Matrix Unleashes A New Widespread DDoS Campaign

Summary:
Aqua Nautilus researchers have identified a significant Distributed Denial-of-Service (DDoS) campaign led by a threat actor known as Matrix, utilizing accessible tools and exploiting vulnerabilities in IoT and enterprise systems. The operation reveals a concerning trend where even individuals with minimal technical knowledge can execute large-scale cyberattacks. The findings emphasize the need for improved security practices to counteract these evolving threats.
#DDoSCampaign #MatrixThreatActor #IoTSecurity

Keypoints:

  • Matrix orchestrates a widespread DDoS campaign targeting vulnerabilities in IoT and enterprise systems.
  • The campaign showcases how accessible tools can enable large-scale cyberattacks.
  • Initial access is gained through brute-force attacks and exploitation of weak credentials.
  • Matrix’s operations indicate a shift towards targeting both development and production servers.
  • The threat actor appears to be financially motivated rather than politically driven.
  • Vulnerabilities in IoT devices remain a primary focus for DDoS botnets.
  • The campaign utilizes a variety of public scripts and tools, emphasizing the threat posed by script kiddies.
  • Matrix has developed a Telegram bot for selling DDoS services, indicating a business-driven approach.

MITRE Techniques:

  • Initial Access
      • Exploit Public-Facing Application (T1190): Exploits vulnerabilities in IoT devices, routers, and servers.
      • Valid Accounts (T1078): Uses brute-force attacks with precompiled username-password pairs.
  • Execution
      • Command and Scripting Interpreter – Python (T1059.006): Deploys Python scripts and Discord bots for command execution.
  • Persistence
      • Create or Modify System Process (T1543): Modifies processes on IoT devices for long-term control.
      • Implant Software (T1403): Installs botnet clients like Mirai and PYbot.
  • Defense Evasion
      • Disable or Modify Tools (T1211): Disables antivirus solutions like Windows Defender.
      • Masquerading (T1036): Uses legitimate-looking scripts to blend in malicious activity.
  • Credential Access
      • Brute Force (T1110): Executes brute-force attacks using curated dictionaries.
  • Discovery
      • Network Service Scanning (T1046): Identifies misconfigured or vulnerable devices.
      • Network Share Discovery (T1135): Identifies accessible shares for lateral movement.
  • Lateral Movement
      • Exploitation of Remote Services (T1210): Targets remote services like SSH and Telnet.
      • Remote Service Session Hijacking (T1550.002): Iterates over SSH keys for lateral movement.
  • Collection
      • Data from Local System (T1005): Collects sensitive data from compromised systems.
  • Command & Control
      • Web Service (T1102): Uses platforms like Telegram for botnet communication.
      • Encrypted Channel (T1041): Establishes secure communication using Discord bots.
  • Impact
      • Resource Hijacking (T1496): Conducts cryptomining operations.
      • Service Exhaustion Flood (T1499): Executes Layer 4 and Layer 7 DDoS attacks.

IoC (IP addresses are defanged with [.]):

  • [IP Address] 199[.]232[.]46[.]132
  • [IP Address] 5[.]42[.]78[.]100
  • [IP Address] 78[.]138[.]130[.]114
  • [IP Address] 85[.]192[.]37[.]173
  • [IP Address] 5[.]181[.]159[.]78
  • [IP Address] 217[.]18[.]63[.]132
  • [Domain] sponsored-ate.gl.at.ply.gg
  • [File Hash] MD5: df521f97af1591efff0be31a7fe8b925 (Mirai malware)
  • [File Hash] MD5: 9c9ea0b83a17a5f87a8fe3c1536aab2f (RiskWare/Win32.Kryptik.a)
  • [File Hash] MD5: 0e3a1683369ab94dc7d9c02adbed9d89 (Discord DDoS Botnet)
  • [File Hash] MD5: c7d7e861826a4fa7db2b92b27c36e5e2 (hacktool.sshscan/virtool)
  • [File Hash] MD5: 53721f2db3eb5d84ecd0e5755533793a (trojan.siggen/casdet)
  • [File Hash] MD5: d653fa6f1050ac276d8ded0919c25a6f (trojan.gafgyt/mirai)
  • [File Hash] MD5: 76975e8eb775332ce6d6ca9ef30de3de (trojan.ddosagent/ddos)
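The indicators above are published defanged, so a defender has to refang them before they can be matched against logs or file inventories. The script below is an added example written for this summary, not code from Aqua Nautilus or from the report: it refangs the listed IPs (handling both the `[.]` style and the `[.232]` style seen in some copies of the list), sweeps a few constructed sample log lines for IP and domain hits with boundary checks so that `5.42.78.100` does not fire on `15.42.78.100`, and looks up observed MD5 values against the hash list. The log lines and the observed hashes are constructed sample data.

```python
"""Refang the Matrix IoCs and sweep sample logs for them (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the IoC list above, kept in their defanged form.
DEFANGED_IPS = [
    "199[.232][.46][.132]",
    "5[.42][.78][.100]",
    "78[.138][.130][.114]",
    "85[.192][.37][.173]",
    "5[.181][.159][.78]",
    "217[.18][.63][.132]",
]
DOMAINS = ["sponsored-ate.gl.at.ply.gg"]
MD5_HASHES = {
    "df521f97af1591efff0be31a7fe8b925": "Mirai malware",
    "9c9ea0b83a17a5f87a8fe3c1536aab2f": "RiskWare/Win32.Kryptik.a",
    "0e3a1683369ab94dc7d9c02adbed9d89": "Discord DDoS Botnet",
    "c7d7e861826a4fa7db2b92b27c36e5e2": "hacktool.sshscan/virtool",
    "53721f2db3eb5d84ecd0e5755533793a": "trojan.siggen/casdet",
    "d653fa6f1050ac276d8ded0919c25a6f": "trojan.gafgyt/mirai",
    "76975e8eb775332ce6d6ca9ef30de3de": "trojan.ddosagent/ddos",
}

# Matches "[.]" as well as "[.232]" (bracket swallowing the next octet).
_DEFANG_RE = re.compile(r"\[\.(\d*)\]")


def refang(indicator: str) -> str:
    """'199[.232][.46][.132]' and '199[.]232[.]46[.]132' both become '199.232.46.132'."""
    return _DEFANG_RE.sub(r".\1", indicator)


REFANGED_IPS = [refang(ip) for ip in DEFANGED_IPS]


def scan_logs(lines: Iterable[str], ips: List[str], domains: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every IoC hit in the given log lines."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for ip in ips:
            # Digit/dot boundaries keep 5.42.78.100 from matching inside 15.42.78.100 or 5.42.78.1001.
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((lineno, "ip", ip))
        lowered = line.lower()
        for domain in domains:
            if domain in lowered:
                hits.append((lineno, "domain", domain))
    return hits


def check_hashes(observed: Iterable[str]) -> Dict[str, str]:
    """Map each observed MD5 (any case) that is on the IoC list to its label."""
    return {h: MD5_HASHES[h] for h in (x.strip().lower() for x in observed) if h in MD5_HASHES}


# Constructed sample log lines; timestamps, hosts and ports are invented.
SAMPLE_LOGS = [
    "2024-11-20T10:01:02Z sshd[1223]: Failed password for root from 85.192.37.173 port 51122 ssh2",
    "2024-11-20T10:01:05Z sshd[1223]: Accepted publickey for deploy from 10.0.0.12 port 40022 ssh2",
    "2024-11-20T10:02:11Z dns: query from 10.0.0.34 for sponsored-ate.gl.at.ply.gg type A",
    "2024-11-20T10:03:00Z proxy: client 10.0.0.34 CONNECT 15.42.78.100:443",
    "2024-11-20T10:04:00Z firewall: DROP src=217.18.63.132 dst=10.0.0.5 dport=23",
]

if __name__ == "__main__":
    for lineno, kind, indicator in scan_logs(SAMPLE_LOGS, REFANGED_IPS, DOMAINS):
        print(f"line {lineno}: {kind} hit on {indicator}")
    # Constructed observed hashes: one from the list (upper case) and one unrelated value.
    print(check_hashes(["DF521F97AF1591EFFF0BE31A7FE8B925", "00000000000000000000000000000000"]))
```

Line 4 of the sample is the deliberate near miss: `15.42.78.100` contains the listed `5.42.78.100` as a substring, and a plain substring search would raise a false positive there. Feed real logs through `scan_logs` one file at a time, and pass file-inventory or EDR hash columns to `check_hashes`.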


Full Research: https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign