CoalaBot

By GoldSparrow in Malware

The CoalaBot malware is a Trojan that is deployed to endpoint devices via Trojan-Downloaders and exploit kits. The CoalaBot Trojan functions as a proxy that sends data requests to sites, RDP ports and servers without the knowledge of the infected user. CoalaBot may run on compromised machines as cla.exe and use encrypted network channels to cover its Web traffic. Malware researchers discovered that the CoalaBot Trojan is offered for sale on Dark Web forums. The creators of CoalaBot offer the current builds for 300 USD, and interested parties are required to pay 20 USD more for future updates. The CoalaBot Trojan is promoted by a person using the online tag 'Discomrade', who claims that CoalaBot can bypass DDoS protection from companies like Cloudflare, Incapsula, SUCURI, MYRA and AWS Shield. Computer security researchers reported that the CoalaBot malware supports the following types of DDoS attacks:

  • ICMP (PING) flood
  • UDP Flood
  • TCP Flood
  • HTTP ARME
  • HTTP GET
  • HTTP POST
  • HTTP SLOWLORIS
  • HTTP Pulse Wave

The malware payload is reported to be just under 100kb after obfuscation and to support a low CPU mode by default. The threat is advertised as encrypting incoming and outgoing data transmissions and as offering a single build for several network gateways. CoalaBot comes with a Web panel to track infected devices, issue commands and send updates. The CoalaBot Web panel allows threat actors to see the time machines remain online, their underlying architecture, and the number of requests per session. Additionally, cybercriminals can organize compromised computers into groups and delegate tasks. An interesting feature to note is that CoalaBot supports TOR gateways, which helps hide the origin of the DDoS attacks. Website owners, server administrators, and network managers are advised to maintain backup servers and follow reliable anti-DDoS practices. PC users who may be infected with the CoalaBot Trojan might notice strange network requests and security notifications from Web filtering services.
