Attack Resources Shared by New LeetHozer Botnet and Moobot Malware

Security researchers discovered that the new LeetHozer botnet shares some attack resources with the Moobot malware family.

The Network Research Lab at 360 found that the LeetHozer botnet had borrowed from the reporter and loader mechanism employed by Mirai. But this threat differed from other Mirai variations in that it made significant changes to the encryption method, bot program and command-and-control (C&C) communication protocol. It also employed the same downloader as well as a unique string in its vulnerability exploitation efforts as Moobot. In response to this observation, researchers posited that LeetHozer likely originated from the same organization or attacker responsible for creating Moobot.

The researchers found that the botnet began by exploiting a vulnerability to start the telnetd service in a targeted device. It then used the default password to log into the device. Upon completing this infection process, LeetHozer sent the device’s information to its reporter mechanism, reached out to its C&C server and waited for instructions to begin conducting a distributed denial-of-service (DDoS) attack.

A Look at Moobot’s Emergence

Moobot has been involved in various attack campaigns since its discovery by the Network Research Lab at 360 in September 2019. In March 2020, for instance, the security firm’s detection systems flagged various threat groups abusing zero-day vulnerabilities in LILIN DVR devices to distribute the malware. It was just a month later when the researchers at 360 revealed that they had spotted Moobot abusing another zero-day security flaw as part of its exploit attempts to target fiber routers.

Defend Against the LeetHozer Botnet’s DDoS Attacks

Security professionals can help their organizations defend against DDoS attacks launched by the LeetHozer botnet and other threats like it by developing a robust incident response plan. They can then use this strategy to ensure that their organization’s backup services start up when an attack begins targeting the network. In addition, they should use solutions powered by artificial intelligence (AI) to help determine when an attack is underway.