Censys discovered a network of botnet management systems utilizing a modified version of the Nosviak command-and-control service. This network connects over 150 hosts across multiple countries and operates under various aliases, primarily offering DDoS and proxy services marketed as “stress testing.” Evidence suggests a significant infrastructure that leverages shared resources for malicious activities. Affected: botnet networks, DDoS services, cybersecurity sector
Keypoints :
- Censys identified a botnet management system using modified Nosviak software.
- The network consists of over 150 interconnected hosts across twenty countries.
- Services are marketed as “stress testing” but provide DDoS and proxy services.
- Stores and platforms share similar HTML templates with unique branding.
- Operators communicate via Discord and Telegram to support users and share attack proofs.
- Operational infrastructure is primarily hosted on OVH and Aeza, targeting likely weaker enforcement areas.
- SSH keys and server banners reveal connections between hosts, making them traceable.
- Various domain names associated with the network were identified.
MITRE Techniques :
- T1071.001 – Application Layer Protocol: Utilization of custom APIs for service operations.
- T1078.001 – Valid Accounts: Compromised accounts used for managing services on the botnet.
- T1090 – Connection Proxy: The botnet uses proxy services to mask its activities.
- T1132 – Data Encoding: Custom branding and communication protocols imply potential data obfuscation.
- T1098 – Account Manipulation: Direct interactions through Discord and Telegram for customer engagement.
Indicator of Compromise :
- [Domain] nordnetface[.]sbs
- [Domain] rotate-c2[.]fr
- [Domain] amely.com
- [Domain] freshman[.]xyz
- [IP Address] 185.17.0.31
Full Story: https://censys.com/pivoting-for-nosviak/