
DoubleGuns Botnet

Posted: June 1, 2020

The DoubleGuns Botnet is a threat that operates exclusively in China, and cybersecurity researchers suspect that it might have infected over 100,000 computers during the peak of its activity. The payloads that the DoubleGuns Botnet delivers have been changed multiple times, and it is not yet clear whether the botnet's original authors are spreading their own malware or offering paid propagation services to other cybercriminals in the region. The initial infection with the DoubleGuns Trojan usually occurs when Chinese users try to download and install a pirated game advertised on social media sites and forum boards popular in China – this appears to be the propagation technique that the DoubleGuns Botnet's authors prefer.

Once active, the DoubleGuns Botnet would complete one of the following routines on the infected machines:

  • Install a rootkit or a fake, corrupted driver that contains a piece of malware. Usually, the botnet gang focuses on collecting credentials from various applications, with particular attention to gaming platforms like Steam.
  • The DoubleGuns Botnet can be used for click-fraud – it can inject advertisements in Web browsers, or hijack the victim's QQ account to send private spam messages to their friends.
  • Last but not least, the DoubleGuns Botnet could redirect the users whenever they try to access specific e-commerce sites.

Cybersecurity researchers in China were able to disrupt the DoubleGuns Botnet's activity temporarily by identifying the trick that the hackers used to feed commands to their bots – infected machines would download a specially crafted image hosted on the public Tieba service. The botnet payload was able to extract the attacker's instructions from the image and then execute them – by taking down the images used to control the DoubleGuns Botnet, experts have been able to slow down its activity for now.
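The write-up above does not say how the instructions were hidden inside the Tieba images, so the following is an added example (not code from the original article or from any DoubleGuns analysis) of one generic hunting check a defender can run over images fetched by a suspicious process: parse the PNG or JPEG container to its real end-of-image marker and report any bytes appended after it. Appending a payload after the end marker is a common, low-effort way to smuggle data in a file that still opens as a valid picture; the check below is an assumption about technique, not a description of the DoubleGuns implementation, and the sample images it scans are constructed in the script itself.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data):
    """Skip JPEG segments by their declared length until SOS, then locate EOI (FF D9)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        # Standalone markers carry no length field (SOI, RSTn, TEM).
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # Start Of Scan: entropy-coded data runs until EOI
            pos += 2 + seglen
            idx = data.find(b"\xff\xd9", pos)
            return None if idx < 0 else idx + 2
        pos += 2 + seglen
    return None


def trailing_data(data):
    """Return bytes appended after the image's end marker, b"" if none, None if not PNG/JPEG."""
    for parser in (png_end_offset, jpeg_end_offset):
        off = parser(data)
        if off is not None:
            return data[off:]
    return None


# --- constructed sample images (not real DoubleGuns artefacts) ---

def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    """A valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\x00\x00\x00"  # filter byte + one RGB pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_jpeg():
    """A structurally valid minimal JPEG: SOI, APP0, SOS with stuffed byte, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


def scan_samples():
    """Scan constructed samples; returns {name: appended byte count or None}."""
    samples = {
        "clean.png": make_png(),
        "clean.jpg": make_jpeg(),
        "suspect.png": make_png() + b"CONSTRUCTED-COMMAND-BLOB",  # hypothetical appended payload
        "other.gif": b"GIF89a" + b"\x00" * 16,
    }
    report = {}
    for name, blob in samples.items():
        extra = trailing_data(blob)
        report[name] = None if extra is None else len(extra)
    return report


if __name__ == "__main__":
    for name, count in scan_samples().items():
        status = "unparsed" if count is None else ("appended bytes: %d" % count)
        print(f"{name}: {status}")
```

Treat a non-zero count as a lead, not a verdict: some legitimate tools leave padding or metadata after the end marker, so correlate the hit with the process that fetched the image and with where it was fetched from before escalating.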
