BitSight, a cybersecurity company, has revealed that a sophisticated botnet called MyloBot has affected thousands of systems across the globe.
Most of the compromised systems are located in India, the United States, Indonesia, and Iran.
BitSight has also found that MyloBot’s infrastructure is linked to a residential proxy service named BHProxies, implying that the compromised machines are being used by the latter.
The botnet was initially observed in 2017 and was first documented in 2018. It is known for its anti-analysis methods and its ability to act as a downloader.
MyloBot has the potential to download any other type of malware that the attacker wants. It also waits for 14 days before attempting to contact the command-and-control (C2) server to avoid detection.
MyloBot receives instructions from C2 and transforms the infected computer into a proxy. The malware has been observed sending extortion emails from hacked endpoints as part of a financially motivated campaign.
MyloBot continues to evolve over time, and BitSight has been sinkholing the botnet since November 2018.
Raspberry Pi is a low-cost, compact computer that is popular among hackers and security professionals. It runs a variety of operating systems and can be used for tasks such as penetration testing, network security, forensic analysis, reverse engineering, automation, and IoT security. It features a quad-core processor, up to 8 GB of RAM, built-in Wi-Fi and Bluetooth, and several USB and Ethernet ports for connecting to other devices.
WiFi Pineapple
The WiFi Pineapple is a versatile device in the world of ethical hacking and penetration testing. It acts as a wireless access point, but with a twist: it can mimic a legitimate one, allowing security professionals and ethical hackers to test the resilience of wireless networks and identify any vulnerabilities. The Pineapple can redirect network traffic, perform man-in-the-middle attacks, and gather valuable information about the target network and its users.
With its ability to impersonate a trusted access point, the WiFi Pineapple is a powerful tool in the arsenal of those committed to improving network security through ethical means.
Flipper Zero
Flipper Zero is a compact and portable device designed for technology enthusiasts and security professionals alike. It offers the ability to interact with digital systems and tackle various tasks, such as exploring radio protocols, accessing control systems, and debugging hardware.
Thanks to its open-source and customizable nature, users can extend its functionality to suit their needs. Flipper Zero has a playful personality, reminiscent of a cyber-dolphin, and its versatility allows it to grow and adapt as it is used.
Whether you’re a seasoned security professional or just starting out, Flipper Zero is the perfect tool for exploring and learning about digital systems. With its ability to interact with RFID and debug hardware using GPIO pins, this tiny piece of hardware has a big impact on the world of technology.
New USB Rubber Ducky
The new USB Rubber Ducky is a versatile tool that emulates human-like keystroke inputs to execute complex and sophisticated attack scenarios. Its ability to run tests based on the target machine’s operating system and execute specific actions on Windows or Mac systems makes it a flexible tool for attackers. Additionally, the support for the DuckyScript 3.0 programming language enables the creation of complex attack scenarios using functions, variables, and logic flow controls. It is important to be aware of its capabilities and take appropriate measures to protect systems from attack.
HakCat WiFi Nugget
The HakCat WiFi Nugget is an open-source tool designed by Hak5 hosts Kody Kinzie and Alex Lynd to make learning about hacking fun and accessible. With its cute cat face and OLED screen, the device is approachable and invites users to get into Wi-Fi hacking. Pre-soldered and pre-flashed nuggets are available for purchase, but users can also build the device themselves using Gerber and BOM files from GitHub. The design is simple and requires a bit of soldering and 3D printing to complete. The firmware can be flashed using ESPTool in Chrome. The HakCat WiFi Nugget is a fun and inviting tool for those interested in learning about wireless security and hacking.
O.MG Cable
The O.MG Cable is designed for use by certified ethical hackers and red team members to emulate attack scenarios and test defense teams. The advanced features, such as keystroke and mouse injection, pre-installed payloads, and full-speed USB hardware keylogger, provide these security professionals with the tools they need to conduct thorough testing and training. With its various port options and advanced capabilities, the O.MG Cable is a valuable tool for certified ethical hackers and red team members to enhance their testing and training processes.
HackRF One
HackRF One is a Software Defined Radio (SDR) that allows users to receive, transmit, and manipulate radio signals. It operates in the frequency range of 1 MHz to 6 GHz, making it one of the most versatile SDRs on the market. The device was developed by Michael Ossmann and is manufactured by Great Scott Gadgets, a company based in Colorado, USA.
The HackRF One is a versatile and powerful tool for a wide range of applications. Its compact design, open-source hardware, and high sample rate make it a valuable tool for researchers, engineers, and hobbyists. However, its limited frequency range
Ubertooth one
The Ubertooth One is a powerful and versatile open source development platform for anyone interested in Bluetooth experimentation and hacking. It is based on the LPC175x ARM Cortex-M3 microcontroller with full-speed USB 2.0, providing a wide range of capabilities, including monitoring, scanning and packet sniffing of Bluetooth signals. The Ubertooth One can also be used to discover and pair devices, as well as reverse engineer wireless protocols. This makes it a great tool for penetration testers, security researchers, and hobbyists who want to explore and understand the inner workings of Bluetooth communications. The Ubertooth One is an invaluable tool for anyone interested in learning more about wireless technology and Bluetooth security.
ChameleonMini
Chame leonMini is an RFID emulation device created by ProxGrind that is capable of simulating multiple types of RFID tag formats. It is a powerful and portable NFC emulation and manipulation tool which can be used for practical NFC and RFID security analysis, compliance and penetration tests, as well as for reverse engineering and other tasks. ChameleonMini is able to emulate a wide range of common contactless cards, including ISO 14443A/B, ISO 15693, MIFARE Classic, and MIFARE DESFire.
Hardware Keylogger
A hardware keylogger is a device used to record keystrokes. It is attached to the computer, either internally or externally, and it starts its applications when it is powered on. The hardware keylogger records all of the keystrokes and stores them on a memory chip. Typically, hardware keyloggers are used by hackers to gain access to sensitive information, such as usernames, passwords, and financial information. Hardware keyloggers can also be used by employers to monitor employees’ computer usage, or by parents to monitor their children’s online activities.
Suricata is a highly efficient, open-source, and multi-platform network security engine that incorporates advanced Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) technologies. Developed and maintained by the Open Information Security Foundation (OISF) community since 2009, Suricata offers a comprehensive solution for detecting and preventing network security threats.
As we already explained in this article, an IDS is a passive system that is responsible for monitoring the behavior of a network to detect and report on possible unauthorized intrusions, while an IPS is an active system that works as an extension of the IDS and that , in addition to sending alerts on detections, it can also block malicious activity within the network – such as brute force attacks, DDoS, or attacks that seek to exploit vulnerabilities – and create a log with the intrusion. All this from the traffic, the file signatures, and the heuristic analysis of the flow. Additionally, IPS allows adding policies and restricting access to users and / or even applications.
That said, the most common uses for Suricata are related to scanning network traffic and analyzing traffic logs within a sandbox or sandbox environment (such as running malware). However, we can also use this tool for creating rules in order to classify malware.
Testing Meerkat
Next, we are going to see a simple example of how to use Suricata for malware classification.
Suppose we have a machine destined to perform dynamic analysis of malware samples, we could add different Suricata rules to be able to classify the type of malware that is running according to the traffic.
In this case, while a sample of the Trickbot banking Trojan is running on the network , a .pcap file is generated with information on the behavior of the traffic.
Through the network flow generated by the malware and knowing its behavior, we could create some rules in Suricata in the /etc/suricata/
rules folder :
Before proceeding with the generation of the rule to detect Trickbot, we will see a short description of the basic fields to generate rules in Suricata:
Action
Header
Rule Options
Action: corresponds to the action (drop, alert, etc.) that Suricata will perform when the rule is identified in the network flow.
Header: this section corresponds to the specific network flow to be analyzed. From origin to destination. With the word “any” we can tell Meerkat that all ports will be analyzed.
Rule: rule to implement to detect malware in our case. Within this field there are keywords that help us create our rule:
Msg: alert message that Suricata will issue.
flow: network flow.
Content: contains the character string to be searched within the traffic.
Reference: contains references, in this case we put a verification MD5 hash of a Trickbot sample.
Sid: ID of the identified rule.
Rev: version of the rule.
Classtype: provides information on the classification of rules and alerts.
Taking as an example the rule for Trickbot malware, let’s proceed to add the Suricata rule in the / etc / suricata / rules directory for its detection: We save our rule for Trickbot taken from the aforementioned repository
The eve.json file is the file that interests us the most at the moment, since it is the output file that provides information about alerts, anomalies, metadata, and even information about specific files and logs:
If we search for the name of the message “ Trickbot “ with the command:
grep “Trickbot” eve.json
We will see that our rule was able to detect the malicious file as Trickbot.
To close this proof of concept it is important to mention that Suricata is a very useful tool to perform Threat Hunting . It is capable of identifying network protocols (TPC, UDP, HTTP, ICMP, etc.) enabling real-time control of the traffic generated on our network and controlling the presence of possible malicious codes. The latter can be done through MD5 checks, as we saw in the Trickbot rule.
On the other hand, we also recommend reviewing the Suricata Open Source repository of Emerging Threats rules , where you can find rules that detect new threats.
Suricata is an open-source network intrusion detection and prevention system (IDS/IPS) that can be used to detect and prevent cyber attacks on a computer network. It uses a variety of techniques, including signature-based detection and protocol analysis, to identify and block malicious traffic.
Installing Suricata on a Linux operating system is a multi-step process that involves the following steps:
Table of contents
1. Verify that your Linux system meets the minimum requirements for running Suricata. This includes checking that you have a supported version of Linux and that you have the necessary dependencies installed.
A supported version of Linux: Suricata is compatible with various Linux distributions such as Ubuntu, Debian, Fedora, and CentOS. You can check your Linux version by running the command.
GCC compiler: Suricata requires a C compiler to build the source code. You can check if GCC is installed on your system by running the command
"gcc --version"
Libpcap library: Suricata uses the libpcap library to capture network traffic. You can check if libpcap is installed on your system by running the command
"ldconfig -p | grep libpcap"
libyaml library: Suricata uses the libyaml library for parsing YAML files. You can check if libyaml is installed on your system by running the command
"ldconfig -p | grep libyaml"
libjansson library: Suricata uses the libjansson library for JSON data handling. You can check if libjansson is installed on your system by running the command
"ldconfig -p | grep libjansson"
libmagic library: Suricata uses the libmagic library to detect file types. You can check if libmagic is installed on your system by running the command
"ldconfig -p | grep libmagic"
Please note that these commands are for checking the dependencies in Ubuntu and Debian based distributions. In other distributions, the package manager commands may be different, for example, in Red Hat-based systems, you should use yum instead of apt-get.
8. Configure Suricata by editing the configuration file located at /etc/suricata/suricata.yaml.
9. Start Suricata by running the command
(assuming that the interface you want to listen on is eth0)
"suricata -c /etc/suricata/suricata.yaml -i eth0"
10. Verify that Suricata is running correctly by checking the output of the command
sudo suricata -i eth0 --list-runmode-helpers
It’s always recommended to check the official documentation of Suricata for the specific version that you are installing and to be aware of the dependencies that your system needs to have installed before proceeding with the installation. It’s always recommended to consult the official documentation of Suricata for the specific version that you are installing and to be aware of the dependencies that your system needs to have installed.