Delaware, USA – May 25, 2018 – Adversaries use the Brain Food botnet primarily in spam campaigns that lead users to sites with fictitious diets or intelligence-boosting pills. The first campaigns of this botnet were discovered back in March 2017, but due to their “harmlessness,” Brain Food did not attract particular attention. Recently, researchers from Proofpoint studied this botnet and published a report that includes indicators of compromise. Brain Food is a PHP script that hackers install on a compromised website. Each website can contain multiple copies of the script, which serves as a backdoor allowing adversaries to execute code remotely, but they mostly use it to redirect users to fake pages on other compromised sites. The PHP script is polymorphic, and it can avoid automatic indexing by search engines. The botnet is a serious threat to infected websites because attackers can execute any malicious code at any time via the PHP backdoor.
The researchers found more than 5,000 compromised sites included in this botnet, and almost half of them were involved in spam campaigns during the last week. It is not known how attackers gain access to the websites or which vulnerabilities they exploit, as the hacked sites use different content management systems. This botnet was created by highly skilled hackers who can use the compromised sites for more ominous purposes. You can monitor the security of your websites with ArcSight and Web Application Security Framework, which helps detect breach attempts and web application misuse.