{"id":20822,"date":"2022-12-15T10:02:45","date_gmt":"2022-12-15T18:02:45","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/15\/news-14555\/"},"modified":"2022-12-15T10:02:45","modified_gmt":"2022-12-15T18:02:45","slug":"news-14555","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/15\/news-14555\/","title":{"rendered":"MCCrash: Cross-platform DDoS botnet targets private Minecraft servers"},"content":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Thu, 15 Dec 2022 18:00:00 +0000<\/strong><\/p>\n<p>Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure rapidly. The Microsoft Defender for IoT research team recently analyzed a cross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating to a variety of Linux-based devices.<\/p>\n<p>The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet. The botnet\u2019s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.<\/p>\n<p>Microsoft tracks this cluster of activity as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. 
The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers.<\/p>\n<p>Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites. A breakdown of the systems affected by the botnet over the three months from the time of this analysis also revealed that most of the devices were in Russia:<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"536\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-1-ip-distribution-of-devices-infected-by-the-botnet-1.png\" alt=\"A geographical map that presents the countries where the devices affected by the botnet are located. Countries with affected devices are highlighted on the map in blue.\" class=\"wp-image-125267\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-1-ip-distribution-of-devices-infected-by-the-botnet-1.png 961w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-1-ip-distribution-of-devices-infected-by-the-botnet-1-300x167.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-1-ip-distribution-of-devices-infected-by-the-botnet-1-768x428.png 768w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><figcaption class=\"wp-element-caption\">Figure 1. IP distribution of devices infected by the botnet<\/figcaption><\/figure>\n<p>This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure. 
In this blog post, we share details on how this botnet affects multiple platforms, its DDoS capabilities, and recommendations for organizations to prevent their devices from becoming part of a botnet. We also share Minecraft server version information for owners of private servers to update and ensure they are protected from this threat.<\/p>\n<h2>Cross-platform botnet targets SSH-enabled devices<\/h2>\n<p>Microsoft researchers observed that the initial infection points related to the botnet were devices infected through the installation of malicious cracking tools that purport to acquire illegal Windows licenses.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"747\" height=\"332\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-2-cracking-tools-used-to-spread-the-botnet.png\" alt=\"Two screenshots of the user interfaces of the cracking tools used to spread the MCCrash botnet.\" class=\"wp-image-125257\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-2-cracking-tools-used-to-spread-the-botnet.png 747w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-2-cracking-tools-used-to-spread-the-botnet-300x133.png 300w\" sizes=\"auto, (max-width: 747px) 100vw, 747px\" \/><figcaption class=\"wp-element-caption\">Figure 2. Cracking tools used to spread the botnet.<\/figcaption><\/figure>\n<p>The cracking tools contain additional code that downloads and launches a fake version of <em>svchost.exe <\/em>through a PowerShell command. 
In some cases, the downloaded file is named <em>svchosts.exe<\/em>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"959\" height=\"446\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-3-the-code-of-the-net-executable-that-downloads-and-runs-svchostexe-1.png\" alt=\"A screenshot of malware code from an analysis tool, specifically the function where the malware downloads and runs the malicious file, svchost.exe.\" class=\"wp-image-125268\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-3-the-code-of-the-net-executable-that-downloads-and-runs-svchostexe-1.png 959w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-3-the-code-of-the-net-executable-that-downloads-and-runs-svchostexe-1-300x140.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-3-the-code-of-the-net-executable-that-downloads-and-runs-svchostexe-1-768x357.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-3-the-code-of-the-net-executable-that-downloads-and-runs-svchostexe-1-465x215.png 465w\" sizes=\"auto, (max-width: 959px) 100vw, 959px\" \/><figcaption class=\"wp-element-caption\">Figure 3. The code of the .NET executable that downloads and runs svchost.exe<\/figcaption><\/figure>\n<p>Next, <em>svchost.exe<\/em> launches <em>malicious.py<\/em>, the main Python script that contains all the logic of the botnet, which then scans the internet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration) and launches a dictionary attack to propagate. Once a device is found, it downloads the file <em>Updater.zip<\/em> from <em>repo[.]ark-event[.]net<\/em> onto the device, which creates the file <em>fuse<\/em>. 
The <em>fuse<\/em> file then downloads a copy of <em>malicious.py<\/em> onto the device. Both <em>svchost.exe<\/em> and <em>fuse<\/em> are compiled using PyInstaller, which bundles the Python runtime and all libraries necessary to run <em>malicious.py<\/em>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"960\" height=\"481\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-4-the-ddos-botnet-attack-flow-1.png\" alt=\"A graphic that presents the entire DDoS botnet attack flow from initial infection through a malicious cracking software to the running of DDoS commands from infected devices.\" class=\"wp-image-125266\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-4-the-ddos-botnet-attack-flow-1.png 960w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-4-the-ddos-botnet-attack-flow-1-300x150.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-4-the-ddos-botnet-attack-flow-1-768x385.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\">Figure 4. The DDoS botnet attack flow<\/figcaption><\/figure>\n<p>While <em>malicious.py<\/em> has specific functionalities depending on whether the file launches on a Windows or Linux-based device (for Windows, the file establishes persistence by adding a value under the registry key <em>Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em> that points to the executable), the executable is compiled to operate on both Windows and Linux-based devices. 
The file communicates with its command-and-control (C2) server to launch the following commands:<\/p>\n<ul>\n<li>Establish TCP connection to <em>repo[.]ark-event[.]net <\/em>on port 4676.<\/li>\n<li>Send initial connection string.<\/li>\n<li>Receive a key from the server for encryption and decryption, and then encrypt further communication using the Fernet symmetric algorithm.<\/li>\n<li>Send version information to the server:\n<ul>\n<li>Windows device: The current Windows version<\/li>\n<\/ul>\n<ul>\n<li>Linux device: Hardcoded version (2.19 in the sample we analyzed)<\/li>\n<\/ul>\n<\/li>\n<li>Continue receiving encrypted commands from the server<\/li>\n<\/ul>\n<p>Based on our analysis, the botnet is primarily used to launch DDoS attacks against private Minecraft servers using known server DDoS commands and unique Minecraft commands. Below is the list of commands established in the code:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>SYNC<\/strong><\/td>\n<td>Check that malware is running<\/td>\n<\/tr>\n<tr>\n<td><strong>PROXY_&lt;url&gt;<\/strong><\/td>\n<td>Set proxy servers<\/td>\n<\/tr>\n<tr>\n<td><strong>DOWNLOAD_&lt;url&gt;<\/strong><\/td>\n<td>Download file<\/td>\n<\/tr>\n<tr>\n<td><strong>EXEC_&lt;command &gt;<\/strong><\/td>\n<td>Run specific command line<\/td>\n<\/tr>\n<tr>\n<td><strong>SCANNER[ON|OFF]<\/strong><\/td>\n<td>Default credentials attack on SSH servers to spread<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_TCP<\/strong><\/td>\n<td>Send random TCP payloads<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_[HOLD|HANDSHAKE]<\/strong><\/td>\n<td>Send random TCP payloads through proxy<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_UDP<\/strong><\/td>\n<td>Send random UDP payload<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_VSE<\/strong><\/td>\n<td>Attack on Valve Source Engine 
protocol<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_RAKNET<\/strong><\/td>\n<td>Attack on RakNet protocol (used by Minecraft servers)<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_NETTY<\/strong><\/td>\n<td>Minecraft \u2013 Login handshake Packet<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_[MCBOT|MINE]<\/strong><\/td>\n<td>Minecraft \u2013 Login Start Packet<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_[MCPING|PING]<\/strong><\/td>\n<td>Minecraft \u2013 Login Success Packet<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_MCDATA<\/strong><\/td>\n<td>Minecraft \u2013 Login Handshake, Login Start and Close Window Packets<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_MCCRASH<\/strong><\/td>\n<td>Minecraft \u2013 Login Handshake and Login Start packets, using Username with <em>env<\/em> variable<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_JUNK<\/strong><\/td>\n<td>Send Tab-Complete packet<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_HTTP-GET<\/strong><\/td>\n<td>Send GET request<\/td>\n<\/tr>\n<tr>\n<td><strong>ATTACK_HTTP-FAST<\/strong><\/td>\n<td>Send HEAD request<\/td>\n<\/tr>\n<tr>\n<td><strong>STOP_ATTACK<\/strong><\/td>\n<td>Stop the previous attack<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>While most of the commands are methods of DDoS, the most notable command run by the botnet is <em>ATTACK_MCCRASH. <\/em>The command sends <em>${env:random payload of specific size:-a}<\/em> as the username in order to exhaust the resources of the server and make it crash.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"955\" height=\"75\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-5-mccrash-tcp-payload-seen-in-a-packet-capture-1.png\" alt=\"A screenshot of packet capture results that presents details of the malware's TCP payload. 
\" class=\"wp-image-125271\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-5-mccrash-tcp-payload-seen-in-a-packet-capture-1.png 955w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-5-mccrash-tcp-payload-seen-in-a-packet-capture-1-300x24.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Fig-5-mccrash-tcp-payload-seen-in-a-packet-capture-1-768x60.png 768w\" sizes=\"auto, (max-width: 955px) 100vw, 955px\" \/><figcaption class=\"wp-element-caption\">Figure 5. MCCrash TCP payload seen in a packet capture<\/figcaption><\/figure>\n<p>TCP payloads on port 25565 have the following binary structure:<\/p>\n<ul>\n<li>Bytes [0:1] \u2013 Size of packet<\/li>\n<li>Bytes [1:2] \u2013 Login Start command<\/li>\n<li>Bytes [2:3] \u2013 Size of username<\/li>\n<li>Bytes [3:18] \u2013 Username string<\/li>\n<\/ul>\n<p>The usage of the <em>env<\/em> variable triggers the use of Log4j 2 library, which causes abnormal consumption of system resources (not related to Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method.<\/p>\n<h2>A wide range of Minecraft server versions could be affected<\/h2>\n<p>While testing the impact of the malware, researchers found that the malware itself was hardcoded to target a specific version of Minecraft server, 1.12.2. However, all versions between 1.7.2 and 1.18.2 can be affected by this method of attack. 
There is a slight modification in the Minecraft protocol in server version 1.19, which was released earlier in 2022, that prevents the use of the Minecraft specific commands, the <em>ATTACK_MCCRASH<\/em>, <em>ATTACK_[MCBOT|MINE]<\/em> and <em>ATTACK_MCDATA<\/em>, without modification of the attack code.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"960\" height=\"561\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-6-distribution-of-minecraft-servers-by-version-1.png\" alt=\"A pie chart that presents the distribution of Minecraft servers based on their version.\" class=\"wp-image-125269\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-6-distribution-of-minecraft-servers-by-version-1.png 960w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-6-distribution-of-minecraft-servers-by-version-1-300x175.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-6-distribution-of-minecraft-servers-by-version-1-768x449.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\">Figure 6. Distribution of Minecraft servers by version<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"961\" height=\"598\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-7-distribution-of-minecraft-servers-that-could-be-affected-by-mccrash-1.png\" alt=\"A geographical map that presents the countries where Minecraft servers that can be affected by MCCrash are located. 
Countries with servers that can be affected are highlighted on the map in blue.\" class=\"wp-image-125270\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-7-distribution-of-minecraft-servers-that-could-be-affected-by-mccrash-1.png 961w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-7-distribution-of-minecraft-servers-that-could-be-affected-by-mccrash-1-300x187.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/12\/Figure-7-distribution-of-minecraft-servers-that-could-be-affected-by-mccrash-1-768x478.png 768w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><figcaption class=\"wp-element-caption\">Figure 7. Distribution of Minecraft servers that could be affected by MCCrash<\/figcaption><\/figure>\n<p>The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it had been specifically coded to affect versions beyond 1.12.2. The unique ability of this threat to recruit IoT devices, which are often not monitored, into the botnet substantially increases its impact and reduces its chances of being detected.<\/p>\n<h2>Protecting endpoints from cross-platform DDoS botnets like MCCrash<\/h2>\n<p>To harden devices and networks against threats like MCCrash, organizations must implement the basics to secure identities and their devices, including access limitation. 
Solutions must detect downloads of malicious programs and malicious attempts to gain access to SSH-enabled devices and generate alerts on anomalous network behavior.&nbsp;Below are some of our recommendations for organizations:<\/p>\n<ul>\n<li>Ensure employees are not downloading cracking tools, as these are abused as an infection source for spreading malware.<\/li>\n<\/ul>\n<ul>\n<li><strong>Increase network security<\/strong>&nbsp;by enforcing multi-factor authentication (MFA) methods such as Azure Active Directory (now part of Microsoft Entra) MFA. Enable&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/enable-network-protection?view=o365-worldwide\">network protection<\/a>&nbsp;to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n<p><a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a>&nbsp;protects against attacks related to botnets by coordinating threat data across identities, endpoints, cloud apps, email, and documents.&nbsp;Such cross-domain visibility allows&nbsp;Microsoft 365&nbsp;Defender to comprehensively detect and remediate end-to-end attack chains\u2014from malicious downloads to their follow-on activities in endpoints. 
This rich set of tools like&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/advanced-hunting-overview?view=o365-worldwide\">advanced hunting<\/a>&nbsp;lets defenders surface threats and gain insights for hardening networks against compromise.<\/li>\n<\/ul>\n<ul>\n<li><strong>Adopt a comprehensive IoT security solution&nbsp;<\/strong>such as&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-iot\">Microsoft Defender for IoT<\/a>&nbsp;to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM\/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender. Defender for IoT is updated regularly with indicators of compromise (IoCs) from threat research like the example described in this blog, alongside rules to detect malicious activity.\n<p>On the IoT device level:<\/p>\n<ul>\n<li>Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.<\/li>\n<li>Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.<\/li>\n<li>Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>For users hosting private Minecraft servers, update to version 1.19.1 or later.<\/li>\n<\/ul>\n<ul>\n<li><strong>Adopt a comprehensive Windows security solution<\/strong>\n<ul>\n<li>Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.<\/li>\n<\/ul>\n<ul>\n<li>For commercial customers, enable application and browser controls such as Microsoft Defender Application Guard for enhanced protection for Office and Edge.<\/li>\n<li>Perform timely cleanup of all unused and stale executables sitting on your organizations\u2019 
devices.<\/li>\n<li>Protect against advanced firmware attacks by enabling memory integrity, Secure Boot, and Trusted Platform Module 2.0, if not enabled by default, which hardens boot using capabilities built into modern CPUs.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Indicators of compromise (IOCs)<\/h2>\n<ul>\n<li>e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25 (KMSAuto++.exe)<\/li>\n<li>143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320 (W10DigitalActivation.exe)<\/li>\n<li>f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30 (dcloader.exe)<\/li>\n<li>4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f (updater.zip)<\/li>\n<li>eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382 (svchost<strong>s<\/strong>.exe)<\/li>\n<li>93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251 (fuse)<\/li>\n<li>202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1 (malicious.py)<\/li>\n<li>repo[.]ark-event[.]net<\/li>\n<\/ul>\n<h2>Detections<\/h2>\n<p><strong>Microsoft Defender Antivirus<\/strong><\/p>\n<p>Microsoft Defender Antivirus detects the malware used in this attack as the following:<\/p>\n<ul>\n<li>TrojanDownloader:MSIL\/MCCrash.NZM!MTB<\/li>\n<li>Trojan:Win32\/MCCrash.MA!MTB<\/li>\n<li>TrojanDownloader:Python\/MCCrash!MTB<\/li>\n<li>Trojan:Python\/MCCrash.A<\/li>\n<li>TrojanDownloader:Linux\/MCCrash!MTB<\/li>\n<li>Trojan:Python\/MCCrash.RPB!MTB<\/li>\n<li>Trojan:Python\/MCCrash.RPC!MTB<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for Endpoint<\/strong><strong><\/strong><\/p>\n<p>Microsoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:<\/p>\n<ul>\n<li>Emerging threat activity group DEV-1028 detected<\/li>\n<li>System file masquerade<\/li>\n<li>Anomaly detected in ASEP registry<\/li>\n<li>Suspicious process launched using cmd.exe<\/li>\n<li>Suspicious file launch<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for 
IoT<\/strong><\/p>\n<p>MCCrash-related activity on IoT devices would raise the following alerts in Microsoft Defender for IoT:<\/p>\n<ul>\n<li>Unauthorized&nbsp;SSH&nbsp;access<\/li>\n<li>Excessive login attempts<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for Cloud<\/strong><\/p>\n<p>Microsoft Defender for Cloud raises the following alert for related activity:<\/p>\n<ul>\n<li>VM_SuspectDownload<\/li>\n<\/ul>\n<h2>Advanced hunting queries<\/h2>\n<p>Run the following queries to search for related files, registry entries, and process launches in your environment:<\/p>\n<pre class=\"wp-block-preformatted\">DeviceFileEvents\n| where SHA256 in (\"e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25\",\"143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320\",\"f9c7dd489dd56e10c4e003e38428fe06097aca743cc878c09bf2bda235c73e30\",\"4e65ec5dee182070e7b59db5bb414e73fe87fd181b3fc95f28fe964bc84d2f1f\",\"eb57788fd2451b90d943a6a796ac5e79f0faf7151a62c1d07b744a351dcfa382\",\"93738314c07ea370434ac30dad6569c59a9307d8bbde0e6df9be9e2a7438a251\",\"202ac3d32871cb3bf91b7c49067bfc935fbc7f0499d357efead1e9f7f5fcb9d1\")\n\nDeviceFileEvents\n| where FolderPath endswith @\":\\windows\\svchost.exe\"\n\nDeviceRegistryEvents\n| where RegistryKey contains @\"CurrentVersion\\Run\"\n| where RegistryValueName == \"br\" or RegistryValueData contains \"svchost.exe\" or RegistryValueData contains \"svchosts.exe\"\n\nDeviceProcessEvents\n| where FileName in~ (\"cmd.exe\", \"powershell.exe\")\n| where ProcessCommandLine has_all (\"-command\", \".downloadfile(\", \"windows\/svchost.exe\")<\/pre>\n<p><strong><em>David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon<\/em><\/strong><em>, Microsoft Defender for IoT Research Team<\/em><\/p>\n<p><strong><em>Ross Bevington<\/em><\/strong><em>, Microsoft Threat Intelligence Center (MSTIC)<\/em><\/p>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/12\/15\/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers\/\">MCCrash: Cross-platform DDoS botnet targets private Minecraft servers<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/12\/15\/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Thu, 15 Dec 2022 18:00:00 +0000<\/strong><\/p>\n<p>The Microsoft Defender for IoT research team analyzed a cross-platform botnet that infects both Windows and Linux systems from PCs to IoT devices, to launch distributed denial of service (DDoS) attacks against private Minecraft servers.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/12\/15\/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers\/\">MCCrash: Cross-platform DDoS botnet targets private Minecraft servers<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security 
Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500,16861,10496,22453],"class_list":["post-20822","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity","tag-iot-security","tag-linux","tag-microsoft-security-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20822","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20822"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20822\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20822"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20822"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}