A crypto mining botnet operation, going for almost a year, is hijacking web shells of other hackers, according to report from Positive Technologies. Researchers have linked the source of the dangerous botnet to Neutrino gang.
Back in 2017, Neutrino (aka Kasidet) was a dangerous trojan that launched DDoS attacks, recorded keystrokes and installed malware on desktops. However, the people behind Neutrino went off the radar for a long time.
However, it appears like the group is back. And this time, its target seems to be other malware botnet’s infected hosts. According to the researchers at Positive Technologies, Neutrino has been searching the web for different types of PHP web shells to hijack.
Web shells are malicious scripts that hackers plant in web applications that they have already compromised. The purpose is to maintain persistent access to enable malicious tasks remotely.
According to the report, the Neutrino botnet complies a list of web shells and launches brute force attacks to gain access. The process includes attempts to guess the web shells’ login credentials and then hijacking the shells and their underlying servers. The operation started in early 2018 when the hackers began searching for random IP addresses, particularly for locating web apps and servers to infect.
Researchers write that the botnet has been successful in targeting Windows servers running phpStudy(a learning environment popular among Chinese developers). Other than that, researchers also spotted usual botnet activities such as exploiting vulnerabilities, brute forcing into root accounts for phpMyAdmin, Tomcat, and MS-SQL systems.