Security Weekly 34: Bots for GTA fans, Malicious Add-On For Chrome With Yandex Technologies
Recently, a new IoT botnet was discovered. It was created, apparently, by a big fan of GTA: the command server is hosted in the domain of fan multiplayer mods for GTA San Andreas. In addition to hosting the self-serving servers of San Andreas, the site can be ordered DDoS-attack for a moderate fee (from $ 20). The new JenX botnet was called, due to a working binary file with a gentle girl’s name Jennifer.
Breeder JenX did not reinvent the wheel, rather, on the contrary, scraped on the user. For the recruitment of new bots, malware exploits vulnerabilities in Realtek and Huawei routers (the code for the corresponding exploits was published by the author of the infamous BrickerBot in free access). In addition, JenX uses code obfuscation via the XOR logical function with the same key as PureMasuta – the source code for this malware was not accessed, but it was published on a dark forum with invitation-only access. In addition, reverse-engineering also revealed continuity with Mirai.
- However, unlike the aforementioned analogs, JenX’s combat load does not have a code for scanning the network and exploiting the vulnerabilities. All vulnerable devices are looking for a server, and it also performs RCE attacks.
On the one hand, this does not allow the botnet to grow exponentially, as most others grow. On the other hand, removing scan functions and exploits from a distributed malware, hackers can make these functions themselves more sophisticated, and also partially or fully automate them using higher-level languages and a library system. Plus, centralized command servers produce less “noise” than exponential spread; such a botnet is more difficult to detect. And if somebody raises the noise (like now) and the shop has to be temporarily covered up, then the centralized servers are easier to transfer and hide.
- The owners of the botnet are trying to earn primarily on the dissatisfied users of multiplayer mods, whose hands are itching to order a DDoS attack on the server, where they were offended (for example, banned). At least, such attacks on fan servers, in which players are suspected by JenX, have already been noticed. Such is the “gang wars”.
But the botnet can be redirected equally well to something else, more profitable. The power of garbage traffic is not just that grandiose – only 290 Gb/s. But for a server, a small company will be enough with a vengeance, and for twenty dollars, why not engage in amateur cyberterrorism?
Shock! Extensions for Chrome monitor every step of users … using Yandex technologies
You do not have to be a system analyst to understand: if quite respectable web analytics tools for recording a user’s session record absolutely every click that a user makes on the site, and send this data to completely legitimate servers for a perfectly respectable purpose (for example, marketing analysis), in this radiant chain, sooner or later somebody will not be so white and fluffy. And legitimate tools for collecting statistics will begin to be used for evil.
- This is exactly what happened with the service “Yandex.Metrica”, one of the libraries of which the attackers used in malicious add-ons for Google Chrome. The Yandex tool does not save the entered passwords, but as you know, the light did not come together with them: all the same, when recording a session, you can get a lot of interesting information, for example, all the data of the user’s credit card. You just have to wait until he goes to the website of the online store.
As the researchers found, the add-ons were distributed centrally. The hacker group that did this was called Droidclub, by the name of one of the command servers. It is not known whether the attackers sold stolen information about user actions, but they were unlikely to just play with users in “I know what you did last summer”. The commercial vein of these cybercriminals is exactly – they used the same extensions to display advertisements, and the earlier add-ons of the group were surreptitiously installed by Monero miners.
In total, IB researchers found 89 variants of such add-ons, literally for every taste. The names and descriptions of the extensions were generated randomly – and the more surprisingly, they were downloaded and installed a total of 423,000 times, while the Google team deleted them so quickly that many did not last a day. No, “fresh smell for laundry”, of course, it’s a good thing, but to use as a deodorant addition to the browser – it’s something from a late cyberpunk.