Portion of a malicious program that steals the processing power of a victim’s machine to mine cryptocurrency for the attacker.

This binary has been captured by other Cowrie Honeypot operators, but is not currently recognized by VirusTotal’s detection service. It bears striking visual similarity to Coinminer samples in places, but the only way to really find out what it is would be to open it in a virtual environment and reverse engineer it’s inner workings.

This highly regular pattern comes from a section of a Linux Downloader Trojan horse. Trojans are applications that masquerade as legitimate services, but perform nefarious things behind the scenes. Downloaders like this one typically are the first stage of a multi stage attack and allows an attacker to download additional tools and malware.

This Linux Trojan horse enlists the victim’s machine in a large DDoS botnet. The Trojan appears to run as a legitimate service, while giving an attacker the ability to launch attacks from the victim’s machine. Distributed Denial of Service attacks involve the use of large networks of bot computers (botnet) to generate massive amounts of bogus requests targeting a server. If that server is hosting a website, it could be flooded with so many requests that the website goes offline.

The infamous ransomware cryptoworm that leveraged leaked NSA cyberweapons to propagate to over 200,000 computers in less than 24 hours without the need for any kind of user interaction. Ransomware encrypts data on a victim’s machine, locking them out of access to their files. A lock screen displays information about how to send funds (generally cryptocurrency) to the attackers in order to unlock the files. It’s believed that North Korea developed the worm and paired it with exploits that were stolen from the NSA and leaked by a group calling themselves The Shadow Brokers. This sample was captured on exposed SMB services, so merely connecting a poorly secured device running this service to the internet could lead to an attack within minutes!

This Linux Trojan horse enlists the victim’s machine in a large DDoS botnet. The Trojan appears to run as a legitimate service, while giving an attacker the ability to launch attacks from the victim’s machine. Distributed Denial of Service attacks involve the use of large networks of bot computers (botnet) to generate massive amounts of bogus requests targeting a server. If that server is hosting a website, it could be flooded with so many requests that the website goes offline.