Threat Report
Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior
Recently, we came across an emerging botnet-as-a-service, the Cayosin Botnet. We first observed Cayosin on January 6, 2019, and activity has been ramping up. We have data on 55 scanning IPs, with indicators consistent with the attacks built into Cayosin. Based on data from the threat actors, the bot count is over 1,100 as of February 2nd.
Cayosin appears to be created by Erradic, of RyM Tradgedy. Accounts (spots) for Cayosin Botnet are being sold via Instagram by @unholdable and @pumperdumper. A YouTube demo of Cayosin was posted two days after the scanning began. If you watch their Instagram stories, you can get frequent updates on Cayosin’s growth.
Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference a second-stage binary hosted at 185.244.25[.]241, an IP address not observed among the 55 IPs scanning with the first-stage exploit:
http://185.244.25[.]241/bins/cock.mpsl
http://185.244.25[.]241/bins/cock.x86
Based on reverse engineering of the binaries that unixfreaxjp posted to Imgur, we understand that the codebase of Cayosin shares characteristics with Torlus/Qbot/Lizkebab. 185.244.25[.]241 was scanning, but primarily for open telnet services. 185.244.25[.]241 is a Netherlands VPS that is serving the two binaries we recovered. Once the second-stage infection is executed on a vulnerable host, the host will reach out to hostnamepxssy[.]club.
On January 26, 2019, we saw a change in behavior and some of the IPs were scanning with a new user-agent, “Cock/2.0” instead of “Cayosin/2.0”. This change in behavior may have something to do with a customer service dispute that led to the source code of Cayosin being posted on pastebin. We were unable to find that pastebin post, but it could have prompted a new build of the botnet.
This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.
User-Agents
- Cayosin/2.0
- Cock/2.0
First stage IPs
- 101.255.95[.]34
- 103.102.133[.]11
- 103.113.156[.]46
- 103.24.104[.]98
- 103.62.152[.]58
- 104.185.20[.]41
- 113.11.154[.]162
- 114.108.229[.]59
- 115.127.103[.]132
- 115.127.103[.]139
- 115.127.5[.]244
- 117.102.69[.]124
- 117.102.69[.]125
- 117.102.69[.]126
- 118.97.55[.]101
- 119.40.84[.]155
- 119.73.133[.]87
- 120.28.151[.]44
- 120.29.125[.]194
- 121.235.3[.]65
- 121.7.226[.]57
- 122.117.162[.]61
- 122.144.11[.]195
- 122.96.208[.]32
- 125.165.180[.]211
- 144.202.60[.]94
- 152.169.218[.]80
- 162.244.80[.]47
- 162.244.81[.]232
- 163.172.91[.]156
- 175.106.11[.]179
- 176.152.38[.]195
- 185.105.4[.]172
- 185.105.4[.]183
- 185.244.25[.]201
- 190.6.141[.]59
- 202.162.204[.]36
- 202.86.222[.]4
- 203.129.22[.]119
- 203.160.63[.]125
- 203.177.173[.]46
- 219.74.127[.]169
- 223.197.212[.]15
- 36.37.220[.]57
- 36.66.16[.]117
- 36.89.106[.]19
- 45.124.15[.]48
- 46.8.209[.]105
- 58.212.57[.]219
- 65.127.187[.]7
- 67.205.154[.]69
- 74.93.73[.]169
- 83.208.108[.]189
- 85.197.162[.]91
- 95.27.246[.]66
Second stage IP
185.244.25[.]241
C2 Domain
hostnamepxssy[.]club
Binary info
cock.x86 (ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped)
md5 - 7cd9788dd9a5e97ca2e0a0480d4c377a
sha256 - e5173e4e4a1044858a14002a45507bb75772b21ceb348488bef465c2d22b791d
cock.mpsl (ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV))
md5 - 283d4888af0d820ba1d6f72e586a8410
sha256 - 96ecc0e9b9e6f4f0275c4041e128d5ee87b51148e0e74b0379ece5edebb22792
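The indicators above are published defanged ("[.]" in place of "."), which is safe to paste into a report but will not match anything in a log. As an added example that is not part of the original report, the script below refangs a subset of the listed indicators and runs them over a few constructed Apache-style "combined" access-log lines, flagging requests that carry the Cayosin/Cock user-agents, originate from a listed first-stage scanner, or reference the second-stage host or C2 domain. The log lines and the 198.51.100.x / 203.0.113.x client addresses are constructed sample data, not observations from the report.

```python
import re

# Indicators copied from the report above, kept defanged as published.
USER_AGENTS = {"Cayosin/2.0", "Cock/2.0"}
SCANNER_IPS_DEFANGED = [            # subset of the 55 first-stage IPs listed above
    "101.255.95[.]34",
    "103.102.133[.]11",
    "163.172.91[.]156",
    "185.244.25[.]201",
]
SECOND_STAGE_IP_DEFANGED = "185.244.25[.]241"
C2_DOMAIN_DEFANGED = "hostnamepxssy[.]club"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the literal value seen on the wire."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


SCANNER_IPS = {refang(ip) for ip in SCANNER_IPS_DEFANGED}
SECOND_STAGE_IP = refang(SECOND_STAGE_IP_DEFANGED)
C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def contains_indicator(text: str, value: str) -> bool:
    """Whole-token match so 185.244.25.241 does not also match 185.244.25.2411."""
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", text) is not None


def classify(entry: dict) -> list:
    """List the indicator families a parsed log entry matches (empty if none)."""
    reasons = []
    if entry["ua"] in USER_AGENTS:
        reasons.append("user-agent:" + entry["ua"])
    if entry["ip"] in SCANNER_IPS:
        reasons.append("first-stage-scanner-ip")
    # Injection attempts carry the download URL inside the request or referer.
    payload = entry["request"] + " " + entry["referer"]
    if contains_indicator(payload, SECOND_STAGE_IP):
        reasons.append("second-stage-ip-in-request")
    if contains_indicator(payload, C2_DOMAIN):
        reasons.append("c2-domain-in-request")
    return reasons


def scan(lines) -> list:
    """Return (client_ip, reasons) for every parseable line that matched something."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:          # skip lines that are not combined-format entries
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], reasons))
    return hits


# Constructed sample log lines (not from the report); the first-stage scanner
# address on the first line is one of the IPs listed above.
SAMPLE_LOG = [
    '101.255.95.34 - - [26/Jan/2019:10:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Cayosin/2.0"',
    '198.51.100.7 - - [26/Jan/2019:10:15:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Jan/2019:10:16:40 +0000] "GET /?x=http://185.244.25.241/bins/cock.x86 HTTP/1.1" 404 0 "-" "Cock/2.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ", ".join(reasons))
```

Matching the second-stage URL and C2 domain inside the request line catches the injection attempt even when the scanner changes its user-agent, which is exactly what happened with the "Cock/2.0" rebuild; matching only on the user-agent would have missed that change.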
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com