TTPwire Vol. 1 · MITRE ATT&CK-tagged


F5 Labs

New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution

2020-03-03

ATT&CK techniques detected

10 predictions (technique, confidence, supporting excerpt from the article)

T1505.003 Web Shell (98%)
“and control the tuyul-infected victims: injecting a web shell or connecting the server to an irc server and joining a botnet. the following sections describe both. method #1: gaining access by injecting a web shell the attacker uses a number of different php web shells to ga…”

T1584.005 Botnet (90%)
“f5 researchers will remain engaged with this botnet and will report on any future findings. conclusion this new campaign shows that botnets continue to be a threat to organizations and have a variety of uses, ranging from irc bots to shopping bots to crypto mining. those interest…”

T1059.004 Unix Shell (86%)
“first stage of the infection instructs the server to download a bash script dropper (see figure 11). the dropper instructs the server to download a compiled perl binary and execute it on the system. if it is unsuccessful, it then tries to download an uncompiled version of the f…”

T1584.005 Botnet (83%)
“script, it is difficult to determine the intentions of the bot master. unlike previous well-known irc bots, where commands had more specific descriptions such as ddos or crypto mining capabilities, tuyul bot has only general-purpose commands. while monitoring the botnet, we d…”

T1584.005 Botnet (83%)
“new perl botnet (tuyul) found with possible indonesian attribution on january 15, 2020, f5 threat researchers detected a new campaign targeting vulnerable phpunit systems (cve-2017-9841) that tries to install an internet relay chat (irc) bot. the bot, called tuyul, crea…”

T1059.004 Unix Shell (80%)
“persistent on the system, the malware periodically downloads a bash script named cron, which ensures that the tuyul script is still installed (see figure 14). figure 14. a bash script checking that the tuyul script is still running it also detects and kills rival processes of o…”

T1059.004 Unix Shell (66%)
“. - we continue to see this bot being actively worked on and we expect it to continue to grow. f5 researchers will remain engaged with this botnet and will report on any future findings. technical details first, we discuss some details of the malware itself and then the compositi…”

T1105 Ingress Tool Transfer (52%)
“first stage of the infection instructs the server to download a bash script dropper (see figure 11). the dropper instructs the server to download a compiled perl binary and execute it on the system. if it is unsuccessful, it then tries to download an uncompiled version of the f…”

T1059 Command and Scripting Interpreter (36%)
“default time method #2: gaining access via an irc botnet the second infection method connects the victim’s server to an irc botnet. the malware is written in perl, and this makes it worth thinking about. in the past, perl was a popular language for writing attack tools. since…”

T1583.005 Botnet (30%)
“f5 researchers will remain engaged with this botnet and will report on any future findings. conclusion this new campaign shows that botnets continue to be a threat to organizations and have a variety of uses, ranging from irc bots to shopping bots to crypto mining. those interest…”

Summary

Tuyul bot targets vulnerable PHPUnit systems to install an Internet Relay Chat (IRC) bot.