BuleHero Botnet Description
BuleHero is a botnet that uses a number of lateral movement modules to install the XMRig miner and the Gh0st RAT. In-depth research into the malware revealed that BuleHero used Swpuhostd.exe to download a port-scanning tool so the botnet could scan for exposed and vulnerable computers connected to the network. Researchers discovered that the threat sequentially scanned for IP addresses with ports 80 and 3389 open, and saved the results into a Results.txt file.
It then passed those passwords to PsExec and WMIC, tools that helped the malware spread to other computers on the same network. The BuleHero botnet is not the only recently discovered threat known for using lateral movement to spread across a network and infect other computers. Security analysts can help their organizations defend against the BuleHero botnet by leveraging user behavior analytics (UBA) to identify behaviors that could indicate malicious activity on the network.
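The behavior described above, a single host walking through IP addresses in order and probing ports 80 and 3389 on each, is exactly the kind of pattern a behavior-analytics rule can surface. The following is an added example, not code from the original write-up or from any vendor product: it parses a constructed sample of connection-log lines, groups connections to the two scanned ports by source host, and flags any source that touches many distinct destinations within a short window, noting whether the destinations were visited in ascending order. The log format, the thresholds (`min_targets`, `window_seconds`) and the sample addresses are all assumptions made for the example.

```python
"""Flag hosts that sequentially probe ports 80 and 3389 across many addresses.

Added example for detection purposes. The log format and thresholds are
assumptions; the sample log below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample connection log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 walks 10.0.1.1 .. 10.0.1.6 in order, hitting 80 and 3389 on each.
# 10.0.0.9 is ordinary traffic and should not be flagged.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.1.1 80
2024-01-01T10:00:00 10.0.0.5 10.0.1.1 3389
2024-01-01T10:00:01 10.0.0.5 10.0.1.2 80
2024-01-01T10:00:01 10.0.0.5 10.0.1.2 3389
2024-01-01T10:00:02 10.0.0.5 10.0.1.3 80
2024-01-01T10:00:02 10.0.0.5 10.0.1.3 3389
2024-01-01T10:00:03 10.0.0.5 10.0.1.4 80
2024-01-01T10:00:03 10.0.0.5 10.0.1.4 3389
2024-01-01T10:00:04 10.0.0.5 10.0.1.5 80
2024-01-01T10:00:04 10.0.0.5 10.0.1.5 3389
2024-01-01T10:00:05 10.0.0.5 10.0.1.6 80
2024-01-01T10:00:10 10.0.0.9 10.0.1.20 443
2024-01-01T10:05:00 10.0.0.9 10.0.1.21 80
"""

# Ports the write-up says the botnet scans for (assumed to be the only ones of interest here).
SCAN_PORTS = {80, 3389}


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_scanners(events, min_targets=5, window_seconds=60):
    """Return {src_ip: summary} for sources that reach at least min_targets
    distinct destination IPs on SCAN_PORTS within window_seconds.

    The summary records the largest such window seen: number of distinct
    targets, the ports used, and whether the targets were visited in strictly
    ascending address order (a sequential sweep, as described for BuleHero).
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SCAN_PORTS:
            per_src[src].append((ts, dst, port))

    findings = {}
    for src, hits in per_src.items():
        hits.sort()  # time order; ties broken by destination then port
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window = hits[start:end + 1]
            targets = []  # distinct destinations in first-seen order
            for _, dst, _ in window:
                if dst not in targets:
                    targets.append(dst)
            if len(targets) < min_targets:
                continue
            if src in findings and findings[src]["targets"] >= len(targets):
                continue
            addrs = [int(ipaddress.ip_address(t)) for t in targets]
            findings[src] = {
                "targets": len(targets),
                "ports": sorted({p for _, _, p in window}),
                "sequential": all(b > a for a, b in zip(addrs, addrs[1:])),
            }
    return findings


if __name__ == "__main__":
    for src, summary in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {summary}")
```

On the constructed log this flags only 10.0.0.5, reporting six distinct targets on ports 80 and 3389 visited in ascending order. In a real deployment the thresholds would be tuned per environment, and the `sequential` flag is what separates a sweep like this one from a host that legitimately talks to many web or RDP servers in no particular order.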