Security researchers at Positive Technologies are tracking a major botnet campaign that attacks web shells used by threat actors as part of other malware campaigns. The hackers behind the botnet previously operated a Windows Trojan called Neutrino that was used to attack desktop users. Their new campaign started in 2018 and targets web servers.
Like other botnets, Neutrino uses a variety of techniques to attack web servers. Compromised systems are infected with cryptocurrency-mining malware, which is also common. However, the campaign differs from other botnet operations in that it also scans the web for PHP and Java web shells that other threat actors have installed on web servers. It then attacks these backdoors and tries to take over the shells, and with them the web servers on which they have been installed.