Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

UwUsh
recently active

First seen in Guardicore Centra

2019-12-20

Last seen in Guardicore Centra

2020-07-12

Uwush (or “Stokers”) is a Mirai-like botnet. The initial breach is done over SSH, then a bash script named “UwUsh” is downloaded and executed. The script downloads UPX-packed malware named “Stokers” built for different architectures and executes them all – hoping that one will successfully catch. The malware has various capabilities, the most prominent of which is – how not – DDoS over UDP, HTTP and TCP’s different packet types. The bot supports the two commands “KILLDROPPERS” and “KILLBINS” to eliminate competitors (or perhaps older versions of the malware). The malware names seen in Stokers’ strings are Ayedz, DEMONS, Execution, Fierce, Josho, Okami, Owari, Tsunami, apep, chiemi, fortnite, gemini, hoho, kowa, kratos, miori, mips.yakuza, mirai, miraint, shiro, sora, yakuza, and z3hir. Each one in the list has builds for various architectures, as typical for Mirai-like botnets. At the time of writing, all incidents downloaded the Uwush script from a machine with the prefix 89.42.133.0/24.

Customized Firewall Rules for Your Attack Surface

Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.

Attack Flow

Breached Services

SSH

Tags

1 Shell Commands

SSH

Download File

Successful SSH Login

Download Operation

HTTP

Download and Execute

Outgoing Connection

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation

Process /bin/bash generated outgoing network traffic to: 157.245.123.134:80 4 times

Outgoing Connection

The file /tmp/UwUsh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 157.245.123.134:80 2 times

Outgoing Connection

The file /tmp/UwUStokersUwU was downloaded and granted execution privileges

The file /tmp/UwUStokersUwU was downloaded and granted execution privileges

The file /tmp/UwUStokersUwU was downloaded and executed

Download and Execute

Connection was closed due to user inactivity