Most active botnets in Kazakhstan

The details are here: http://www.kz-cert.kz/page/596

Today attackers use a variety of attack methods that let them obtain information by bypassing corporate or national network defences. Using numerous botnets, the attackers carry out:

  • unsolicited mail (spam) distribution;
  • phishing;
  • cyber extortion;
  • theft of private data.

A botnet is a network of computers infected by malware that gives attackers remote control of the victims’ computers without their knowledge or consent. The tasks botnets are able to perform vary widely: from the classical and fairly innocuous harvesting of e-mail addresses for subsequent spam distribution to the theft of bank account information and commercial espionage.

In Kazakhstan, botnets have lately been used to execute DDoS attacks targeting large internet resources. The four most active botnets attacking Kazakhstan’s internet resources are listed below, followed by a brief description of each:

  • H-worm
  • AAEH
  • Andromeda
  • njRAT

Andromeda botnet

The Andromeda botnet, taking fourth position in our rating, is also known as Win32/Gamarue. It is frequently used to distribute malware, with different options depending on the command sent by the command and control (C&C) server. It is developed on the Microsoft .NET platform.

A system infected by the Andromeda botnet may be used to distribute malware, and to download and execute various files on the victim’s computer, with update and delete features where necessary.

njRAT botnet

The njRAT botnet, taking third position in our rating, is also known as Bladabindi. It is a remote access tool developed on the .NET platform that gives attackers full control over the infected system and offers them a variety of remote control features. njRAT uses dynamic DNS for its control servers and exchanges data using a custom TCP protocol over a configurable port.

njRAT allows the attacker to perform the following activities remotely on the infected system:

  • changes to the file system;
  • download and deletion of files;
  • access to web cameras;
  • access to the microphone;
  • obtaining user credentials for some applications.

AAEH botnet

The AAEH botnet is also known as W32/Worm-AAEH, VObfus, VBObfus and Beebone. It frequently propagates through networks, via removable media (USB / CD / DVD) and inside ZIP and RAR archives. This botnet eases the download of other malware, including the password-stealing software Zbot, Necurs and ZeroAccess.

A system infected by the AAEH botnet may be used to distribute malware, to collect users’ credentials for online services including banking, and to deploy ransomware that encrypts the victim’s data so that money can then be extorted for its recovery. AAEH is able to bypass antivirus solutions by blocking connections to IP addresses used by internet security companies and by preventing antivirus tools from launching on infected machines.

H-worm botnet

And finally, first place goes to H-worm, implemented as a Visual Basic script derived from njRAT’s original source code. H-worm gives the attackers a control engine similar to njRAT’s. Like njRAT, H-worm uses dynamic DNS for its C&C servers, but unlike njRAT it uses HTTP POST requests and the User-Agent header field to exfiltrate private information from the infected machine.
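As an added example that is not part of the original article, the heuristic below runs over constructed proxy log lines and flags the two traits the article attributes to njRAT and H-worm: C&C hosts under dynamic-DNS domains, and HTTP POST requests whose User-Agent field does not look like a browser’s. The log format, the dynamic-DNS suffix list and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed proxy log lines (not from the article): timestamp, client, method,
# host, path, quoted User-Agent. Lines 2 and 4 imitate the H-worm/njRAT traits.
SAMPLE_LOG = """\
2014-03-01T10:00:01 10.0.0.5 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
2014-03-01T10:00:07 10.0.0.5 POST host12.no-ip.org /x "PC01|jdoe|WIN7|1.0"
2014-03-01T10:00:09 10.0.0.7 POST api.example.com /login "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
2014-03-01T10:00:12 10.0.0.9 POST box.duckdns.org /cmd "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
"""
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Assumed dynamic-DNS provider suffixes; extend the list from your own telemetry.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "duckdns.org", "ddns.net", "dyndns.org")
# Heuristic: real browsers announce themselves as "Mozilla/x.y (...)".
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(")


def is_dyndns(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def ua_suspicious(ua: str) -> bool:
    # Non-browser shape, oversized, or fields glued with separators no browser
    # emits: the signs of host data smuggled out inside the header.
    return not BROWSER_UA.match(ua) or len(ua) > 512 or "|" in ua


def classify(method: str, host: str, ua: str) -> Tuple[str, ...]:
    """Return the reasons a request is suspect; an empty tuple means none."""
    if method.upper() != "POST":          # the article ties the exfil to POST
        return ()
    reasons = []
    if is_dyndns(host):
        reasons.append("dyndns-host")
    if ua_suspicious(ua):
        reasons.append("odd-user-agent")
    return tuple(reasons)


def scan(log_text: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:                          # skip lines that do not parse
            continue
        _ts, client, method, host, _path, ua = m.groups()
        reasons = classify(method, host, ua)
        if reasons:
            hits.append((client, host, reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the two POSTs to dynamic-DNS hosts, with the non-browser User-Agent on the first of them as a second reason.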