We have seen a rapid proliferation of Linux malware/botnets in recent years. While it's not uncommon at all to find that many of them were actually created by script kiddies with easily obtained malware kits (e.g. Mirai and Gafgyt source code), over 50% of them, according to our data, were from a relatively small number of professional actors who have persistence in operating Linux botnets. Compared with script kiddies, they usually have more resources and are more skilful, thus worthy of more attention.
The keksec group is one such threat actor. It became known for building the Necro/Freakout botnet early this year. Further digging shows that it has a long history of running DDoS botnets, with the first one traced back to 2016. It’s interesting that the keksec group was very open in showing off their attacking activities. For example, they used to publicize their invasion of a public billboard on social media. They also created an open directory in pastebin.com to hold their source and attack tools. As a result, the open information has helped us summarize the high-profile group as follows:
- keksec group was created in 2016 by a few experienced botnet actors.
- They preferred DDoS and miner types of botnets.
- They had a rich set of popular botnet kits targeting both Windows and Linux machines.
For unknown reasons, the group kept silent for a period of time in 2020. Our data shows that their hacking activities were not resumed until August 2020. Nearly 20 botnet campaigns have been detected by us after that time. Detailed studies have been carried on the collected data in terms of samples, exploits and C2 servers. With the help of passive DNS some interesting results were obtained, which make us believe that it is possible to depict the big picture of keksec botnets since August 2020. We think the analysis will help to better detect and mitigate against future botnet threats from keksec.
Some preliminary findings (more details to be added later):
Got a question about this presentation? To get in touch with the speakers, contact Ye Jin on Twitter at @SethKingHi.
- Whether keksec attacked both Linux and Windows machines. What vulnerabilities were exploited.
- How 1-day exploits were used by keksec.
- What botnet families have been built by keksec.
- Whether keksec reused code instead of writing from scratch.
- How IRC protocol was reused across different botnet families and variants.
- What patterns exist in keksec sample delivering and updating.
- How DGA and Tor mechanisms were used to hide the real C2s.
- What set of C2 infrastructure was owned by this group.