# Full Report
Botnets are becoming more sophisticated and accessible. DDoS attacks, cryptocurrency mining and data theft are just a few examples of botnet capabilities.
# Analysis Summary
# Tool/Technique: 911 S5 Botnet
## Overview
The 911 S5 botnet was described as the largest known botnet worldwide before it was dismantled in 2024. It operated by leveraging hijacked residential proxy resources, primarily spread through infected Virtual Private Network (VPN) applications.
## Technical Details
- Type: Malware Infrastructure/Botnet
- Platform: Primarily Windows/Desktop (implied by infection vectors, though target devices could be varied)
- Capabilities: Proxy services, large-scale proxy access, deployment via popular VPN software.
- First Seen: Not specified in the text; the source covers its activity leading up to its dismantlement in 2024.
## MITRE ATT&CK Mapping
Botnets generally map broadly across several stages, but the primary capabilities often relate to Command and Control and Collection/Impact.
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Used for C2 or data exfiltration)
- T1573 - Encrypted Channel
- T1573.001 - Symmetric Cryptography (Implied for C2 resilience)
## Functionality
### Core Capabilities
- Provided massive residential proxy infrastructure, reaching approximately 19 million active bots across 190 countries at its peak.
- Served as a distribution platform for other malicious activities, likely including data theft, ransomware distribution, and botnet recruitment.
### Advanced Features
- Relied heavily on infecting popular VPN applications for initial access and distribution, including **MaskVPN, DewVPN, and ShieldVPN**.
- The size and global reach made it a significant source of anonymized traffic for diverse criminal operations.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text, but associated with infected VPN installers]
- Registry Keys: [Not specified in the text]
- Network Indicators: The infrastructure itself served as the indicator, leveraging numerous compromised residential IPs globally.
- Behavioral Indicators: Observed proliferation via installation/use of specific named VPN clients.
## Associated Threat Actors
- The administrator of the 911 S5 botnet was arrested in a coordinated international operation in 2024.
- Threat actors engaged in large-scale cybercrime who benefited from the proxy access it sold.
## Detection Methods
- [Not specified in the text regarding internal detection mechanisms]
## Mitigation Strategies
- Removal/avoidance of suspicious or unknown VPN/proxy software.
- Network monitoring to detect anomalous high-volume traffic originating from residential IPs being used as proxies.
## Related Tools/Techniques
- Proxy/Botnet services used for infrastructure deployment.
***
# Tool/Technique: Eleven11bot Botnet
## Overview
The Eleven11bot botnet is a newer or specialized botnet notable for its narrow target scope, focusing exclusively on devices running specific vulnerable software combinations.
## Technical Details
- Type: Malware Infrastructure/Botnet (Specialized)
- Platform: HiSilicon-based devices running TVT-NVMS9000 software.
- Capabilities: Exploitation of a single vulnerability to gain control over IoT/surveillance devices.
- First Seen: Not specified precisely in the text; described as a recent discovery in the context of 2024 botnet activity.
## MITRE ATT&CK Mapping
The focus on specific IoT software points toward initial access and exploitation, likely leveraging known vulnerabilities in IP camera or NVR software.
- T1190 - Exploit Public-Facing Application (If targeting the NVMS software remotely)
## Functionality
### Core Capabilities
- Exploits a specific, singular vulnerability present in HiSilicon-based devices running TVT-NVMS9000 software.
- Used to build a focused army of compromised IoT devices.
### Advanced Features
- Its population is limited by its extreme specialization: it depends on the continued presence of devices running the targeted software.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [Not applicable/specified for IoT firmware]
- Network Indicators: Compromised devices communicating via C2 protocols specific to the exploitation method.
- Behavioral Indicators: Command and control traffic originating from targeted types of network devices.
## Associated Threat Actors
- No specific group is cited in the text, but the activity is typical of threat actors who compromise IoT devices for participation in large-scale attacks (e.g., DDoS).
## Detection Methods
- Network scanning for devices running the TVT-NVMS9000 software on vulnerable configurations.
## Mitigation Strategies
- Immediately update or patch TVT-NVMS9000 software on HiSilicon-based devices.
- Network segmentation to isolate IoT infrastructure.
## Related Tools/Techniques
- Mozi Botnet (mentioned due to code similarity, suggesting shared origins or inspiration for exploitation).
***
# Tool/Technique: Phorpiex Botnet
## Overview
Phorpiex is a long-standing botnet, active for over a decade, that primarily functions as a downloader and distributor for other significant malware, most notably ransomware (e.g., LockBit-branded campaigns) and spam/sextortion operations. It has shown resilience by evolving away from traditional C2 structures.
## Technical Details
- Type: Malware Family/Botnet Infrastructure (Downloader/Distributor)
- Platform: Varied, capable of operating across different environments based on payloads delivered.
- Capabilities: Spam distribution, ransomware deployment, delivery of secondary malware payloads, sextortion campaign support.
- First Seen: Active for over a decade; present iteration involved in 2024 activity.
## MITRE ATT&CK Mapping
Phorpiex's operations span initial delivery, command and control, and execution of secondary threats.
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivery via spam campaigns)
- T1105 - Ingress Tool Transfer (Downloading and delivering secondary payloads like ransomware)
- T1560.001 - Archive via Utility (Relevant if used in spam/deception)
## Functionality
### Core Capabilities
- Massive volume-based spam campaigns used for initial distribution.
- Effective delivery mechanism for ransomware payloads, evidenced by 2024 LockBit campaigns.
- Supporting sextortion operations, leveraging harvested information (e.g., passwords from compromised applications like Zoom).
### Advanced Features
- Resilient C2 structure: Developed and utilized a peer-to-peer (P2P) mode (as the 'Trik' or 'Twizt' variant) to remove reliance on centralized C2 servers, increasing survivability.
- Continuous iteration focused on improving spam distribution and payload delivery efficiency.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [Not specified in the text]
- Network Indicators: C2 communication patterns associated with Phorpiex variants, particularly those initiating P2P connections.
- Behavioral Indicators: Mass outbound email activity designed for bulk distribution; processes initiating connections to download executable payloads post-infection.
## Associated Threat Actors
- Actors involved in large-scale ransomware campaigns (e.g., linked to LockBit in 2024).
## Detection Methods
- Signature detection for known Phorpiex binaries and variants.
- Behavioral detection for large-scale unsolicited mass email generation originating from compromised endpoints.
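One way to implement the behavioural check above, as an added example that is not part of the original report: a small Python detector parses constructed connection records and flags hosts that open SMTP sessions to many distinct destinations within a short window (direct-to-MX delivery, the pattern of a spam bot), while exempting a hypothetical sanctioned corporate mail relay. The thresholds, the relay address and the record format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.0.2"}          # hypothetical sanctioned corporate relay
WINDOW = timedelta(minutes=5)       # assumed sliding window
MIN_DISTINCT_DST = 5                # assumed threshold of distinct SMTP peers

# Constructed sample flow records (not from the report): "<ISO timestamp> <src> <dst> <dport>".
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.0.15 203.0.113.10 25
2024-05-01T10:00:05 10.0.0.15 203.0.113.11 25
2024-05-01T10:00:09 10.0.0.15 198.51.100.7 25
2024-05-01T10:00:12 10.0.0.15 198.51.100.9 25
2024-05-01T10:00:20 10.0.0.15 192.0.2.44 587
2024-05-01T10:00:31 10.0.0.15 192.0.2.45 25
2024-05-01T10:00:40 10.0.0.15 203.0.113.80 443
2024-05-01T10:01:00 10.0.0.20 10.0.0.2 587
2024-05-01T10:01:10 10.0.0.20 10.0.0.2 587
2024-05-01T10:01:20 10.0.0.20 10.0.0.2 587
2024-05-01T10:02:00 10.0.0.30 203.0.113.10 25
2024-05-01T10:02:30 10.0.0.30 203.0.113.11 25
"""

def parse_flows(text):
    """Parse whitespace-separated records into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_spam_senders(flows, window=WINDOW, min_dst=MIN_DISTINCT_DST):
    """Return {src: peak distinct-destination count} for hosts that opened SMTP
    sessions to at least `min_dst` distinct non-relay destinations within `window`.
    Legitimate workstations talk to one relay; spam bots talk to many MX hosts."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in SMTP_PORTS and dst not in MAIL_RELAYS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):           # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= min_dst:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for host, n in find_spam_senders(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {n} distinct SMTP destinations within {WINDOW} (possible spam bot)")
```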
## Mitigation Strategies
- Strong email filtering and anti-spam measures.
- Patching applications vulnerable to credential harvesting (like Zoom flaws exploited historically).
- Next-generation endpoint protection capable of blocking unauthorized file execution, informed by analysis of high volumes of email attachments.
## Related Tools/Techniques
- Ransomware distribution mechanisms; P2P malware architectures.
***
# General Botnet Trends and Activity Summary
## Overview
Botnet activity in 2024 demonstrated significant growth in capability and scale. Key trends include specialization, increased sophistication in evasion, commercialization (Botnet-as-a-Service), and convergence of multiple attack vectors.
## Technical Details
- Type: Collective Threat Landscape/Activity Trend
- Platform: Diverse (PCs, servers, IoT, mobile)
- Capabilities: DDoS amplification, data theft, ransomware distribution, cryptojacking.
- First Seen: Trends observed across 2024 measurements.
## MITRE ATT&CK Mapping
Collective botnet activity often focuses on network disruption and resource abuse.
- T1498 - Network Denial of Service
- T1498.004 - Infrastructure Denial of Service (Targeting web applications/services)
- T1486 - Data Encrypted for Impact (Ransomware distribution)
- T1059 - Command and Scripting Interpreter (Used for remote execution on compromised nodes)
## Functionality
### Core Capabilities
- DDoS attack volume increased by 53% in 2024 vs. 2023.
- Largest recorded DDoS attack peaked at 1.14 Tbps (65% higher than the previous record).
- Largest detected botnet in 2024 grew to 227,000 devices (up from 136,000 in 2023), attributed to proliferation in developing nations with outdated devices.
### Advanced Features
- 8% increase in multi-vector attacks, indicating greater operational complexity designed to overwhelm defenses simultaneously.
- Threat actors enhance operations for redundancy and expanded reach.
## Indicators of Compromise
- Behavioral Indicators: Extremely high volumes of outgoing traffic (exceeding typical bandwidth); consistent patterns of specific attack vectors (DDoS, spam).
## Associated Threat Actors
- General cyber threat landscape benefiting from infrastructure consolidation (Botnet-as-a-Service customers).
## Detection Methods
- Focus shifting to advanced behavioral monitoring due to increased evasion sophistication.
- Use of specialized commercial tools like Barracuda Advanced Bot Protection for multi-vector defense.
## Mitigation Strategies
- Multi-layered defense combining technological solutions (bot protection) with human awareness.
- Regular patching of all devices, especially IoT and legacy systems, to counter threat growth related to outdated hardware.
## Related Tools/Techniques
- Ransomware, Cryptojacking, Proxy services.