Huge Botnet Built Using Cloud Services

Walden Systems Geeks Corner News

A cybercrime gang known as the DoubleGun Group has been disrupted. It controlled thousands of bots through public cloud services, including Alibaba Cloud and Baidu Tieba. Researchers at 360 Netlab noticed DNS activity in their telemetry that traced back to a suspicious domain, pro.csocools[dot]com, which was controlling a large number of infected Windows devices. Analysis of the operation's command-and-control infrastructure and of the malware used to build the botnet attributed the effort to a known threat group, DoubleGun, also known as ShuangQiang.

The latest campaign spread malware through portals for pirated, private-server games. The gang used Alibaba Cloud storage and Baidu Tieba, China's largest online community, to host configuration files, and URLs hosted on Tencent Weiyun to manage the infected hosts. The campaign tricks players of these private-server games into installing game-launching software that contains malicious code. Clicking the download link leads to the corresponding private server's homepage, where users are offered what is supposedly a game-launching patch. When the user installs and launches the fake patch, the malicious code contacts the configuration server, then downloads and dynamically loads the latest version of the malicious program, named cs.dll, from Baidu Tieba.


The file cs.dll is hidden in image files hosted on Baidu Tieba: each image carries ordinary image data plus the malicious code. Key strings in cs.dll are encrypted with a modified, customized DES routine similar to the one seen in earlier DoubleGun samples. cs.dll performs some simple anti-antivirus countermeasures and abuses the Baidu statistics (analytics) service to report bot information to the C2. It generates a bot ID for the host with system APIs and writes it to the registry under SOFTWARE\PCID.
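The page says each Tieba-hosted image contains separate image data and malicious code. A quick triage check for that pattern is to parse the image up to its real end marker (the PNG IEND chunk or the JPEG EOI marker) and look at whatever follows. The script below is an added example written for this page, not code from 360 Netlab, Baidu or the DoubleGun samples; it assumes the payload is simply appended after the image's end marker (the page does not describe DoubleGun's exact packing), and the sample images and the inert `MZ` stub it scans are constructed inline.

```python
"""Carve data appended after an image's end marker (PNG IEND / JPEG EOI).

Added example for this page; not code from 360 Netlab, Baidu or DoubleGun.
Sample images and the inert 'MZ' stub below are constructed inline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk's CRC, or -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        chunk_end = pos + 8 + length + 4          # length + type + payload + CRC
        if chunk_end > len(data):
            return -1                             # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return -1                                     # no IEND chunk found


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past EOI, walking segments so an FFD9 inside an APP1
    thumbnail or inside entropy-coded scan data is not taken as the end."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1                             # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                              # stand-alone markers, no length
            continue
        if pos + 4 > len(data):
            return -1
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:                        # SOS: skip entropy-coded bytes
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # real marker, not stuffing/RSTn
                pos += 1
    return -1


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Report how many bytes trail the image and whether they start a PE file."""
    end = png_end_offset(data)
    if end < 0:
        end = jpeg_end_offset(data)
    if end < 0:
        return {"image": False}
    trailer = data[end:]
    return {"image": True, "image_end": end, "trailer_len": len(trailer),
            "pe_in_trailer": looks_like_pe(trailer)}


# --- constructed samples (not real DoubleGun artefacts) ---------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")             # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_minimal_jpeg() -> bytes:
    """Structurally valid JPEG skeleton: SOI, APP0, SOS, stuffed scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"        # FF00 stuffing and an RST0 marker inside the scan
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def build_fake_pe_stub() -> bytes:
    """Inert DOS header + PE signature, standing in for an appended DLL."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for name, img in (("png", build_minimal_png()), ("jpeg", build_minimal_jpeg())):
        print(name, "clean:", scan_image(img))
        print(name, "with appended payload:", scan_image(img + build_fake_pe_stub()))
```

Run it on a directory of downloaded images and treat any non-zero `trailer_len` as worth a second look; a trailer that starts with a PE header is the strong signal, but an encrypted or obfuscated payload would only show up as unexplained trailing bytes, so the size alone is the useful hunting indicator.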

Once the malware is installed, the attackers can hijack system processes and download further malicious programs. The DLL obtains information about the configuration server by calling into drivers, and, according to the downloaded configuration, fetches additional malicious code from Baidu Tieba to carry out the next stage. Based on this intelligence, Baidu Security's anti-underground-economy platform measured the botnet's infection footprint, issued risk warnings to infected users and blocked all of the malware downloads. Through the joint effort, Baidu gained a better understanding of the DoubleGun gang's techniques, logic and rules.