A new botnet has been detected which could have potentially affected over a million web users in the last 12 months.
The Kroxxu botnet currently has its grip on around 100,000 web domains and has been spreading password-stealing malware whilst covering its tracks extremely effectively, avast! Virus Lab found.
The surreptitious nature of the botnet meant researchers were unable to determine how the masterminds had monetised the operation.
"There are a number of ways they could be supporting themselves," said Jiri Sejtko, head of virus research at the avast! Virus Lab.
"The four most likely methods are through selling hacked space on infected servers, use of this malware to support the activities of other, more directly profitable malware, selling stolen credentials, or using keyloggers to spread other spam."
Kroxxu differs from traditional botnets, as its expansion has been achieved solely through infected websites.
It's owners gained passwords to take control of websites, before making alterations to the site's content in order to upload and modify files on infected servers, avast! explained.
The operators then spread the botnet to other servers across the world.
Kroxxu has used redirectors in order to make it difficult to track the botnet's activities. The security company estimated over 10,000 redirectors had been employed by Kroxxu over the last year.
The malicious network also used alterable components, as each layer of the botnet performs a specific task, giving it greater flexibility.
"Kroxxu's indirect cross infections are based on the fact that all parts [are] equal and interchangeable," explained Sejtko.
"If one part is used as an initial redirector, it may also be used as a final distribution part at the same or even a different time. This gives it an enormous range of designed-in duplicity."
Kroxxu could spread to gain much more traction, avast! said. URL blocking engines may struggle to differentiate between standard malware distribution domains run by the malware authors and hacked zombie domains like those controlled by Kroxxu, the security firm explained.
There have been a number of successful botnet takedowns this year, which led to a drop in spam in the last quarter.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
-
Ukraine's vigilante IT army now has a DDoS bot to automate attacks against RussiaNews The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders
-
Microsoft's secure VBA macro rules already being bypassed by hackersNews Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware
-
Emotet infrastructure has almost doubled since resurgence was confirmed
News Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilient operation
