SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.mrblack (Back to overview)

MrBlack

aka: AESDDoS, Dofloo

MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.

MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.

References
2021-12-19BleepingComputerBleepingComputer
@online{bleepingcomputer:20211219:exposed:333be0a, author = {BleepingComputer}, title = {{Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware}}, date = {2021-12-19}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/}, language = {English}, urldate = {2023-07-24} } Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware
MrBlack
2017-11-17LloydLabsLloyd Davies
@online{davies:20171117:part:cf7e1c8, author = {Lloyd Davies}, title = {{[Part 1] - Analysing the New Linux/AES.DDoS IoT Malware}}, date = {2017-11-17}, organization = {LloydLabs}, url = {https://blog.syscall.party/post/aes-ddos-analysis-part-1/}, language = {English}, urldate = {2023-07-24} } [Part 1] - Analysing the New Linux/AES.DDoS IoT Malware
MrBlack
2015-12-03360 Internet Security CenterYa Liu
@techreport{liu:20151203:automatically:7e1f412, author = {Ya Liu}, title = {{Automatically Classifying Unknown Bots by The REGISTER Messages}}, date = {2015-12-03}, institution = {360 Internet Security Center}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf}, language = {English}, urldate = {2023-07-24} } Automatically Classifying Unknown Bots by The REGISTER Messages
MrBlack XOR DDoS DarkShell
2015-09Virus BulletinPeter Kálnai, Jaromír Hořejší
@techreport{klnai:201509:ddos:21c35c6, author = {Peter Kálnai and Jaromír Hořejší}, title = {{DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT}}, date = {2015-09}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf}, language = {English}, urldate = {2023-08-31} } DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT
Bashlite MrBlack XOR DDoS BillGates
2014-05-15Dr.WebDr. Web
@online{web:20140515:ddos:42ce265, author = {Dr. Web}, title = {{DDoS Trojans attack Linux}}, date = {2014-05-15}, organization = {Dr.Web}, url = {https://news.drweb.com/?i=5760&c=23&lng=en}, language = {English}, urldate = {2019-07-11} } DDoS Trojans attack Linux
MrBlack

There is no Yara-Signature yet.