Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

New Botnet Shows Evolution of Tech and Criminal Culture

Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.

When botnet-as-a-service meets social media marketing, you have a threat poised to rapidly spread. That's precisely what researchers have found in a quickly evolving botnet called Cayosin (Kay-OH-sin), which combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a low price.

When researchers at Perch were going through customer telemetry last month, they found strings they hadn't seen before. In looking through the signatures, Perch senior threat researcher Paul Scott found leads on a Reddit forum dedicated to Linux malware that showed Cayosin was "actually a custom piece of malware developed from multiple public sources," Scott explains. "So it's kind of a Frankenstein between Qbot, Marai, and a few other pieces of software. The actors kind of cobbled them all together to make a new thing."

This new thing is a botnet for hire that draws marketing and support techniques from the best of legitimate commercial activity. "They were primarily renting spots or having subscribers sign up for an account when it was still in early development, and they were charging a very low amount of money, like $5 a spot," Scott says. Since Cayosin has matured and become more full-featured, though, the developing syndicate (or individual) has raised the price.

Cayosin has been marketed through "legitimate" social media platforms rather than the Dark Web. One of the first marketing instruments was a YouTube video showing its operation. "[Then] in the comments of the YouTube video, they started talking about an Instagram account that was selling it," Scott says.

The Instagram account of a user called "unholdable" contains multiple articles and videos explaining how to lease space on the Cayosin botnet, how to best use the malware, and how to purchase source code for the original version of the botnet software. "You can kind of see the development of not only Cayosin but other tools that this threat actor has published" in the Instagram posts, Scott says.

Following the social media accounts led researchers to the additional malware and botnets, including Yowai, a botnet described by researchers at Trend Micro. And tThe social media accounts are allowing the developer of Cayosin to engage in market research and customers support on a commercial scale.

"If you were to click on [the post], you can see that he's like, 'Hey, can you give me some feedback on the service I've been providing to you?'" Scott says. "I mean, he's very good on customer service — top notch — and his marketing game and advertising is on point. I mean, he is letting everybody see everything through the Instagram Stories that he's publishing here."

Cayosin is evolving in both its ability to infect new systems and the payloads it can distribute, he adds. "It's got a lot of different vulnerabilities packaged into it. It is looking for vulnerabilities in Linux Web servers, Internet of Things devices, and a number of routers," Scott says.

With the evolution comes increasing business success. "This is just the newest iteration, and they're actually starting to build up a following and a real service and business for their customers," he says. "As each of these tools gets burned out because everybody learns the infrastructure, they just republish it under a new name."

While Cayosin has primarily been used to launch distributed denial-of-service (DDoS) attacks, Scott says the evolving payloads show it's beginning to see action as a tool for exfiltrating sensitive information, stealing credentials, and other activities that may have a greater economic impact than simple DDoS.

While an individual attack using the new botnet may have an impact, Scott indicates that the greater threat may come from the new business model Cayosin represents. "There's a whole culture here," he says. "So this is a generation that's very comfortable with social media. They're just making it part of their infrastructure. We're moving out of the Darknet and into the light."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jablaa
50%
50%
jablaa,
User Rank: Apprentice
2/11/2019 | 1:41:06 PM
Cayosin Botnet moving forward
I am in contact with the owner, Erradic, and he is not looking to implement anything other than DDoS methods and the like. Thanks, Jablaa
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
CVE-2019-20900
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
CVE-2019-20897
PUBLISHED: 2020-07-13
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...