Keksec Cybergang Debuts Simps Botnet for Gaming DDoS

Keksec Cybergang Simps Botnet

The newly discovered malware infects IoT devices in tandem with the prolific Gafgyt botnet, using known security vulnerabilities.

A recently developed botnet named “Simps” has emerged from the cyber-underground to carry out distributed denial-of-service (DDoS) attacks on gaming targets and others, using internet of things (IoT) nodes. It’s part of the toolset used by the Keksec cybercrime group, researchers said.

According to the Uptycs’ threat research team, Simps was first seen in April being dropped on IoT devices by the Gafgyt botnet. Gafgyt (a.k.a. Bashlite) is a Linux-based botnet that was first uncovered in 2014. It targets vulnerable IoT devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale DDoS attacks and download next-stage payloads to infected machines. It recently added new exploits for initial compromise, for Huawei, Realtek and Dasan GPON devices.

In the current campaign, Gafgyt infects Realtek (CVE-2014-8361) and Linksys endpoints, and then fetches Simps. Simps itself then uses Mirai and Gafgyt modules for DDoS functionality, according to the analysis, released on Wednesday.

Another variant of the attack uses shell scripts for downloading Simps.

YouTube, Discord Simps Discussions
The shell script and Gafgyt can deploy various next-stage Simps payloads for several Linux-based architectures, researchers noted, using the Wget utility. Wget is a legitimate software package for retrieving files from web servers using HTTP, HTTPS, FTP and FTPSa.

Once the Simps binary executes, it drops a log file that records the fact that the target device is infected, and connects to the command-and-control server (C2).

The infection logs share commonalities, which allowed the researchers to search for references to them across the broader web. This led to the discovery that the Simps author maintains a YouTube channel to offer demonstrations of the botnet’s functionality, and a Discord server to host discussions about the malware.

“The botnet might be in the early stages of development because of the presence of the log file after execution,” researchers said, noting that leaving behind an easily discoverable artifact like that isn’t best practice for those trying to stay under the radar.

In any event, they identified a YouTube video created by a user named “itz UR0A,” entitled “Simps Botnet😈, Slamming!!!” – dating from April 24.

The YouTube link also contained a Discord server link for “UR0A”, which was also present in the infection log, the analysis found.

“The Discord server contained several discussions around DDoS activities and botnets carrying different names,” researchers noted. “One binary we identified in a chat conversation named gay.x86 displayed a message that ‘the system is pawned by md5hashguy.’”

Attribution to Keksec
Thanks to certain Discord server messages, Uptycs attributed the activity to the Keksec group (a.k.a. Kek Security), which is a prolific threat group known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, and custom Python malware).

It’s constantly adding to its arsenal; in January, it was seen deploying the FreakOut Linux botnet malware, which does port scanning, information gathering, and data packet and network sniffing, along with DDoS and cryptomining.

“The group is actively constructing IRC botnets for the purposes of DDoS operations and cryptojacking campaigns using both Doge and Monero,” according to a recent Lacework analysis of the group.

As evidence for Simps attribution, Uptycs discovered that one of the Discord messages contained a Gafgyt malware sample that contained an “Infected By Simps Botnet ;)” message.

“This malware dropped a file named ‘keksec.infected.you.log,’ that contained a message ‘you’ve been infected by urmommy, thanks for joining keksec.”

Also, Gafgyt is one of Keksec’s most-favored tools, according to past analysis, and the group is known for mashing up its code with other binaries to create Franken-malware. For instance, Keksec also operates HybridMQ-keksec, a botnet created by combining and modifying the source code of Mirai and Gafgyt, Uptycs pointed out.

In the case of Simps, the binaries notably contain modules for launching DDoS attacks against gaming platforms like the Valve Source Engine and OVH. These were also seen in a variant of Gafgyt used by Keksec that targeted Huawei and Asus routers and killed its rival IoT botnets.

Source: threatpost.com