Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

Yart7
active

First seen in Guardicore Centra: 2020-09-02
Last seen in Guardicore Centra: 2020-09-22

Yart7 is a DDoS campaign targeting SSH servers. The botnet spreads by brute-forcing SSH servers. After a successful login, the attacker connects to the C&C server and downloads a malicious payload named 7rtya, one which suits the victim machine’s architecture. Once the malware is executed, the compromised machine starts sending DDoS packets to tens of thousands of IP addresses over the Telnet protocol (TCP port 23). Since the beginning of this campaign in early September 2020, only three source IPs have been seen, two of which are based in Austria. We named the campaign Yart7, which is an anagram of the malware filename.



Indicators of Compromise

Attack Flow

Breached Services

SSH

Tags

Download and Allow Execution

HTTP

Successful SSH Login

1 Shell Commands

Download Operation

Listening

Download File

Outgoing Connection

SSH Brute Force

Download and Execute

SSH

Incident Summary

A user logged in using SSH with the following credentials: root / **** – Authentication policy: White List (Part of a Brute Force Attempt) [Successful SSH Login]

SSH Brute Force

A possibly malicious Download Operation was detected 2 times [Download Operation]
Process /bin/bash generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
/tmp/uDvrLib.sh was downloaded [Download File]
Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
The file /tmp/7rtya.x86 was downloaded and granted execution privileges
The file /tmp/95bS was downloaded and granted execution privileges 2 times
The file /tmp/95bS was downloaded and executed 4 times [Download and Execute]
Process /tmp/95bS started listening on ports: 38273 [Listening]
Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
The file /tmp/7rtya.mips was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 2 times [Outgoing Connection]
The file /tmp/7rtya.mips64 was downloaded and granted execution privileges [Download and Allow Execution]
The file /tmp/7rtya.mpsl was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
The file /tmp/7rtya.arm was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 2 times [Outgoing Connection]
The file /tmp/7rtya.arm5 was downloaded and granted execution privileges [Download and Allow Execution]
The file /tmp/7rtya.arm6 was downloaded and granted execution privileges [Download and Allow Execution]
The file /tmp/95bS was downloaded and granted execution privileges
Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 4 times [Outgoing Connection]
The file /tmp/7rtya.arm7 was downloaded and granted execution privileges
The file /tmp/7rtya.ppc was downloaded and granted execution privileges
/tmp/7rtya.m68k was downloaded [Download File]
The file /tmp/95bS was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/local/bin/dash generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
/tmp/7rtya.sh4 was downloaded [Download File]
The file /tmp/7rtya.spc was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/bin/wget generated outgoing network traffic to: 45.145.185.94:80 [Outgoing Connection]
The file /tmp/7rtya.arc was downloaded and granted execution privileges
Connection was closed due to timeout