Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

New Botnet Shows Evolution of Tech and Criminal Culture

Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.

When botnet-as-a-service meets social media marketing, you have a threat poised to rapidly spread. That's precisely what researchers have found in a quickly evolving botnet called Cayosin (Kay-OH-sin), which combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a low price.

When researchers at Perch were going through customer telemetry last month, they found strings they hadn't seen before. In looking through the signatures, Perch senior threat researcher Paul Scott found leads on a Reddit forum dedicated to Linux malware that showed Cayosin was "actually a custom piece of malware developed from multiple public sources," Scott explains. "So it's kind of a Frankenstein between Qbot, Marai, and a few other pieces of software. The actors kind of cobbled them all together to make a new thing."

This new thing is a botnet for hire that draws marketing and support techniques from the best of legitimate commercial activity. "They were primarily renting spots or having subscribers sign up for an account when it was still in early development, and they were charging a very low amount of money, like $5 a spot," Scott says. Since Cayosin has matured and become more full-featured, though, the developing syndicate (or individual) has raised the price.

Cayosin has been marketed through "legitimate" social media platforms rather than the Dark Web. One of the first marketing instruments was a YouTube video showing its operation. "[Then] in the comments of the YouTube video, they started talking about an Instagram account that was selling it," Scott says.

The Instagram account of a user called "unholdable" contains multiple articles and videos explaining how to lease space on the Cayosin botnet, how to best use the malware, and how to purchase source code for the original version of the botnet software. "You can kind of see the development of not only Cayosin but other tools that this threat actor has published" in the Instagram posts, Scott says.

Following the social media accounts led researchers to the additional malware and botnets, including Yowai, a botnet described by researchers at Trend Micro. And tThe social media accounts are allowing the developer of Cayosin to engage in market research and customers support on a commercial scale.

"If you were to click on [the post], you can see that he's like, 'Hey, can you give me some feedback on the service I've been providing to you?'" Scott says. "I mean, he's very good on customer service — top notch — and his marketing game and advertising is on point. I mean, he is letting everybody see everything through the Instagram Stories that he's publishing here."

Cayosin is evolving in both its ability to infect new systems and the payloads it can distribute, he adds. "It's got a lot of different vulnerabilities packaged into it. It is looking for vulnerabilities in Linux Web servers, Internet of Things devices, and a number of routers," Scott says.

With the evolution comes increasing business success. "This is just the newest iteration, and they're actually starting to build up a following and a real service and business for their customers," he says. "As each of these tools gets burned out because everybody learns the infrastructure, they just republish it under a new name."

While Cayosin has primarily been used to launch distributed denial-of-service (DDoS) attacks, Scott says the evolving payloads show it's beginning to see action as a tool for exfiltrating sensitive information, stealing credentials, and other activities that may have a greater economic impact than simple DDoS.

While an individual attack using the new botnet may have an impact, Scott indicates that the greater threat may come from the new business model Cayosin represents. "There's a whole culture here," he says. "So this is a generation that's very comfortable with social media. They're just making it part of their infrastructure. We're moving out of the Darknet and into the light."

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
jablaa
50%
50%
jablaa,
User Rank: Apprentice
2/11/2019 | 1:41:06 PM
Cayosin Botnet moving forward
I am in contact with the owner, Erradic, and he is not looking to implement anything other than DDoS methods and the like. Thanks, Jablaa
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.