On Saturday, July 6, Canonical's GitHub account, the developer of the popular Linux Ubuntu distribution,…
Apparently, all this is done for the sake of mining cryptocurrency on infected servers.
“The Neutrino botnet has a clear organizational structure: while some infected hosts are used for cryptocurrency mining and scanning the Internet, others serve as proxies”, – Positive Technologies experts say.
Neutrino uses a variety of methods to hack servers, from exploits for old and new vulnerabilities, to discover phpMyAdmin servers left without a password, and brute-forcing of root-account of phpMyAdmin, Tomcat and MS-SQL.
However, in the behavior of the updated Neutrino, one could notice very strange things that were not typical for ordinary botnets. For example, the search for open Ethereum nodes that in June 2018 allowed attackers to steal $ 20 million.
Neutrino also not only deals with brute force and exploitation of various bugs, but also devotes a lot of time to hacking web shells. The list included 159 addresses with unique parameters (PHP and JSP-shells), and the malware tried to execute simple commands and, in fact, brute-force the “competitors” shells.
Experts summarize that currently Neutrino is one of the three leaders in the number of attacks on company’s hanipots. These are bruteforce admin panels, brute force shell exploitation and exploitation of vulnerabilities.
By scanning more than ten vulnerabilities and competitor shells, Neutrino already consists of tens of thousands of bots. And most of them are Windows systems with phpStudy, which he uses to mine Monero cryptocurrencies. Malware’s code is regularly updated with checks for new exploits.
Read also: Cybercriminals carry out a coordinated ransomware attack on Texas municipal authorities
For example, on the same day that a fresh exploit for ThinkPHP was published, researchers discovered a new version of Neutrino.
Despite this, we can say that Neutrino behaves cautiously: it executes code from memory, uses a multistage shell check before executing the code, and also hosts control servers on the infected servers themselves. In fact, it is possible to detect its presence only by specific network requests. So Neutrino Botnet seizes web shells.
Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…
Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…
Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…
Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…
News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…
Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…