MasterMana Botnet
The MasterMana Botnet is a decentralized network of Trojans that collect cryptocurrency credentials and other information for making money. Although the network's threat actor is targeting businesses, these attacks are, seemingly, opportunistic, and use phishing lures against semi-random victims. Always have dedicated anti-malware applications for removing the MasterMana Botnet's Trojans, and watch over e-mail attachments and links for possible attacks.
An Unexpected Master over Your Bitcoin Wallet
Rather than the more typical approach of mining for cryptocurrency, a newly-uncovered botnet is, instead, collecting it from the users of the machines it recruits. Although the MasterMana Botnet has possible links to the Gorgon Group threat actor of great notoriety, the network's campaign has an oddly casual approach to making money. However, some PC workers are taking an even more lax approach to their e-mail security.
The MasterMana Botnet is spreading through phishing e-mails to business addresses harvested by unknown methods. Unlike, for example, a state-sponsored phishing attack versus a diplomatic embassy, (see, for contrast, APT15 TidePool deployments), these lures may not include individually-customized disguises. More generic ones are likely such as invoices, fake office equipment messages, or resumes, particularly, in Excel spreadsheet formats.
After going through a setup routine involving abusing Pastebin text-storage resources and PowerShell scripts, the MasterMana Botnet drops one or more centerpiece Trojans. Malware researchers are emphasizing the following, especially notable threats:
- The AZORult spyware, which also circulates through a range of sources, like the STOP Ransomware family. This version of the data collector boasts more than just filching passwords. It also can offer download/upload functionality. Furthermore, it provides most of the MasterMana Botnet's data exfiltration for cryptocurrency wallets.
- RevengeRAT is an alternative to AZORult with less emphasis on collecting data and more on providing a user-friendly remote administration interface. It also appears in numerous other campaigns separately from both the MasterMana Botnet and AZORult.
However, other payloads, especially with backdoor functionality, also are possible.
Stopping Your Bitcoins from Becoming Someone Else's Mana
The modern version of the 'mana from heaven' mythic event is, arguably, making money from nothing, such as Bitcoin generation. The MasterMana Botnet's capacity for hijacking cryptocurrencies and other information worth selling is a criminal equivalent that turns others' hard work into pay for unseen attackers. Symptoms of the threats that it usually deploys are nearly nonexistent, which makes foresight and infection prevention that much more critical.
All workers using Windows environments should have basic training on phishing avoidance and common e-mail tactics. A phishing attack, usually, requires the victim's enabling a macro or, at a minimum, running an outdated, unpatched, and, therefore, unsafe document reader or similar application. Exercising well-maintained version control and, above all else, not enabling macros will help avoid most of the usual drive-by-downloads.
The MasterMana Botnet attempts keeping a low profile by using publicly-available Web resources. On the bright side, all of the threats that it employs are well-known to the cyber-security industry. Most anti-malware programs should delete the MasterMana Botnet's Trojans without difficulties.
The only thing that the MasterMana Botnet is a master of is other people's information and coins. Unlike most entities that deem themselves worthy of the title, its mastery is easily overridden by anyone who's paying attention while checking their e-mail.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.