
Tsunami Botnet

Posted: December 3, 2020

The Tsunami Botnet has been active for several months, and its operators seem to introduce new payloads and infection vectors regularly. The campaign's latest variant goes after Docker instances, vulnerable Oracle WebLogic servers, and Redis instances. The Tsunami Botnet now also appears to support SSH credential brute-forcing, which might be used to spread laterally once a network has been infiltrated.

Once on a host, the Tsunami Botnet carries out additional tasks to gain persistence and to eliminate the competition. For example, it scans the list of running processes for names belonging to popular cryptocurrency miners or other malware and terminates them. This way, it ensures that all available hardware resources will be used by the Tsunami Botnet's own mining component. The Tsunami Botnet malware can also download and run Python scripts, giving the attacker the ability to perform plenty of other operations on the infected system.

Tsunami Botnet Evolves to Use Alternative Infection Vectors

The cryptocurrency mining module the Tsunami Botnet uses is not surprising. The criminals are once again using a modified variant of the XMRig miner to mine for Monero (XMR). The Tsunami Botnet payload and the miner are available for both x86 and x64 architectures, ensuring that the criminals will be able to infect more systems. It is also worth noting that the Tsunami Botnet targets Linux servers exclusively, and that, so far, it has only been going after Docker and Oracle WebLogic servers. While the code for exploiting Redis and for SSH brute-forcing is present, it has not been used yet.

Since the Tsunami Botnet relies on exploiting weak login credentials and outdated software, the best way to protect your systems from it is to update all Internet-connected software and to make sure strong login credentials are in use. It would also help to install a reputable anti-virus product.
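As an added illustration of the hardening advice above (this is not code from the original page or from any analysis of the botnet), the following Python script parses constructed sshd_config, redis.conf and Docker daemon.json fragments and flags the settings that leave each of the three services the Tsunami Botnet goes after open to credential brute-forcing or unauthenticated access. The sample values are made up, and the Docker check only looks for a tcp:// listener, not for whether TLS client authentication is configured on it.

```python
import json
import re

# Constructed sample configuration fragments for a poorly configured host (not from any real system).
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass <password>   <- commented out, so no authentication at all
"""
DOCKER_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

def _options(text):
    """Parse 'key value' lines into a dict; lines starting with '#' are skipped."""
    return dict(re.findall(r"^\s*([A-Za-z-]+)\s+(.+?)\s*$", text, re.MULTILINE))

def audit_sshd(text):
    """SSH brute-forcing only pays off when password logins are accepted."""
    opts = _options(text)
    findings = []
    if opts.get("PasswordAuthentication", "yes").lower() == "yes":  # OpenSSH default is yes
        findings.append("ssh: PasswordAuthentication yes")
    if opts.get("PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append("ssh: PermitRootLogin yes")
    return findings

def audit_redis(text):
    """An unauthenticated Redis reachable from outside is the exploitable state."""
    opts = _options(text)
    findings = []
    if "requirepass" not in opts:
        findings.append("redis: no requirepass")
    if opts.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode no")
    if "0.0.0.0" in opts.get("bind", "127.0.0.1"):
        findings.append("redis: bind 0.0.0.0")
    return findings

def audit_docker(text):
    """A Docker API served on a tcp:// host is reachable by anyone who can hit the port."""
    hosts = json.loads(text).get("hosts", [])
    return [f"docker: remote API on {h}" for h in hosts if h.startswith("tcp://")]

def audit_all():
    """Run all three audits over the constructed samples and return the combined findings."""
    return audit_sshd(SSHD_CONFIG) + audit_redis(REDIS_CONF) + audit_docker(DOCKER_DAEMON_JSON)
```

Point the three functions at the real files on a server to get a quick list of the settings to fix before patching and rotating credentials.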
