Botconf 2023

What does a botnet do when it gets bored? Make every infection second count – even if it means to use the infection time for brute forcing.
This presentation aims to show a complete sandbox infection cycle, which started with a seemingly Gamarue infection and end up with an automated horizontally brute forcing malware and more than 4000 WordPress sites targeted.

By performing an in-depth network traffic analysis of a 15 days network capture, the talk will unveil how this botnet works, in particular:

• A detailed timeline of the infection
• Different command and control channels identified and different usages
• Characteristics of the horizontal brute forcing and how it is actually performed
• The uncovered infrastructure of the botnet
• Network IOCs for identifying the threat
• A short analysis of the targeted sites – who’s been targeted and commonalities among them