A botnet has been cannibalizing other hackers’ web shells for more than a year

A major botnet operation has been attacking and taking over the web shells (backdoors on web servers) of other malware operations for more than a year, security researchers from Positive Technologies revealed today.

Researchers linked the botnet to a former Windows trojan named Neutrino (also known as Kasidet), whose operators appear to have shifted from targeting desktop users to online servers, on which they install a cryptocurrency-mining malware.

Positive Technologies said this new phase of the Neutrino gang’s operation started in early 2018, when the group assembled a multi-functional botnet that scanned random IP addresses on the internet, searching for particular web apps and servers to infect.

To breach other servers, the Neutrino botnet used a mix of techniques: exploits for both old and newly disclosed vulnerabilities, scans for phpMyAdmin installations left without a password, and brute-force attacks against root accounts on phpMyAdmin, Tomcat, and MS-SQL systems.
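As an added defender-side illustration that is not part of the ZDNet article or the Positive Technologies report, the Python below flags the kind of credential brute-forcing against Tomcat's manager application described above by looking for bursts of failed logins from one source in an access log. The log lines are constructed, and the log format, the `/manager` path, the threshold and the time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat access-log sample in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2019:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - admin [12/Aug/2019:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - tomcat [12/Aug/2019:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - root [12/Aug/2019:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - manager [12/Aug/2019:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - admin [12/Aug/2019:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 19001
198.51.100.22 - ops [12/Aug/2019:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 19001
198.51.100.22 - - [12/Aug/2019:10:30:00 +0000] "GET /manager/html HTTP/1.1" 401 2536
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}

def find_bruteforce(log_text, path_prefix="/manager", threshold=4,
                    window=timedelta(seconds=60)):
    """Return {ip: details} for sources with >= threshold auth failures (401/403)
    against path_prefix inside one sliding window; details record the usernames
    tried and whether a 200 followed the failure burst (a likely successful guess)."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["path"].startswith(path_prefix)]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"] in (401, 403)]
        for i, first in enumerate(fails):
            j = i
            while j < len(fails) and fails[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i >= threshold:  # burst of failures within the window
                last_fail = fails[j - 1]["ts"]
                success = any(e["status"] == 200 and e["ts"] >= last_fail for e in evs)
                alerts[ip] = {"failures": j - i, "success_after": success,
                              "users": sorted({f["user"] for f in fails[i:j]})}
                break
    return alerts
```

The sample flags 203.0.113.7 (five failures in four seconds, then a 200) and ignores 198.51.100.22, whose single failure is ordinary user error.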

Source: ZDNet