In this article we will review the proxy mechanism and expose the underlying infrastructure used by the Bunitu botnet.

During our research we noticed that a VPN service called VIP72 was heavily involved with the Bunitu botnet and its proxies. VIP72 appears to be a top choice for cybercriminals, as referenced on many underground forums. A recent report from FireEye on Nigerian scammers also mentions VIP72.

Not only that, but all traffic is also unencrypted – ironic for a VPN service – and could be intercepted via a Man-In-The-Middle attack. Malicious actions such as data theft or traffic redirection could therefore easily be performed.

We reverse engineered the Bunitu command and control (C2) protocol and developed a script that mimicked the proxy registration request. In order to confirm our hypothesis regarding the Bunitu proxies we developed our own Bunitu “honeypot”. We are also sharing indicators of compromise so that end users are able to clean up their computers and no longer help to provide free exit nodes for dubious VPN services.

[Figure: Number of Bunitu infections in July based on telemetry data from Malwarebytes Anti-Malware.]