Cayosin Botnet: a deeper look at this threat supported by the psychological profile of the “youngsters-wannabe-hackers” Rolex boasters
Botnet-as-a-service business and coding on the dark side of life: “At this point of my life… if it doesn’t make me money, I don’t make time for it”, states the picture below.
Elsewhere the same threat actor makes an even more blatant statement, in a sentence that reads: “I am not scared by the death, I am scared more to not live a pleasant life.”
This is the “new” motto of those youngsters-wannabe-hackers: botnet providers, sellers, coders, “boaters” driving through the night with a laptop always connected beside them. In the imaginary world of a teen, the adult world becomes a violent jungle dominated by the dark colours of a delusion of omnipotence. Botnets, packet flooding, bots, attack power: “I don’t care how many and what bots I have, all I care is only to have stable stress power”.
It is in this psychedelic context that the Cayosin botnet saw the light and has, for the first time, been reversed and analyzed (the report is here) by “unixfreaxjp” of the MalwareMustDie team.
The analysis is insightful and clear: the reversed samples carry many traces of a collection of attacks that lead back to a collection of different source codes.
One of them is
From unixfreaxjp’s analysis of the Cayosin binary we can see that the core of the artifact is the “integration” of several botnet source codes, as is also well documented by the now-deleted Instagram profile of the 13-year-old scriptbots/unholdable, who implemented this botnet. The STD attack, Tsunami and Christmas DDoS attacks were adapted from the Kaiten botnet, with further flood combinations taken from Qbot/Lizkebab/Torlus/Gafgyt variants: multiple attack methods, integrating multiple source codes in the same artifact, offered “as a service” to other teens or threat actors and sold offhandedly on Instagram. From the Mirai source code Cayosin took the table scheme used to hide the strings the botnet relies on when attacking the login credentials of vulnerable telnet accounts on known IoT devices, along with other Mirai functionality. Evidently the coder did not update many of the C2 features, which explains why the base protocol of the botnet is still built on the Qbot/Torlus basis.
A ready-to-use botnet build sold for $20 a month, “full options” on sale with an expiry token and functionality able to ban the users who did not renew the expired “licence”.
The combination of several capabilities in the botnet has also been well documented by the PERCH Security Threat Report, which published a report on it confirming the combination of these functionalities in Cayosin, along with a deeper OSINT investigation of the threat’s source.
The PERCH report states: “Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference”, like the GPON attack that was documented on the crew’s Instagram profile, so openly that an external observer could easily follow the day-by-day discovery of new exploits and methods, which were then implemented in the malware to enrich the harmful capability of the new “product”.
They candidly state this in their Instagram
Stories: “New Methods, DM me if you want to know more.”
PERCH has understood it well; in fact it writes: “This is not the team’s first tool. They have created a few along the
way like Summit, Tragic, and about a dozen others. You
can learn more about these tools by following the various Instagram accounts of
the crew. They seem interested in building tools to DDoS and boast about taking
down services with OVH, Choopa, NFO – and if the hype is real, maybe even
Rocket League servers.”
At this point it cannot be excluded that Cayosin is only an evolution of many other botnets made by the same threat actor (or crew), and in particular of the botnet named Messiah. Below is the advertisement of the Messiah botnet with its features, which recall the Cayosin botnet capabilities. Check the following exclusive image:
- Features: Admin of accounts, Add user
commands, Kick user commands, Full chat, On line user list, Bot limits for
account, Full bot type list, Port Scanner and Resolver
- Methods: Reg UDP, Reg TCP, STD Hex, CNC Flood, Stomp Flood, Xmas and VSE
- Replication Exploits: GPON, Telnet, Realtek, Tr064, Huawai
What we learn from the evolution of botnets is the adaptation of source codes: once one bad-actor coder starts to implement something different and other coders find it useful, they
The conclusion is given by the MalwareMustDie team, the group we all know for their years-long struggle against botnet coders, through their public tweet showing how this situation can be summarized by a simple fact: “Money”. The veteran DDoS botnet hackers are facilitating frameworks for surviving on the DDoS ELF IoT botnet as the income engine: from coordination to each type of coder, linking DDoS-as-a-Service sites (known as
In the end, this is all about the money circulation scheme that fuels the existence of the IoT botnets, their coders, their
*) boaters: those who use the rented botnet
*) herders: those who herd the botnet
*) stressers or bruters: the front end of DDoS-as-a-Service sites
The post Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem appeared first on Security Affairs.