Hide N Seek Botnet Return

Community Team Member

Hide N Seek is back with a vengeance, adding two new exploits to its menacing family of malware. See how Palo Alto Networks customers are protected. Be sure you're protected, and track the malware family, too. Got Questions? Get Answers here on LIVEcommunity.

 

Executive Summary

The Hide ‘N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.

Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).

 

 

Twitter post by Unit 42 on Hide 'N Seek BotnetUnit 42 shares the latest on Hide N Seek botnet.

This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits: CVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.

While the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined below, shows that the Hide ‘N Seek botnet incorporated this exploit back in February 2019, even before the DDG botnet.

 

Technical Analysis

This newest version of the Hide ‘N Seek malware incorporates many of the previously seen features of the malware family including the persistence, the incorporation of exploits, and targeting Android devices via ADB.

In addition to exploits previously used by the malware family, this particular version is unique for its use of two new exploits.

 

Palo Alto Networks customers are protected by:

  • WildFire, which detects all related samples with malicious verdicts.
  • Threat Prevention, which blocks all exploits used by this variant.

The malware family can be tracked in AutoFocus using the tag HideNSeek.

 

Learn more here:

https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-r...

 

Excerpted from a post bRuchna Nigam,

Palo Alto Networks Unit 42

 

..........................................................................................................................................................................................

 

While taking aim against the exploits of Hide 'N Seek, be sure to take in the latest cybercrime drama from Netflix, Unit 42. Yep.

 

Glue yourself to the tube and tell us what you think.

 

Ryan Olson Unit 42 Tweet.png

 

Vicky Ray Unit 42 Tweet.pngWill the real Unit 42 please stand up?

Well, we know who the real Unit 42 is - find them hard at work, protecting our digital way of life here on Twitter:

@Unit42_Intel

1,194 Views
Ask Questions Get Answers Join the Live Community
Labels