Discovery of Geost Botnet Made Possible by Attacker OpSec Fails
upstart writes:
Submitted via IRC for SoyCow9088
A series of operational security (OpSec) failures on the part of attackers enabled researchers to discover the Geost botnet.
In mid-2018, Virus Bulletin researchers Sebastian Garcia, Maria José Erquiaga and Anna Shirokova discovered Geost, one of the largest Android banking botnets known today, while analyzing another malware family called HtBot. The researchers found that HtBot converted victims into unwilling proxies that received traffic from the malware's network and then sent it to the web. While analyzing that traffic, they observed someone logging into the command-and-control (C&C) panel of what was then a previously undocumented botnet.
[...] Garcia, Erquiaga and Shirokova learned all of this and more because several OpSec failures made it possible for the researchers to access a chat log of an underground team hired by Geost's controllers. This log provided insight into the creation of Geost, the development of new features and the use of victims' stolen data. In so doing, the log also revealed just how spectacularly the Geost botmasters had failed to secure their creation.
As the researchers explained in a blog post:
Maintaining a good OpSec is difficult both for security analysts and attackers trying to hide. The discovery of the Geost botnet was possible because of several OpSec mistakes, including the use of the HtBot illegal proxy network, not encrypting their command-and-control servers, re-using security services, trusting other attackers with less OpSec, and not encrypting their chat sessions.
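To make the "unencrypted C&C through someone else's proxy" failure concrete, here is an added example (not the researchers' tooling and not anything from the Geost or HtBot code) of what a node that is forced to relay plain HTTP can read off the wire. The requests are constructed for this illustration; the hostnames, paths and credentials are made up. A panel behind TLS would only show up as a CONNECT to a host and port, which is exactly the difference the quoted paragraph is pointing at.

```python
"""
Illustration: a victim acting as an unwilling HTTP proxy sees every request it
relays in the clear. Added example, not the researchers' code; all sample
traffic below is constructed and the hosts/credentials are fictitious.
"""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample of requests as a proxy node would see them. Not real data.
SAMPLE_REQUESTS = [
    # Plain-HTTP login to a hypothetical control panel: form credentials in the clear.
    b"POST /panel/login HTTP/1.1\r\nHost: cc.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"user=operator&pass=hunter2xyz",
    # HTTP Basic auth is only base64, so it is equally readable.
    b"GET /panel/stats HTTP/1.1\r\nHost: cc.example.invalid\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:s3cret") + b"\r\n\r\n",
    # A TLS tunnel: the proxy learns the destination, nothing else.
    b"CONNECT bank.example.invalid:443 HTTP/1.1\r\nHost: bank.example.invalid:443\r\n\r\n",
    # Ordinary unauthenticated request, nothing of interest.
    b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
]

# Form field names that commonly carry login material (illustrative list).
CRED_FIELDS = re.compile(r"^(pass|passwd|password|pwd|user|username|login)$", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def extract_credentials(raw):
    """Return (kind, host, detail) tuples for credential material visible in the clear."""
    method, _target, headers, body = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    if method == "CONNECT":
        # TLS-wrapped traffic: only the tunnel endpoint is visible to the proxy.
        return findings
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("latin-1")
            findings.append(("basic-auth", host, decoded))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, ignore
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for field, values in parse_qs(body).items():
            if CRED_FIELDS.match(field):
                findings.append(("form-field", host, f"{field}={values[0]}"))
    return findings


def scan(requests):
    """Run extract_credentials over every relayed request and collect the results."""
    found = []
    for raw in requests:
        found.extend(extract_credentials(raw))
    return found


if __name__ == "__main__":
    for kind, host, detail in scan(SAMPLE_REQUESTS):
        print(f"{kind:11} {host:22} {detail}")
```

The point is not the parser but the asymmetry: the two plaintext requests hand over a username and password to whoever controls the relay, while the TLS request to the bank reveals only a hostname. Routing C&C logins through a proxy network run by other criminals, without TLS, is the combination of mistakes the researchers describe.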
Read more of this story at SoylentNews.