Uptycs’ threat research team warns of a new botnet, Simps, attributed to the Keksec group, which is known for specializing in DDoS attacks.
Attackers downloaded the Simps Botnet binaries via a shell script, delivered through remote code execution exploits used by Gafgyt.
The cybersecurity team presents the following observations:
- For its DDoS functionality, the Simps Botnet binary uses modules borrowed from Mirai and Gafgyt
- The presence of the infected.log file after execution may indicate that the Botnet is in the early stages of development
- The author of this Botnet runs a YouTube channel and a Discord server where they demonstrate the usage and operation of the Botnet
- Based on the timestamp of the YouTube video on the channel and historical data, Uptycs determined that Simps Botnet has been active since at least April 2021
- Based on the Discord server discussions and threat intelligence data, Uptycs says Simps Botnet is associated with the Keksec group
The full analysis published by the cybersecurity firm covers the discovery, threat intelligence data, attribution to the Keksec group, the binaries, code similarity, and the modules Simps Botnet reuses.
The Uptycs threat research team detected the Botnet during the first week of May 2021, when they found a shell script and Gafgyt malware downloading Simps binaries from the same C2 server, 23.95.80[.]200, used for DDoS activities.
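The two host-observable indicators in this summary are the C2 address 23.95.80[.]200 and the infected.log file written after execution. The following added example (not code from Uptycs or from the report) shows how a defender would sweep endpoint telemetry for both: it refangs the defanged address in memory, matches it and the file name against log lines, and flags hosts that show both indicators as the first to triage. The log format and all event lines are constructed for the example.

```python
import re

# Indicators taken from the summary above. The C2 address is kept defanged
# in source and only refanged in memory when building the match pattern.
DEFANGED_C2 = "23.95.80[.]200"
DROPPED_FILE = "infected.log"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '23.95.80[.]200' into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed sample telemetry (not from the report): one outbound connection
# to the C2, one creation of the dropped file, and two benign lines. The
# key=value layout is an assumption about the EDR export format.
SAMPLE_EVENTS = [
    "2021-05-03T10:01:12Z host=web01 type=netconn dst=23.95.80.200 dport=80 proc=/tmp/sample_bin",
    "2021-05-03T10:01:14Z host=web01 type=file_create path=/tmp/infected.log proc=/tmp/sample_bin",
    "2021-05-03T10:02:00Z host=web02 type=netconn dst=93.184.216.34 dport=443 proc=/usr/bin/curl",
    "2021-05-03T10:02:30Z host=web02 type=file_create path=/var/log/syslog proc=/usr/sbin/rsyslogd",
]


def match_events(events, c2_ip=DEFANGED_C2, dropped_file=DROPPED_FILE):
    """Return (host, reason, line) tuples for lines matching either indicator."""
    ip_re = re.compile(r"\bdst=" + re.escape(refang(c2_ip)) + r"\b")
    file_re = re.compile(r"\bpath=\S*/" + re.escape(dropped_file) + r"\b")
    hits = []
    for line in events:
        host_m = re.search(r"\bhost=(\S+)", line)
        host = host_m.group(1) if host_m else "?"
        if ip_re.search(line):
            hits.append((host, "c2_connection", line))
        elif file_re.search(line):
            hits.append((host, "dropped_file", line))
    return hits


def hosts_with_both(hits):
    """Hosts showing both indicators are the strongest candidates for triage."""
    seen = {}
    for host, reason, _ in hits:
        seen.setdefault(host, set()).add(reason)
    return sorted(h for h, r in seen.items() if {"c2_connection", "dropped_file"} <= r)


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for host, reason, line in found:
        print(f"{host}: {reason}: {line}")
    print("hosts with both indicators:", hosts_with_both(found))
```

The file pattern anchors on a path separator before the file name so that an unrelated file whose name merely ends in `infected.log` is not flagged, and the address is matched as a whole token so that a longer IP sharing the same prefix does not produce a false hit.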
Using Uptycs’ EDR, threat intelligence data and open-source intelligence (OSINT), the researchers established the relationships needed to attribute Simps Botnet to the Keksec group.
The Uptycs threat research team says it has reported the Discord server, YouTube, and GitHub links associated with the attacker to the corresponding companies. As this is an ongoing campaign, the team will continue monitoring the activities of this group and post updates on the firm’s blog.