MasterMana Botnet Description
The MasterMana botnet was first spotted at the end of 2018. Since then, malware researchers have estimated that about 3,000 systems have fallen victim to it. Having operated for that long, one might expect the MasterMana botnet to consist of a far greater number of compromised systems. The campaign is no less serious for its size, however, because the attackers use capable RATs (Remote Access Trojans) that give them almost complete control over a compromised system.
The operators of the MasterMana botnet deliver the threat through spam emails carrying malicious '.DLL' attachments. They do not appear to go after home users; they target companies instead. The delivery method is phishing: social engineering designed to make the recipient do what the attackers want, in this case open the attachment. In the MasterMana campaign the emails sent to targeted businesses are tailored to each of them specifically, which is what distinguishes spear phishing from generic spam.
Setting Up the MasterMana Botnet Cost Less than $200
Cybersecurity experts assess that the crooks behind the MasterMana botnet spent very little money setting up their operation. They use two Trojans, AZORult and RevengeRAT, which together cost about $100, and rent VPS (Virtual Private Servers) for no more than $60.
The Two RATs Employed in the Campaign
AZORult is a backdoor Trojan that can be classified as spyware: it collects login credentials, cookies, browser history and even cryptocurrency wallets. RevengeRAT is often used as a first-stage payload that paves the way for the attackers to plant additional malware on the targeted host; it can also collect information about the host and execute remote commands.
Does not Rely on a Dedicated C&C Server
Most botnet operators control their bots through remote C&C (Command & Control) servers they run themselves. The MasterMana operators instead host their content on legitimate services: Pastebin, Blogspot and Bitly. When the MasterMana loader compromises a host, it fetches the corrupted payload from one of these platforms, decrypts it, and executes it on the host. Because those domains carry large volumes of legitimate traffic, blocking them outright is rarely an option and the retrieval stage blends in at the network perimeter; the more reliable signal is which process on the endpoint made the request.
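A detection that the retrieval stage described above invites, as an added example that is not part of the original article: flag any process other than a browser that resolves the payload-hosting services. The Python below assumes a simplified tab-separated DNS-query log (timestamp, host, requesting process image, queried name), roughly what Sysmon Event ID 22 provides; the log lines, the process allow-list and high-risk list, and the domain list are constructed for illustration.

```python
"""Endpoint-side detection of payload staging on legitimate web services.

Added example, not code from the original article or from the MasterMana
operators. It assumes a simplified, tab-separated DNS-query log with one
event per line (timestamp, host, requesting process image, queried name),
roughly what Sysmon Event ID 22 provides. All log lines below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Services the article names as payload hosts. Parent domains only; the
# suffix match below also catches subdomains such as raw.pastebin.com.
STAGING_DOMAINS = ("pastebin.com", "blogspot.com", "bit.ly")

# Processes for which contacting these services is normal (assumption: tune
# this allow-list per environment).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Processes for which a paste-site fetch is a strong sign of a malicious
# document or a living-off-the-land loader (assumed list).
HIGH_RISK_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
}


@dataclass
class Alert:
    ts: str
    host: str
    image: str
    query: str
    severity: str


def staging_domain(query: str) -> Optional[str]:
    """Return the matching staging domain, or None.

    Matches the domain itself or any subdomain of it, never a superstring
    (so 'notpastebin.com' does not match 'pastebin.com').
    """
    q = query.lower().rstrip(".")
    for domain in STAGING_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def parse_line(line: str):
    """Split one tab-separated event; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, host, image_path, query = parts
    # Keep only the executable name; install paths differ between hosts.
    image = image_path.rsplit("\\", 1)[-1].lower()
    return ts, host, image, query


def analyze(lines) -> List[Alert]:
    """Flag non-browser processes resolving the payload-staging services."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, image, query = parsed
        if staging_domain(query) is None or image in BROWSERS:
            continue
        severity = "high" if image in HIGH_RISK_IMAGES else "medium"
        alerts.append(Alert(ts, host, image, query, severity))
    return alerts


def _event(ts, image_path, query, host="ws-17"):
    return "\t".join([ts, host, image_path, query])


# Constructed sample log: a benign update check, a browser visit to
# Pastebin, then a Word process and two LOLBins fetching from the staging
# services, plus a malformed line and a look-alike domain.
SAMPLE_LOG = [
    _event("2019-09-30T09:12:01Z", r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com"),
    _event("2019-09-30T09:12:05Z", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pastebin.com"),
    _event("2019-09-30T09:13:40Z", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "pastebin.com"),
    _event("2019-09-30T09:13:42Z", r"C:\Windows\System32\rundll32.exe", "bit.ly"),
    _event("2019-09-30T09:13:44Z", r"C:\Windows\explorer.exe", "lookingglass.blogspot.com"),
    "garbage line without tabs",
    _event("2019-09-30T09:15:00Z", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "notpastebin.com"),
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.host} {a.image} -> {a.query}")
```

Running it prints three alerts from the sample log: the Word and rundll32 requests rate high, the explorer.exe request medium, while the browser visit and the look-alike domain notpastebin.com are deliberately not matched. In production this logic belongs in a SIEM rule keyed on the process image rather than on the destination alone, and both process lists are starting points to be tuned per environment.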
It is not known how much money the operators of the MasterMana botnet have made, but since they target businesses, it is likely that they have done well for themselves. Many companies underestimate the importance of cybersecurity, and a growing number of them pay the price for that negligence.