ninfo malware

NasaPaul Botnet: A Need for Speed

Updated: 2021-02-28 - Updated the detection section to explain why v.py might not be flagged by AV.
Updated: 2021-03-03 - Divided the article by Lockheed Martin (LM) Kill Chain phases instead of the MITRE ATT&CK framework.

Case Summary

I collect live malware samples from honeypots running on public cloud servers. This case examines a repeated security event following a successful brute-force attack against SSH, in which the malware payloads ninfo and v.py are dropped from nasapaul[.]com. The samples examined in this post were captured on February 23rd, 2021....

February 27, 2021 · 16 min
Honeypot Logs

A Botnet's Search for MikroTik Routers

Last Updated: 2021-02-04

Last month, I wrote a post about setting up honeypots on GCP, where I stood up a low-interaction SSH honeypot. Since then, I've been able to log a few megabytes' worth of unauthorized behavior. This post reports on a repeated security event targeting misconfigured MikroTik routers.

Event Behavior

The attacker logs into the honeypot using admin/password and then sends the commands seen below into the honeypot terminal....

February 2, 2021 · 8 min