UwUsh
recently active

Uwush (or “Stokers”) is a Mirai-like botnet. The initial breach is done over SSH, then a bash script named “UwUsh” is downloaded and executed. The script downloads UPX-packed malware named “Stokers” built for different architectures and executes them all – hoping that one will successfully catch. The malware has various capabilities, the most prominent of which is – how not – DDoS over UDP, HTTP and TCP’s different packet types. The bot supports the two commands “KILLDROPPERS” and “KILLBINS” to eliminate competitors (or perhaps older versions of the malware). The malware names seen in Stokers’ strings are Ayedz, DEMONS, Execution, Fierce, Josho, Okami, Owari, Tsunami, apep, chiemi, fortnite, gemini, hoho, kowa, kratos, miori, mips.yakuza, mirai, miraint, shiro, sora, yakuza, and z3hir. Each one in the list has builds for various architectures, as typical for Mirai-like botnets. At the time of writing, all incidents downloaded the Uwush script from a machine with the prefix 89.42.133.0/24.