Botconf 2025

20th - 23rd May 2025, Angers

Last year: 450 participants from 30 countries all over the world

28 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!

[Image: Botconf 2025 poster]

Registration

  • The main conference takes place from 21st to 23rd May 2025
  • Workshops are on 20th May; you will need to purchase additional tickets (to be made available as soon as we confirm the speakers)
  • Early bird tickets are limited in number and are offered on a first come, first served basis
  • If you want to invite a guest to the Gala reception on Thursday 22nd, please purchase an optional Gala ticket

Schedule (to be announced)


TLP:CLEAR
Gorillabot goes Bananas
Dario Ferrero 🗣 | Maarten Weyns 🗣 | Harm Griffioen

Abstract

The past decade has seen the proliferation of botnets that propagate by scanning the Internet for vulnerable devices. This spread has been fueled by the poor adoption of security practices in IoT devices, such as weak default passwords and sporadic software updates, as well as by the popularization of tools for fast scanning of the entire IPv4 address space. The capabilities of this threat have been showcased multiple times, in particular through Distributed Denial of Service (DDoS) attacks aimed at major institutions such as news outlets and DNS providers. With the public release of the Mirai source code in 2016, the popularity of botnets reached a new peak, leading to the appearance of a vast number of more or less successful malware variants based on the original. In an Internet landscape still largely populated by vulnerable devices, it is therefore critical for security practitioners to keep up with the latest developments in botnets, together with the Tactics, Techniques and Procedures they might introduce.

With this presentation, we outline a months-long study of the Gorilla botnet that combines the deployment of IoT honeypots, monitoring of live samples in a sandboxed environment, and analysis of Internet scans collected in a large darknet. We show the targets of the attacks and the potential attack sizes, and investigate the behavior of targets under attack. The victimization pattern of this botnet shows how a DDoS-as-a-Service is used and what the common targets of such networks are. The sheer number of DDoS attacks performed by this network is staggering, and we aim to investigate whether these attacks are successful.

During the presentation, we will outline the datasets we use to track the Gorilla botnet's operations and share key insights learned from the DDoS attacks performed by clients of the botnet. The presentation focuses on tracking the botnet and its attacks, and on estimating the impact of those attacks.


TLP:CLEAR
Tricky obfuscation techniques for C2 communication? Just detect them all!
Kseniia Naumova 🗣

Abstract

Today most malware and botnets use network communication for tasks such as downloading malicious files, sending stolen data, receiving commands from the C2, etc. Researchers worldwide analyze millions of network traffic streams daily in search of potential anomalies (in other words, suspicious communications). Nevertheless, attackers have long used various techniques not only to obfuscate the malware itself, making reverse engineering more difficult, but also to hide C2 communication. Backdoors, bankers, botnets, loaders, spyware, stealers, RATs… it has become harder to detect them on the network: some use encryption, others custom protocols, and others still different obfuscation techniques. However, the main advantage of the network is that, despite the attackers' attempts to hide in it, their presence does not disappear, which means it can be detected. The question is: how?

During this session, you will learn why DNS tunneling gives itself away, why symmetric encryption is not a barrier to detection, how to deal with fragmentation using rules, the main disadvantages of steganography in network traffic, and why TLS encryption will no longer save cybercriminals.

In this presentation I will talk about these and other techniques most frequently used in the current malware ecosystem and by known APT groups, and provide various detection methods that actually work, from the possibilities of Suricata rules to fuzzy hashes and scripting modules, to detect them all!
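The abstract above says DNS tunneling "gives itself away" without spelling out how. The following is an added example, not code from the talk or its author, showing the kind of heuristic a defender can run over DNS query logs: tunnels typically produce long, high-entropy subdomain labels, lean on record types such as TXT or NULL, and generate many unique hostnames under one zone. The log format, the sample lines and the thresholds are all constructed for this example; the registered-domain split (last two labels) is a simplification that a production detector would replace with a public-suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<epoch> <client> <qtype> <qname>".
# The three example.net queries imitate a tunnel: two 32-hex-char labels per name,
# each label containing every hex digit exactly twice (entropy 4.0 bits/char).
SAMPLE_LOG = """\
1716200000.101 10.0.0.5 A www.example.com
1716200000.204 10.0.0.5 A cdn.example.com
1716200000.310 10.0.0.9 TXT 0123456789abcdeffedcba9876543210.13579bdf02468aceace02468bdf13579.example.net
1716200000.412 10.0.0.9 TXT fedcba98765432100123456789abcdef.ace02468bdf1357913579bdf02468ace.example.net
1716200000.515 10.0.0.9 TXT 13579bdf02468aceace02468bdf13579.0123456789abcdeffedcba9876543210.example.net
1716200000.620 10.0.0.5 A mail.example.com
1716200000.722 10.0.0.7 A static.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (host part, zone). Assumes the zone is the last two
    labels; a real detector would use a public-suffix list (e.g. for co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qtype, qname):
    """Score one query: points for a long host part, high entropy, and a record
    type that ordinary client lookups rarely use. Returns (score, reasons)."""
    host, _zone = split_name(qname)
    payload = host.replace(".", "")
    score, reasons = 0, []
    if len(payload) >= 30:
        score += 2
        reasons.append("long host part")
    if shannon_entropy(payload) >= 3.5:
        score += 2
        reasons.append("high entropy")
    if qtype in ("TXT", "NULL") and host:
        score += 1
        reasons.append(f"{qtype} query with data in the name")
    return score, reasons


def detect_tunneling(log_text, query_threshold=3, min_unique_hosts=3):
    """Aggregate per zone and flag zones that receive several suspicious queries
    for several distinct hostnames. Returns {zone: summary} for flagged zones."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        qtype, qname = m["qtype"], m["qname"]
        host, zone = split_name(qname)
        entry = stats[zone]
        entry["queries"] += 1
        entry["hosts"].add(host)
        score, _ = score_query(qtype, qname)
        if score >= query_threshold:
            entry["suspicious"] += 1
    flagged = {}
    for zone, entry in stats.items():
        if entry["suspicious"] >= min_unique_hosts and len(entry["hosts"]) >= min_unique_hosts:
            flagged[zone] = {
                "queries": entry["queries"],
                "suspicious": entry["suspicious"],
                "unique_hosts": len(entry["hosts"]),
            }
    return flagged


if __name__ == "__main__":
    for zone, summary in detect_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {zone}: {summary}")
```

Run against the constructed log, only example.net is flagged: its three queries each score 5 (long, high-entropy, TXT) and use three distinct hostnames, while the ordinary A lookups under example.com and example.org score 0. The per-zone aggregation matters: a single odd-looking name is weak evidence, but a stream of unique high-entropy names to one zone is the signature the abstract refers to.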


TLP:GREEN
Doit: Convoluted Stealer Targeting LATAM-Based Users
Kevin Ratto 🗣

Abstract

In late 2022, an unidentified AutoIt-based eCrime stealer was observed in the wild; it was named Doit. The malware was initially delivered via email spam campaigns targeting users from Chile, Mexico and Peru. In 2023, Doit shifted to exclusively target Mexico using phishing websites and search-engine optimization (SEO) poisoning. Doit aims to steal sensitive user data, install Chrome enrollment tokens, download additional components, and likely install actor-controlled browser extensions.

In the span of two years, Doit has been rewritten twice: from an AutoIt-based stealer (version 1.0) to a C++ rewrite (version 2.0), and now to a convoluted modular C++ malware (version 3.0) that is more technically complex than its earlier versions. The malware now consists of more than 10 modules that depend on each other, since the result of one module is used to execute the next. While the earlier AutoIt and C++ versions are no longer active, the latest modular C++ version is still actively distributed as of this writing.

This presentation covers Doit’s evolution since it was first observed, including:

  • A chronological view of the malware's evolution from the first AutoIt version to the modular C++ version
  • A detailed description of the delivery methods used to distribute the malware to Latin American (LATAM)-based users
  • A deep dive into the convoluted execution process of the modular C++ version, describing several anti-analysis and evasion techniques

The audience will gain a better understanding of Doit's technical development, of uncommon techniques in LATAM-focused malware, and insights into how a threat actor targeting users in LATAM operates.


TLP:CLEAR
Executing RATs in a Long-Term Observable Customized Online Sandbox
Shohei Hiruta 🗣 | Yuki Umemura | Masaki Kubo | Nobuyuki Kanaya | Takahiro Kasama

Abstract

Malware sandboxes are essential tools for malware analysis, allowing researchers to execute malware in controlled environments to reveal its behavior, communication destinations, and configuration settings. Due to their convenience, a wide variety of both free and commercial sandboxes are available. However, existing sandboxes face three major challenges: limited execution time for malware, inflexible execution environments, and restricted logging capabilities. To address these limitations, we developed a highly functional sandbox that eliminates execution time restrictions, allows for flexible configuration of execution environments, and provides real-time comprehensive logging. This sandbox is currently in operation at over 50 Japanese companies.

We have been operating and improving this sandbox, and now we need to evaluate whether these functions are effective. We therefore evaluated our sandbox from two perspectives:

  • Can we observe the activity of the attacker behind malware?
  • Is the observed activity unobservable by existing sandboxes?

A remote access trojan (RAT), which lets an attacker control an infected machine, was an appropriate subject for this evaluation.

We conducted an analysis using RATs collected in our sandbox over a six-month period. As a result, we were able to observe four types of attacker activity through the RATs. We also found that these activities occurred more than an hour after the RAT had connected to the command and control (C2) server, which makes them impossible to observe with existing sandboxes. Finally, we discuss how to improve and operate our sandbox in the future based on these results.


TLP:AMBER
Infiltrating Proxy Botnets to Uncover Spam Campaigns
Souhail Hammou 🗣

Abstract

Over the last few years, a significant part of our malware tracking efforts has focused on monitoring backconnect proxy malware families. What began in 2021 as an experiment with the SystemBC malware family has evolved into a project for monitoring multiple proxy botnets. Its primary aim has been to investigate proxied traffic with a particular focus on capturing spam campaigns. In 2024, we expanded our capabilities to monitor residential proxy providers suspected of facilitating spam.

This talk will share findings from our monitoring efforts and provide technical insights into impactful backconnect malware families and residential proxy providers.
