MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel...
Background: Apparently Linux ELF malware is becoming an interesting attraction for several actors from the People's Republic of China (in short: PRC). This post is one good example of it. It explains also...
MMD-0048-2016 - DDOS.TF = (new) ELF & Win32 DDoS service and ASP +...
Background: Linux exploitation by bad actors from the People's Republic of China (in short: PRC) is not a new matter. Their attacks are coming every day and their methods are also improving by the day. This post is...
MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack
Background: This is a short post supporting the takedown purpose. Warning: Sorry, this time there's nothing fancy nor "in-depth analysis" :-) Yet the current hacking & infecting scheme is so bad,...
MMD-0050-2016 - Incident report: ELF Linux/Torte infection (in Wordpress)
The indicator: Several hours ago, a suspicious inbound access was detected on a Wordpress site with the below log: (Thanks for the hard work from Y) It's an unusual traffic coming from the unusual...
MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock...
The background: In September 2014, while the ShellShock exploitation was in the rush, I analyzed a case (MMD-0027-2014) of an ELF payload dropped via ShellShock attack; the details can be read...
MMD-0052-2016 - SkidDDOS ELF infection Jan-Feb 2016
Background: These are the comprehensive statistical data for the infection of the ELF DDoS malware whose source codes we snagged and reported in a previous MalwareMustDie blog post [MMD-0044-2015]....
MMD-0053-2016 - A bit about ELF/STD IRC Bot: x00's CBack aka xxx.pokemon(.)inc
Latest UPDATE incident of this threat is --> [link]. Background: I received a report that a host in the Google cloud network is serving ELF malware: {"ip": "130.211.127.186", "hostname": ...
[Slide] The Kelihos & Severa; the "All Out" version
Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever. Warning: It's a...
MMD-0054-2016 - ATMOS botnet facts you should know
The background: This post is about recent intelligence and shared information on the currently emerged credential stealer and spying botnet named "Atmos", for the purpose of threat recognition, incident...
MMD-0055-2016 - Linux/PnScan ; ELF worm that still circles around
Background: I just checked around the internet and found an interesting ELF worm distribution that may help raise awareness for fellow sysadmins. As shown in the title, it's a known ELF malware threat, could...
MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled..
Background: From August 4th 2016 several sysadmin friends were helping us by uploading this malware's files to our dropbox. The samples of this particular ELF malware were not easy to retrieve; there are...
MMD-0057-2016 - New ELF botnet: Linux/LuaBot
Background: On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn't any detail or comment whatsoever, just one cute little ARM ELF stripped binary...
MMD-0058-2016 - ELF Linux/NyaDrop - a linux MIPS IoT bad news
Background: Since the end of September 2016 I have received a new type of attack that aims at the MIPS platform I provided to detect IoT attacks. I will call this threat the new ELF Linux/NyaDrop as per the...
MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6...
It's a Kaiten/Tsunami? No.. STD?? No! It's a GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!! It's a Linux/IRCTelnet (new Aidra)! ..a newly coded IoT DDoS botnet's Linux malware.. Summary: This post is a report...
MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today
Background: ChinaZ is the PRC (People's Republic of China) actor's Linux ELF DDoS malware and its service. This threat has been covered several times in this blog; several takedown efforts also had...
MMD-0061-2016 - EnergyMech 2.8 overkill mod
This is a new threat analysis report I wrote in the MalwareMustDie blog (this one) after we moved out from Blogger; I hope you like the new blog system and design, and enjoy the post! An unattended or...
MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via...
Sticky note: We call this threat the "Strudels Attack". 1. Background: In this post there is no malicious software/malware analyzed, but this is one of the impacts of the malware infecting IoT devices...
MMD-0063-2019 - Summarized report of three years MalwareMustDie research...
Hello, it's unixfreaxjp here. It has been a while since I wrote on our own blog, and it is good to be back. Thank you for your patience all this time. The background: It was after September 2016...
MMD-0064-2019 - Linux/AirDropBot
Prologue: There are a lot of botnets aiming at multiple architectures of Linux-based Internet of Things, and this story is just one of them, but I haven't seen one coded like this before. Like most...
More About My 2019.HACK.LU Keynote Talk
As promised, these are my additional notes and review of my keynote talk at 2019.HACK.LU (link). About 2019.HACK.LU: HACK.LU is a great conference; thank you for having me this year, I could interact...
MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained
Prologue: I set up a brand new local ARM-based router I bought online around this new year 2020 to replace my old pots, and yesterday it was soon pwned by malware and I had to reset it to the factory...
MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat
Prologue: A month ago I wrote about IoT malware for the Linux operating system, a Mirai botnet's client variant dubbed FBOT. The writing [link] was about reverse engineering a Linux ELF ARM 32-bit to...
MMD-067-2021 - Recent talks on Linux process injection and shellcode analysis...
The background of these research and talks: After HACK.LU-2019's talk in 2019 [link], I was asked a lot of questions about Linux process injection that can trigger code execution, and yes, one of...
MMD-068-2024 - "FHAPPI Campaign" (APT10) FreeHosting APT PowerSploit Poison Ivy
I am @unixfreaxjp of the MalwareMustDie team. This is the English translation of the APT overall analysis I made in Japanese at my Japan security blog: "#OCJP-136: 「FHAPPI」 Geocities.jpとPoison...
MMD-0069-2024 - An old ELF Ransomware pivoted crypto (OpenSSL to PolarSSL)...
This malware analysis was originally posted in 2015 on my soon-to-be-closed Japanese blog, and to avoid the research information disappearing I re-posted it as an English translation over here. During...