Microsoft on Thursday identified a cross-platform botnet designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. The botnet, called MCCrash, is distinguished by an unusual spreading mechanism: it can spread to Linux-based devices even though the infection originates from malicious software downloaded onto Windows hosts.
The company reported that the botnet spreads by enumerating default passwords on internet-exposed devices with Secure Shell (SSH) enabled. Such devices are susceptible to this kind of attack because IoT devices can be remotely configured with potentially insecure settings.
As a result, the malware can persist on IoT devices even after it has been removed from the originally infected Windows computer. The tech giant's cybersecurity division is tracking the activity cluster under the emerging moniker DEV-1028.
Most of the infections were reported in Russia. A few cases were also reported in Uzbekistan and Ukraine. The company did not disclose the exact extent of the campaign.
The botnet's initial infection point is a group of machines compromised by "cracking" tools that claim to offer illegal Windows licenses.
That software then acts as a conduit for executing a Python payload that contains the botnet's core features, such as scanning for SSH-enabled Linux devices and launching a dictionary attack against them.
Once a Linux host has been breached through this propagation method, the Python payload can be deployed on it to execute DDoS commands. One Python payload, "ATTACK_MCCRASH", was explicitly designed to crash Minecraft servers.
Microsoft described the method as "highly efficient," noting that the capability was likely being offered as a service in underground forums.
Researchers Maayan Shaul, Mae Dotan, Yuval Gordan, and Ross Bevington said that this type of threat highlights the importance of organizations managing, keeping up to date, and monitoring not only traditional endpoints but also IoT devices, which can be less secure.
These findings follow Fortinet FortiGuard Labs' disclosure of details about a new botnet called GoTrim, which has been observed brute-forcing self-hosted WordPress websites.