New 'JenX - Los Calvos de San Calvicie' IoT botnet taps into hosted servers to infect victims

Yet another IoT botnet found

Security researchers have discovered a new botnet, dubbed JenX, that recruits Internet of Things (IoT) devices and relies on hosted servers to scan for and infect new victims.

Security specialists at Radware believe the attackers are exploiting two publicly known IoT vulnerabilities: CVE-2014-8361 (a command-injection flaw in the UPnP implementation of the Realtek SDK) and CVE-2017-17215 (a remote code execution flaw in Huawei HG532 routers).

The exploit code for both originates from the Satori botnet, which continues to launch attacks on targets around the world, and also borrows from a public post written by Janit0r, the author of BrickerBot.

BrickerBot was an attempt to knock Mirai-infected devices offline so that they could not be used in distributed denial of service (DDoS) attacks.

The new malware is thought to use techniques similar to those of PureMasuta, whose source code was recently published on the so-called dark web.

"Our investigation led us to a C2 [command and control] server hosted under the domain 'sancalvicie.com', of which the site provides GTA San Andreas multi-player mod servers with DDoS services on the side," said the researchers.

The security specialists explained that it "provides a multi-player gaming service for GTA San Andreas and explicitly mentions the protection against Source Engine query and other DDoS floods".

There is also a so-called Corriente Divina (or "divine stream") option, described as follows: "God's wrath will be employed against the IP [address] that you provide us."

The service advertises DDoS attacks with a bandwidth of 90-100Gbps that can be aimed at a range of targets.

Radware also noted that the service offers attacks against TeamSpeak 3 (TS3) servers and a "Down OVH" option, which it believes "most probably refers to attacks targeting the hosting service of OVH".

OVH is a popular cloud hosting provider and was one of the first victims of the Mirai attacks, which took place in 2016. The service is popular among Minecraft gamers.

Pascal Geenens, who compiled these findings in a Radware blog post, noted that the description of the DDoS service kept changing, which suggests the operators are continually upgrading their offering.