Neutrino Botnet Seizes Web Shells of Other Hackers

Positive Technologies experts said that Neutrino’s operators changed their tactics and for more than a year Neutrino botnet seizes web shells of other hackers and infecting not ordinary users, but servers.

Analysts write that the next round of development of the malware began in 2018. If earlier this malware was spreading through email attachments and exploit kits, now it has tried the role of a botnet that scans the network, searches for various web applications and servers, brute-force administrative panels, searches for shells and exploits vulnerabilities.

Apparently, all this is done for the sake of mining cryptocurrency on infected servers.

“The Neutrino botnet has a clear organizational structure: while some infected hosts are used for cryptocurrency mining and scanning the Internet, others serve as proxies”, – Positive Technologies experts say.

Neutrino uses a variety of methods to hack servers, from exploits for old and new vulnerabilities, to discover phpMyAdmin servers left without a password, and brute-forcing of root-account of phpMyAdmin, Tomcat and MS-SQL.

However, in the behavior of the updated Neutrino, one could notice very strange things that were not typical for ordinary botnets. For example, the search for open Ethereum nodes that in June 2018 allowed attackers to steal $ 20 million.

Neutrino also not only deals with brute force and exploitation of various bugs, but also devotes a lot of time to hacking web shells. The list included 159 addresses with unique parameters (PHP and JSP-shells), and the malware tried to execute simple commands and, in fact, brute-force the “competitors” shells.

Experts summarize that currently Neutrino is one of the three leaders in the number of attacks on company’s hanipots. These are bruteforce admin panels, brute force shell exploitation and exploitation of vulnerabilities.

By scanning more than ten vulnerabilities and competitor shells, Neutrino already consists of tens of thousands of bots. And most of them are Windows systems with phpStudy, which he uses to mine Monero cryptocurrencies. Malware’s code is regularly updated with checks for new exploits.

Read also: Cybercriminals carry out a coordinated ransomware attack on Texas municipal authorities

For example, on the same day that a fresh exploit for ThinkPHP was published, researchers discovered a new version of Neutrino.

Despite this, we can say that Neutrino behaves cautiously: it executes code from memory, uses a multistage shell check before executing the code, and also hosts control servers on the infected servers themselves. In fact, it is possible to detect its presence only by specific network requests. So Neutrino Botnet seizes web shells.