VPNFilter is a botnet that compromised over 500,000 routers/IoT devices in at least 54 countries around the world.
Brain Food is a PHP script botnet discovered by Proofpoint researchers spreading through phishing campaigns; it has already compromised over 5,000 websites. The threat actor sends the victim a spam email containing a shortened URL. After the link is clicked, the victim is redirected to a landing page that advertises diet pills using stolen branding to make the website appear legitimate. The page attempts to trick users into providing personally identifiable information (PII) to the threat actors. The malicious PHP script runs in the background of the website, going unnoticed by anti-virus/anti-malware engines due to its polymorphic nature and obfuscated code. In addition to information stealing, the malware contains a backdoor that could allow the threat actor to perform remote code execution on infected web servers.
Reporting and Technical Details:
May 2018: Brain Food botnet gives website operators heartburn (Proofpoint)
Discovered in 2018 by Radware researchers, JenX is a botnet that advertises the ability to perform query floods, attacks against NFO gaming servers, attacks against OVH, and attacks against TeamSpeak3 (TS3), an app used for voice and text chat. JenX also boasts the ability to perform DDoS attacks that exceed 1 terabyte per second (Tbps).
Smominru is a botnet that, at the time of writing, consists mostly of over 526,000 Windows computers, primarily Windows servers. Although it has been observed delivering a variety of malware to vulnerable systems, such as Mirai DDoS malware and other trojans, its primary function is to generate profit for its operator(s) by mining cryptocurrency on infected systems.
Researchers at NewSky Security discovered Masuta, a malware family developed from the source code of Mirai and likely developed by the creator of Satori known as "Nexus Zeta." From Masuta, a second version was created, dubbed PureMasuta, which leverages a flaw in the HNAP protocol in D-Link routers that was originally identified in 2015.
F5 threat researchers discovered a new cryptocurrency-mining malware targeting Linux systems via the SSH protocol. This malware is written in the Python scripting language and is designed to infect systems and join them together in a botnet, dubbed PyCryptoMiner, for the purpose of mining Monero cryptocurrency.
WireX is a large botnet that leverages Android-powered mobile devices to perform distributed denial-of-service (DDoS) attacks on targets. Network traffic generated by WireX was discovered by researchers on August 2, 2017, and the source of the malware infections that formed the botnet was traced to approximately 300 mobile apps available for download on the Google Play Store.