Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign

Avatar
A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DoD) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet. “This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a

A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DoD) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet.

“This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks,” Assaf Morag, director of threat intelligence at cloud security firm Aqua, said.

There is evidence to suggest that the operation is the work of a lone wolf actor, a script kiddie of Russian origin. The attacks have primarily targeted IP addresses located in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the U.S.

The absence of Ukraine in the victimology footprint indicates that the attackers are purely driven by financial motivations, the cloud security firm said.

The attack chains are characterized by the exploitation of known security flaws as well as default or weak credentials to obtain access to a broad spectrum of internet-connected devices such as IP cameras, DVRs, routers, and telecom equipment.

The threat actor has also been observed leveraging misconfigured Telnet, SSH, and Hadoop servers, with a particular focus on targeting IP address ranges associated with cloud service providers (CSPs) like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.

The malicious activity further relies on a wide array of publicly available scripts and tools available on GitHub, ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.

This includes PYbot, pynet, DiscordGo, Homo Network, a JavaScript program that implements an HTTP/HTTPS flood attack, and a tool that can disable the Microsoft Defender Antivirus app on Windows machines.

Matrix has also been found to use a GitHub account of their own that they opened in November 2023 to stage some of the DDoS artifacts used in the campaign.

It’s also believed that the whole offering is advertised as a DDoS-for-hire service via a Telegram bot named “Kraken Autobuy” that allows customers to choose from different tiers in exchange for a cryptocurrency payment to conduct the attacks.

“This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute a broad, multi-faceted attack on numerous vulnerabilities and misconfigurations in network-connected devices,” Morag said.

“The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one.”

The disclosure comes as NSFOCUS sheds light on an evasive botnet family dubbed XorBot that has been primarily targeting Intelbras cameras and routers from NETGEAR, TP-Link, and D-Link since November 2023.

“As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services,” the cybersecurity company said, adding the botnet is advertised under the moniker Masjesu.

“At the same time, by adopting advanced technical means such as inserting redundant code and obfuscating sample signatures, they have improved the defensive capabilities at the file level, making their attack behavior more difficult to monitor and identify.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

British hospital group declares ‘major incident’ following cyberattack

Next Post

INTERPOL Busts African Cybercrime: 1,006 Arrests, 134,089 Malicious Networks Dismantled

Related Posts

390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that
Avatar
Read More

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining
Avatar
Read More

LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages

A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024. Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a
Avatar
Read More