botnet

AppWizard
September 25, 2024
Five years ago, a legitimate Android application on the Google Play Store was compromised, connecting 100 million devices to hacker-controlled servers due to malicious code introduced through a library for ad revenue generation. Recently, Kaspersky researchers discovered two new infected applications on the Google Play Store, downloaded 11 million times, linked to a rogue software development kit (SDK) used for ad integration. The malware, named Necro, utilized advanced techniques including steganography and established connections with command-and-control servers to harvest user data and download harmful code. The infected applications included Wuta Camera, which had 10 million downloads, and Max Browser, with 1 million downloads, both of which have since been removed or updated to eliminate the malicious components. Necro has also been found in various Android apps in alternative marketplaces, often disguised as modified versions of legitimate applications.
AppWizard
September 24, 2024
Altered versions of popular Android applications, including Spotify, WhatsApp, and Minecraft, have been identified as carriers of a new iteration of the malware loader, Necro. Kaspersky reported that these malicious apps were available on the Google Play Store, collectively achieving 11 million downloads. Notable examples include Wuta Camera, which has over 10 million downloads, and Max Browser, which has over 1 million downloads. Max Browser has been removed from the Play Store, while Wuta Camera has been updated to eliminate the malware. The compromised applications are suspected to have been affected by a rogue software development kit (SDK) used for advertising integration. Necro, first discovered in 2019 within the CamScanner app, employs advanced obfuscation techniques, including steganography, to evade detection. It can display ads, download and execute arbitrary files, and run a tunnel through the victim's device. Necro is primarily distributed through modified versions of popular applications found on unofficial websites. Upon installation, these apps initialize a module called Coral SDK, which communicates with a remote server to extract a malicious payload. The malware's capabilities are enhanced through additional modules downloaded from a command-and-control server. Kaspersky's telemetry data indicates that over ten thousand Necro attacks were thwarted globally between August 26 and September 15, 2024, with Russia, Brazil, and Vietnam being among the most affected regions. The new version of Necro is characterized as a multi-stage loader that uses steganography and modular architecture, allowing for flexible updates and new malicious features.
Winsage
September 5, 2024
A critical remote code execution (RCE) vulnerability, designated as CVE-2024-30078, has been identified in the Wi-Fi drivers of various Microsoft Windows versions, affecting over 1.6 billion active devices globally. This vulnerability is present in Windows 10, Windows 11, and several Windows Server versions, specifically within the Dot11Translate80211ToEthernetNdisPacket() function of the native Wi-Fi driver (nwifi.sys). It has been actively exploited in regions like the United States, China, and parts of Europe, posing risks to industries reliant on Wi-Fi networks and Windows infrastructure. The vulnerability allows attackers to send specially crafted network packets to gain unauthorized access without requiring advanced techniques or user interaction. The root cause is a flaw in the Link Layer Control (LLC) component of the network stack related to packet length management when using Virtual LAN (VLAN), leading to potential out-of-bounds reads and arbitrary code execution. Successful exploitation can result in malware installation, lateral movement within networks, botnet recruitment, and data exfiltration. Microsoft released a security patch in June 2024 to address this vulnerability. Recommended mitigation strategies include timely patch application, implementing WPA3, using strong passwords, network segmentation, deploying intrusion detection and prevention systems, conducting regular security audits, user education on cybersecurity best practices, and adopting a zero-trust security model.
AppWizard
September 2, 2024
Global Secure Layer (GSL) successfully mitigated a historic Distributed Denial of Service (DDoS) attack on a Minecraft gaming server that peaked at 3.15 billion packets per second (Gpps) on August 25, 2024. The attack had a bitrate of 849 Gbps and was the largest DDoS attack publicly recorded, surpassing previous records by a factor of 3.2 to 3.5. It was preceded by a smaller attack peaking at 1.7 Gpps, which likely served as reconnaissance for the larger assault. The attack originated from regions including Russia, Vietnam, and Korea, with significant traffic contributions from Korea Telecom and from vulnerable MAX-G866ac devices linked to CVE-2023-2231. GSL's mitigation strategies included reconfiguring the targeted prefixes within 15 minutes and employing a heuristic anomaly-detection engine, resulting in mitigation times of less than 100 milliseconds.
AppWizard
August 29, 2024
Global Secure Layer reported a DDoS attack on August 25 that reached 3.15 billion packets per second (PPS), targeting a Minecraft gaming customer. The attack originated from a botnet primarily based in Russia, with traffic from 17 other countries. This incident is the largest publicly reported packet-rate attack, exceeding previous records by a factor of 3.2 to 3.5. The attack occurred in two phases, starting with a preliminary strike on August 24 that peaked at 1.7 Gbps, followed by a full-scale attack the next day. The attack lasted just over an hour, with the highest botnet activity recorded in Russia, Vietnam, and South Korea, which together accounted for 42.8% of the total traffic. A total of 42,209 sources were identified in the attack.