{"id":15210,"date":"2019-04-29T10:10:03","date_gmt":"2019-04-29T18:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/29\/news-8959\/"},"modified":"2019-04-29T10:10:03","modified_gmt":"2019-04-29T18:10:03","slug":"news-8959","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/29\/news-8959\/","title":{"rendered":"Electrum DDoS botnet reaches 152,000 infected hosts"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Mon, 29 Apr 2019 17:00:00 +0000<\/strong><\/p>\n

By J\u00e9r\u00f4me Segura, Adam Thomas, and S!Ri<\/em><\/p>\n

We have been closely monitoring the situation involving the continued attacks against users of the popular Electrum Bitcoin wallet. Initially, victims were being tricked to download a fraudulent update that stole their cryptocurrencies. Later on, the threat actors launched a series of Distributed Denial of Service<\/a> (DDoS) attacks in response to Electrum developers trying to protect their users.<\/p>\n

Since our last blog<\/a>, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing. Case in point, on April 24, the number of infected machines in the botnet was just below 100,000<\/a> and the next day it reached its highest at 152,000<\/a>, according to this online tracker<\/a>. Since then, it has gone up and down and plateaued at around the 100,000 mark.<\/p>\n

New loader identified <\/h3>\n

We have been able to correlate two distribution campaigns (RIG exploit kit and Smoke Loader) that are fueling this botnet by dropping malware we detect as ElectrumDoSMiner<\/a>. Now, we have just identified a previously undocumented loader we call Trojan.BeamWinHTTP<\/a> that is also involved in downloading ElectrumDoSMiner (transactionservices.exe<\/em>).<\/p>\n

\n
\"\"<\/a>
New Trojan.BeamWinHTTP connected to ElectrumDoSMiner<\/figcaption><\/figure>\n<\/div>\n

As can be seen in the VirusTotal graphs above and below, there are hundreds of malicious binaries that retrieve the ElectrumDoSMiner. We surmise there are probably many more infection vectors beyond the three we’ve uncovered so far.<\/p>\n

\n
\"\"<\/a>
The main infrastructure hosting ElectrumDoSMiner binaries and configuration files<\/figcaption><\/figure>\n<\/div>\n

Botnet geographic distribution<\/h3>\n

By analyzing the IP addresses and mapping them to a country, we are able to have a better idea of where the bots are located. We find the largest concentration in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru.<\/p>\n

\n
\"\"<\/a>
World map showing presence of bots part of the Electrum DDoS botnet<\/figcaption><\/figure>\n<\/div>\n

The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes<\/a> detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.<\/p>\n

\n
\"\"<\/a>
Number of ElectrumDoSMiner infected machines cleaned by Malwarebytes<\/figcaption><\/figure>\n<\/div>\n

An underreported and yet massively fraudulent scheme<\/h3>\n

Crooks wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users. What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake.<\/p>\n

While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months.<\/p>\n

Indicators of Compromise<\/h3>\n

ElectrumDoSMiner infrastructure<\/p>\n

178.159.37.113  
194.63.143.226  
217.147.169.179
188.214.135.174<\/pre>\n
Trojan.BeamWinHTTP<\/p>\n
48dcb183ff97a05fd3e466f76f385543480abb62c9adcae24d1bdbbfc26f9e5a<\/pre>\n
Hashes for the binaries tied to the ElectrumDoSMiner infrastructure can be downloaded here<\/a>.<\/p>\n
The post Electrum DDoS botnet reaches 152,000 infected hosts<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: Malwarebytes Labs| Date: Mon, 29 Apr 2019 17:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
We’ve identified a new piece of malware that is connected to the Electrum botnet.<\/p>\n
Categories: <\/p>\n