LiquorBot

Posted: January 13, 2020

LiquorBot is a Trojan botnet: a network of decentralized Trojans running on infected machines. As a ported version of the Mirai Botnet, it targets similar IoT (Internet-of-Things) devices, including home users' routers, and uses them for mining cryptocurrency. Users should reset their devices to factory settings and employ anti-malware solutions to check associated PCs and hardware for any LiquorBot-related threats that require removal.

An Old Vintage Getting Reinvigorated Twice Over

The Mirai Botnet, a notorious Internet-of-Things networking infection, is to botnets as Hidden Tear is to file-locking Trojans: a seminal ancestor of countless free variants by numerous, unaffiliated threat actors. In 2020, honeypot servers maintained by Bitdefender caught not just one, but two versions of the Mirai Botnet's code being installed together through corrupted scripts. LiquorBot is the more notable of these threats because it is a complete port of the Mirai Botnet Trojan to the Go (Golang) programming language.

Due to some minor benefits over traditional C++, Golang usage is becoming more commonplace in Trojan campaigns, as seen in incidents like the attacks of Sednit, Zebrocy Go or the r2r2 worm. LiquorBot also takes advantage of a flexible structure that supports more environments than most threats, such as x86, x64, MIPS and ARM. The most vulnerable devices for LiquorBot infections are routers and IoT-compatible cameras, which are at risk from the SSH brute-forcing and, in rarer cases, the software vulnerability exploits that the Trojan leverages.

LiquorBot uses a CPU-based method of conducting its primary purpose: mining cryptocurrency. Like the MyKings Botnet, Graboid, and other competitors in the same field, LiquorBot prefers Monero over Bitcoin, due to current market values and the low resource intensity of the associated mining functionality. Users should note that while the LiquorBot Trojan doesn't compromise any related PCs directly, malware researchers do confirm a general-purpose, file-downloading feature that could elevate the infection's danger level.

Staying on the Wagon with IoT Security

Despite the sophistication of LiquorBot's porting and updates from the old Mirai Botnet, businesses and individuals can put up basic defenses that work well against its automated distribution model. Updating software with the latest patches will close many of the vulnerabilities that newer versions of LiquorBot can fall back on, such as the Belkin Wemo CVE-2019-12780 vulnerability or the nslookup-misusing CVE-2017-6884. Proper maintenance of firewall and port settings, together with responsible password practices, will counter the Trojan's brute-force techniques.

Most users shouldn't attempt detecting LiquorBot infections by eye. The victim-side Trojan includes a stage that removes file-based evidence of the intrusion, as well as Linux and macOS bash history. As a further complication, Monero mining can be a lightweight activity, and some of the usual symptoms of a mining Trojan, such as performance issues, might not be present.

Users should follow manufacturer recommendations on resetting any devices compromised by LiquorBot, and malware experts additionally recommend fully patching the devices and changing their passwords. Anti-malware tools should scan other vulnerable systems for possible threats related to the LiquorBot attack.

LiquorBot is a fairly sizable investment in programming time for its threat actor. However, since it is arriving alongside another Mirai Botnet offshoot, the criminals are hedging their bets, which can't mean anything good for the Internet-of-Things.