Make It count: An analysis of a brute-forcing botnet
What does a botnet do when it gets bored? Make every infection second count – even if it means to use the infection time for brute forcing.
This presentation aims to show a complete sandbox infection cycle, which started with a seemingly Gamarue infection and end up with an automated horizontally brute forcing malware and more than 4000 WordPress sites targeted.
By performing an in-depth network traffic analysis of a 15 days network capture, the talk will unveil how this botnet works, in particular:
- A detailed timeline of the infection
- Different command and control channels identified and different usages
- Characteristics of the horizontal brute forcing and how it is actually performed
- The uncovered infrastructure of the botnet
- Network IOCs for identifying the threat
- A short analysis of the targeted sites – who’s been targeted and commonalities among them
![]() |
![]() |
![]() |