan distributed by phishing email attacks seemingly targeting business emails, commonly using the words “Invoice,” “Order,” or “Report” in the subject line. 

Among these emails, there is a strong resurgence of tactics, techniques, and procedures (TTP’s) previously known to be employed by the Gorgon Group with the MasterMana Botnet.

Link to full technical report: TIR-21-224-001_Val.pdf

8820016295?profile=RESIZE_400xPurple Fox is the name of a malware downloader, a malicious program that proliferates other programs of this type.  This malware is used to infect systems with cryptocurrency mining programs.  Purple Fox can cause serious damage and must be uninstalled immediately.  An example of malware that could be installed through Purple Fox is ransomware.  These programs encrypt files and prevent victims from accessing them unless ransoms are paid or confidential information is disclosed and offered for sa

8508398465?profile=RESIZE_400xIn late January, a new botnet campaign was discovered targeting unpatched software running on Linux devices with recent code execution CVEs.  Once a device is compromised, the bot downloads and executes a malicious Python script that joins the compromised device to the botnet.  The botnet is controlled by attackers using Internet Relay Chat (IRC) and enables the attackers to perform DDoS attacks and run crypto miner software on infected devices.  Updates are available to patch all CVEs exploited


The IoTReaper, a.k.a. IoTroop, botnet was discovered in 2017, and remains a significant threat to the cyber domain. Check Point Research completed a thorough investigation of the malware when it was discovered in 2017, but researchers have still seen no sign that the botnet has been activated to conduct a significant DDoS attack, similar to that seen against Dyn in 2016. In 2016, a DDos coming from the Mirai botnet triggered a shutdown of services across the country and analysts believe


Mirai is a self-propagating malware that infects networked devices and turns them into remotely controlled bots.  Targets include devices in the Internet of Things (IoT) such as IP cameras and home routers and access is achieved with either software exploits or via authentication with factory default credentials. Mirai is frequently updated to include new exploits making it difficult to mitigate.

This report provides cluster trending on infrastructure over the past several weeks from this repor

Summary Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by the targeting of Windows systems using WMI as a file-less persistence mechanism. As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview
On 13 February 2019, Bank of Valletta (BOV) employees discovered the hackers' intrusion and temporarily shut down all BOV IT systems. Wapack Labs analysis shows a continued heightened risk for BOV - primarily due exposed plain text employees’ passwords, signs of botnet connections from the BOV networks, incoming malicious emails, to inherent industry targeting, and a shared IT infrastructure with a French shipping company
ProxyLTE, a supplier of US based mobile and home router proxies, has been identified as one component in a large-scale fraud, targeting a Wapack Labs’ client. was created in late 2017, however associated malware was first observed in 2013. This report includes details on ProxyLTE malware and associated infrastructure.

2019 Cyber Security Threat and Vulnerability Predictions

This report outlines our predictions regarding cyber threats and vulnerabilities for 2019.  We base those on the trends Wapack Labs were observing during 2018.  The main topics are artificial intelligence, IoT and mobile, cryptocurrency cybercrime, APT activity, and eCommerce targeting.

  1. Smarter Computing: Swarm, AI and Quantum

Quantum Computing

IBM-Q allows access to its quantum computer for research and testing. Quantum computing will revolut