Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

B3astMode
active

First seen in Guardicore Centra: 2020-08-06
Last seen in Guardicore Centra: 2020-08-11
B3astMode is a Mirai-based DDoS botnet targeting SSH servers, Huawei HG532 routers and IoT devices. In this campaign, the attacker breaks into SSH servers by brute-forcing credentials. On success, the attacker connects to the C&C server and downloads a malicious payload named B3astMode, built for the victim’s architecture.
To expand the botnet, the malware also attempts to exploit two Remote Code Execution (RCE) vulnerabilities:

By breaching these devices, the attacker increases the volume of its TCP and UDP flood attacks. At the time of writing, nearly 200k devices were potential victims of this campaign.


Indicators of Compromise

Attack Flow

Breached Services

SSH

Tags

HTTP
SSH
Outgoing Connection
Access Suspicious Domain
Successful SSH Login
Download Operation
Download File

Incident Summary

Successful SSH Login: A user logged in using SSH with the following credentials: root / **** (Authentication policy: White List)
Download Operation: A possibly malicious Download Operation was detected
Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 45.95.168.201:80
Outgoing Connection / Access Suspicious Domain: Process /usr/bin/wget attempted to access a suspicious domain: trophygaming.net
Download File: /root/b3astmode.x86 was downloaded
Connection was closed due to timeout
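The chain in the campaign description and in the incident summary above (successful root SSH login, then wget reaching the C&C IP and domain, then the per-architecture payload written to /root) is the sort of sequence a host-side detector can correlate. The script below is an added example, not Guardicore Centra's detection logic and not part of this encyclopedia entry. It takes the IP, domain and file name from the incident summary as indicators; the event line format, the host names, the sample events, the inclusion of curl as a downloader, the architecture-suffix pattern and the 10-minute attribution window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the incident summary on this page.
IOC_IPS = {"45.95.168.201"}
IOC_DOMAINS = {"trophygaming.net"}
# The page shows the x86 build (/root/b3astmode.x86); the suffix pattern is an
# assumption meant to cover the per-architecture naming the entry describes.
PAYLOAD_RE = re.compile(r"/b3astmode\.[a-z0-9_]+$")
# wget is the downloader seen on the page; curl is an added assumption.
DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl"}
# Assumption: a download stage within this window of a root SSH login is
# attributed to that login.
WINDOW = timedelta(minutes=10)

# Assumed event format (constructed for this example, not Centra's format):
#   <ISO timestamp> <host> <source>: <message>
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
SSH_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
CONNECT_RE = re.compile(r"^(\S+) connect (\d+\.\d+\.\d+\.\d+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) dns (\S+)$")
FILE_RE = re.compile(r"^(\S+) created by (\S+)$")

# Constructed sample events: one full chain, one benign wget, one lone root
# login, and one IOC hit too long after its root login to be attributed.
SAMPLE_EVENTS = """\
2020-08-06T09:00:00 cache-4 sshd: Accepted publickey for root from 10.0.0.9 port 41000 ssh2
2020-08-06T09:30:00 cache-4 proc: /usr/bin/wget connect 45.95.168.201:80
2020-08-06T10:02:11 honeypot-1 sshd: Accepted password for root from 198.51.100.23 port 51234 ssh2
2020-08-06T10:02:14 honeypot-1 proc: /usr/bin/wget dns trophygaming.net
2020-08-06T10:02:14 honeypot-1 proc: /usr/bin/wget connect 45.95.168.201:80
2020-08-06T10:02:16 honeypot-1 file: /root/b3astmode.x86 created by /usr/bin/wget
2020-08-06T11:00:00 build-2 sshd: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
2020-08-06T11:00:05 build-2 proc: /usr/bin/wget connect 10.0.0.20:443
2020-08-06T12:30:00 admin-3 sshd: Accepted publickey for root from 10.0.0.9 port 41000 ssh2
""".splitlines()


def parse(line):
    """Split one event line into (timestamp, host, source, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, src, msg = m.groups()
    return datetime.fromisoformat(ts), host, src, msg


def ioc_hit(src, msg):
    """Describe an IOC stage (downloader to C&C IP, IOC domain lookup, payload
    written) found in one event, or return None for a benign event."""
    if src == "proc":
        m = CONNECT_RE.match(msg)
        if m and m.group(1) in DOWNLOADERS and m.group(2) in IOC_IPS:
            return f"{m.group(1)} connected to IOC {m.group(2)}:{m.group(3)}"
        m = DNS_RE.match(msg)
        if m and m.group(2) in IOC_DOMAINS:
            return f"{m.group(1)} resolved IOC domain {m.group(2)}"
    elif src == "file":
        m = FILE_RE.match(msg)
        if m and PAYLOAD_RE.search(m.group(1)):
            return f"payload written: {m.group(1)} by {m.group(2)}"
    return None


def detect(lines):
    """Return {host: [stage, ...]} for hosts with at least one IOC stage.

    A root SSH login on its own is not reported; it is prepended to the host's
    stages only when the first IOC stage follows it within WINDOW, which is
    what separates the brute-force-then-download chain from an IOC hit with
    no visible initial access.
    """
    last_root_login = {}  # host -> (time, description)
    findings = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, src, msg = parsed
        if src == "sshd":
            m = SSH_RE.search(msg)
            if m and m.group(2) == "root":
                last_root_login[host] = (ts, f"root login via {m.group(1)} from {m.group(3)}")
            continue
        hit = ioc_hit(src, msg)
        if hit is None:
            continue
        login = last_root_login.get(host)
        if login is not None and not findings[host] and ts - login[0] <= WINDOW:
            findings[host].append(login[1])
        findings[host].append(hit)
    return dict(findings)


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(host)
        for stage in stages:
            print("  -", stage)
```

Running it reports honeypot-1 with all four stages and cache-4 with only the C&C connection (its root login was half an hour earlier, outside the window), while build-2's ordinary wget and admin-3's lone root login produce nothing. In practice the indicator sets would be fed from the campaign's current IOCs rather than hard-coded, and the payload pattern should be kept broad, since the entry states the binary is served per architecture.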