Delaware, USA – April 1, 2019 – Even though researchers have documented a significant decline in the popularity of DDoS attacks, which is also caused by recent lawsuits over botnet operators and ‘stresser’ services, the adversaries continue to improve DDoS’er malware threats. A recently published article by the MalwareMustDie team reviews ELF malware that is known since 2014 and regularly receives updates from its authors. The malware is developed to attack Linux x86_32 devices to achieve persistence and drop Elknot trojan for DDoS attacks. In addition to significant changes in the code of the installer, adversaries started to use the new command and control scheme, which abuses low-protected Windows servers. After the device is compromised, the ELF malware sends to its command and control server system info grabbed from the infected device along with the hard-coded identifier. Now, any communication with C&C is encrypted, and the malware contains a module for installing updates downloaded from the C&C server. Analysis of DDoS’er malware and C&C tool indicates that their creators are Chinese-speaking hackers who know their business well.
After a significant surge of DDoS attacks abusing the Memcached protocol in March last year, the number of such attacks is on the wane, but similar botnets still pose a real threat to organizations. In order to detect signs of infection of devices in your organization, you can use the Netflow Security Monitor rule pack that enables monitoring of data flows and notifies SIEM administrator of any suspicious deviations: https://my.socprime.com/en/integrations/netflow-security-monitor-arcsight