Friday, November 1, 2024
HomeCyber Security NewsMultistage Attack Delivers BillGates/Setag Backdoor to Turn Elasticsearch Servers into DDoS Botnet

Multistage Attack Delivers BillGates/Setag Backdoor to Turn Elasticsearch Servers into DDoS Botnet

Published on

Malware protection

A new multistage attack exploiting Elasticsearch servers using the old unpatched vulnerability to invoke a shell with a crafted query and encoded Java commands. The attack aims to deliver BillGates/Setag Backdoor against vulnerable Elasticsearch servers.

The attack targets the already patched vulnerability in the Groovy scripting engine (versions 1.3.0 – 1.3.7 and 1.4.0 – 1.4.2) and the vulnerability can be tracked as CVE-2015-1427 it allows attackers to evade sandbox and to execute arbitrary shell commands via a crafted script.

Security researchers from TrendMicro identified the attack, “the threat actors behind this attack used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites could mean they are just testing their hacking tools or readying their infrastructure before mounting actual attacks.”

- Advertisement - SIEM as a Service

Infection ChainElasticsearch Servers

The attack starts by searching for a publicly accessible Elasticsearch databases/servers and the attack includes two stages. Once a publicly accessible server is found it “invoke a shell with an attacker-crafted search query with encoded Java commands”.

If the server is vulnerable then the query will get execute successfully and downloads the first-stage script that attempts to stop the firewall running and downloads the second-stage of the payload using curl or wget command.

The second stage of a script similar to the first one attempts to stop firewall and also certain script files that associated with cryptocurrency miners, various config files and other unwanted processes to run its operation.

Also, it removes initial stages of infection, the payloads are likely to be downloaded from the compromised websites to avoid detection.

“A closer look into the binaries revealed a backdoor variant that steals system information and can launch DDoS attacks. The samples bear the hallmarks of the BillGates malware.”

The malware was first spotted in the year 2014 and it is used to launch DDoS attacks, the toolkit includes ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7) and DNS query-of-reflection flood.

Based on TrendMicro report, “this malware also replaces the affected system’s systools (which enables viewing of system or device information) with a copy of itself, and transfers them to the /usr/bin/dpkgd directory.”

Indicators of Compromise (IoCs):

8ebd963f86ba62f45b936f6d6687ccb1e349a0f8a6cc19286457895c885695c8 (.pprt)
cfe3dccf9ba5a17e410e8e7cf8d0ff5c1b8688f99881b53933006250b6421468 (.ppol)

Related domains/URLs:

hxxps://crazydavesslots[.]com/[.]ppol
hxxp://aduidc[.]xyz

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...