A botnet has been cannibalizing other hackers’ web shells for more than a year



A major botnet operation has been attacking and taking over the web shells (backdoors on web servers) of other malware operations for more than a year, security researchers from Positive Technologies revealed today.

Researchers linked the botnet to a former Windows trojan named Neutrino (also known as Kasidet), whose operators appear to have shifted from targeting desktop users to online servers, on which they install a cryptocurrency-mining malware.

Positive Technologies said this new phase of the Neutrino gang’s operation started in early 2018, when the group assembled a multi-functional botnet that scanned random IP addresses on the internet, searching for particular web apps and servers to infect.

To breach other servers, the Neutrino botnet used various techniques, such as using exploits for old and new vulnerabilities, searching phpMyAdmin servers that were left without a password, but also brute-forcing their way into root accounts for phpMyAdmin, Tomcat, and MS-SQL systems.

There’s nothing particularly new or interesting in this modus operandi, as by this point, this is how most botnets operate nowadays.

Neutrino brute-forces competitors’ web shells

However, security researchers say they’ve also spotted Neutrino doing odd things, not seen in many other botnets. For example, Neutrino searches for Ethereum nodes that were left running with default passwords, connects to these systems, and steals any locally stored funds.

But the thing that set Neutrino apart from most other cryptomining botnets that are active today was its focus on hijacking web shells.

Web shells are web-accessible backdoor scripts that hackers plant on servers they manage to compromise.

Web shells have a web-based interface to which hackers can connect to and issue commands via their browser, or a programmatic interface to which they send automated instructions.

According to Positive Technologies, Neutrino has been searching the web for 159 different types of PHP web shells and two JSP (Java Server Pages) ones.

The botnet compiles a list of web shells, and then launches brute-force attacks in an attempt too guess the web shells’ login credentials and take over the shells — and the underlying web servers.

Botnet operators are often in competition with one another, but most of the time they infect devices and use an antivirus-like system to keep competitors at bay and from infecting the same device.

It’s quite rare when you see one botnet cannibalizing another malware botnet’s infected hosts.

A very noisy botnet

As for Neutrino’s success, Positive Technologies said the botnet has been one of the top three senders of queries to their honeypots.

Based on the company’s investigation, the botnet has been quite successful in infecting Windows servers running phpStudy, an integrated learning environment popular primarily popular among Chinese developers.

However, other types of servers were also compromised, such as those running phpMyAdmin apps.

“To protect servers from Neutrino infection, we recommend that administrators check the password for the root account in phpMyAdmin,” said Kirill Shipulin, security researcher at Positive Technologies. “Make sure to patch services and install the latest updates. Remember, Neutrino is regularly updated with new exploits.”

Technical details about Neutrino’s modus operandi are available in Positive Technologies’ report.