botnet

AppWizard
March 8, 2025
Human Security's Satori research team has discovered a new variant of the Badbox malware, known as Badbox 2.0, which has infected nearly a million Android devices, forming a large botnet. This follows the initial outbreak in 2023, where around 74,000 devices were compromised. Badbox 2.0 targets devices running the Android Open Source Project (AOSP), including off-brand smartphones, internet-connected TV boxes, automotive tablets, and digital projectors. Over 200 applications infected with malware have been identified, primarily hosted on third-party app stores, often mimicking legitimate apps from Google’s Play Store. The operation is believed to involve collaboration among four distinct criminal factions, with all infected devices traced back to China. The botnet monetizes through hidden advertisements and ad-click fraud, while also having the capability to steal passwords from infected devices. Efforts by Human Security, Google, Trend Micro, and Shadowserver Foundation have reduced the number of infected devices by half. Many malware modules were labeled "test," indicating the botnet was still developing, and it is expected that the operators will attempt to revive their network using altered tactics. Additionally, a new variant of Mirai malware, named Eleven11bot, has emerged, compromising thousands of devices, particularly targeting HiSilicon-based hardware.
AppWizard
March 6, 2025
HUMAN's Satori Threat Intelligence and Research team has identified a cyberattack named "BADBOX 2.0," which has compromised over 1 million consumer devices globally through 24 malicious applications on the Google Play Store. The operation utilizes a backdoor called BB2DOOR for persistent access to infected devices, primarily distributed via pre-installed apps on low-cost Android devices and third-party marketplaces. Four threat actor groups—SalesTracker Group, MoYu Group, Lemon Group, and LongTV—collaborate in this operation, which supports fraudulent activities such as residential proxy services, programmatic ad fraud, and click fraud, generating up to 5 billion fraudulent bid requests weekly. Despite efforts by HUMAN and Google to disrupt BADBOX 2.0, the threat actors may continue their operations due to the resilience of their supply chain. Users are advised to download apps only from official marketplaces to reduce infection risks.
Winsage
March 4, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about a command injection vulnerability (CVE-2023-20118) affecting Cisco Small Business RV Series Routers, which are end-of-life. This vulnerability, rated 6.5 on the CVSSv3.1 scale, allows authenticated attackers to execute arbitrary commands with root privileges. The affected models include RV016, RV042, RV042G, RV082, RV320, and RV325, running firmware versions released before April 2023. Cisco will not provide patches for these devices. CISA mandates that federal agencies either implement mitigations or stop using the routers by March 24, 2025. Private organizations are also encouraged to address the issue, especially due to exploitation attempts linked to the PolarEdge botnet campaign. Administrators are advised to restrict administrative access, monitor logs for unusual activity, and consider decommissioning affected devices. The continued use of unpatched routers poses significant risks to critical infrastructure, particularly in small business and remote work environments.
AppWizard
September 25, 2024
Five years ago, a legitimate Android application on the Google Play Store was compromised, connecting 100 million devices to hacker-controlled servers due to malicious code introduced through a library for ad revenue generation. Recently, Kaspersky researchers discovered two new infected applications on the Google Play Store, downloaded 11 million times, linked to a rogue software development kit (SDK) used for ad integration. The malware, named Necro, utilized advanced techniques including steganography and established connections with command-and-control servers to harvest user data and download harmful code. The infected applications included Wuta Camera, which had 10 million downloads, and Max Browser, with 1 million downloads, both of which have since been removed or updated to eliminate the malicious components. Necro has also been found in various Android apps in alternative marketplaces, often disguised as modified versions of legitimate applications.
AppWizard
September 24, 2024
Altered versions of popular Android applications, including Spotify, WhatsApp, and Minecraft, have been identified as carriers of a new iteration of the malware loader, Necro. Kaspersky reported that these malicious apps were available on the Google Play Store, collectively achieving 11 million downloads. Notable examples include Wuta Camera, which has over 10 million downloads, and Max Browser, which has over 1 million downloads. Max Browser has been removed from the Play Store, while Wuta Camera has been updated to eliminate the malware. The compromised applications are suspected to have been affected by a rogue software development kit (SDK) used for advertising integration. Necro, first discovered in 2019 within the CamScanner app, employs advanced obfuscation techniques, including steganography, to evade detection. It can display ads, download and execute arbitrary files, and run a tunnel through the victim's device. Necro is primarily distributed through modified versions of popular applications found on unofficial websites. Upon installation, these apps initialize a module called Coral SDK, which communicates with a remote server to extract a malicious payload. The malware's capabilities are enhanced through additional modules downloaded from a command-and-control server. Kaspersky's telemetry data indicates that over ten thousand Necro attacks were thwarted globally between August 26 and September 15, 2024, with Russia, Brazil, and Vietnam being among the most affected regions. The new version of Necro is characterized as a multi-stage loader that uses steganography and modular architecture, allowing for flexible updates and new malicious features.
Winsage
September 5, 2024
A critical remote code execution (RCE) vulnerability, designated as CVE-2024-30078, has been identified in the Wi-Fi drivers of various Microsoft Windows versions, affecting over 1.6 billion active devices globally. This vulnerability is present in Windows 10, Windows 11, and several Windows Server versions, specifically within the Dot11Translate80211ToEthernetNdisPacket() function of the native Wi-Fi driver (nwifi.sys). It has been actively exploited in regions like the United States, China, and parts of Europe, posing risks to industries reliant on Wi-Fi networks and Windows infrastructure. The vulnerability allows attackers to send specially crafted network packets to gain unauthorized access without requiring advanced techniques or user interaction. The root cause is a flaw in the Link Layer Control (LLC) component of the network stack related to packet length management when using Virtual LAN (VLAN), leading to potential out-of-bounds reads and arbitrary code execution. Successful exploitation can result in malware installation, lateral movement within networks, botnet recruitment, and data exfiltration. Microsoft released a security patch in June 2024 to address this vulnerability. Recommended mitigation strategies include applying patches promptly, implementing WPA3, using strong passwords, segmenting networks, deploying intrusion detection and prevention systems, conducting regular security audits, educating users on cybersecurity best practices, and adopting a zero-trust security model.
AppWizard
September 2, 2024
Global Secure Layer (GSL) successfully mitigated a historic Distributed Denial of Service (DDoS) attack on a Minecraft gaming server that peaked at 3.15 billion packets per second (Gpps) on August 25, 2024. The attack had a bitrate of 849 Gbps and was the largest DDoS attack publicly recorded, surpassing previous records by 3.2 to 3.5 times. It was preceded by a smaller attack peaking at 1.7 Gpps, which likely served as reconnaissance for the larger assault. The attack originated from regions including Russia, Vietnam, and Korea, with significant traffic contributions from Korea Telecom and vulnerabilities in MAX-G866ac devices linked to CVE-2023-2231. GSL's mitigation strategies included reconfiguring targeted prefixes within 15 minutes and employing a heuristics anomaly detection engine, resulting in mitigation times of less than 100 milliseconds.
AppWizard
August 29, 2024
Global Secure Layer reported a DDoS attack on August 25 that reached 3.15 billion packets per second (PPS), targeting a Minecraft gaming customer. The attack originated from a botnet primarily based in Russia, with traffic from 17 other countries. This incident is the largest publicly reported packet rate attack, exceeding previous records by a factor of 3.2 to 3.5. The attack occurred in two phases, starting with a preliminary strike on August 24 that peaked at 1.7 Gbps, followed by a full-scale attack the next day. The attack lasted just over an hour, with the highest botnet activity recorded in Russia, Vietnam, and South Korea, which together accounted for 42.8% of the total traffic. A total of 42,209 sources were identified in the attack.