Security Unlocked 10.6.21
Ep 47 | 10.6.21

Untangling Botnets


Nic Fillingham: Hello, and welcome to "Security Unlocked," a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. 

Natalia Godyla: And now let's unlock the pod. 

Nic Fillingham: Hello, the internet. Hello, listeners. Welcome to episode 47 of "Security Unlocked." I'm Nic Fillingham, joined today as always by my co-host Natalia Godyla. And today we have a returning champion. Elif Kaya is joining us again. Elif was our guest back on episode 19, where we talked about attacker email infrastructure and what that can tell us about persistent cybercriminal operations. Elif has been working on botnets. And there's been a couple of a blog posts in the last few months that have been covering these topics. Elif has had a hand in most of those. 

Nic Fillingham: So we asked Elif to come back on the podcast and give us a bit of a roundup of what's happening in the world of botnets. We talk about Phorpiex. We talk about Lemon Duck and Lemon Cat. And we talk about coin mining as the activity that these attackers are using their botnets for to obviously go and generate revenue by mining various cryptocurrencies. 

Natalia Godyla: What's super interesting to me is the fact that while these botnets are using, in many cases, older infrastructure, they are using older vulnerabilities to infiltrate, they are also using more sophisticated behavior. And in the case of Lemon Duck, you'll see that in addition to the traditional bot and mining activities, they are actually expanding their objectives to include things like stealing credentials and removing security controls and even patching vulnerabilities in order to stop other malware from entering that particular device, which to me, is just such an interesting spin on the norm for an attacker. 

Nic Fillingham: And I embarrassingly did pose the question to Elif of, hey, Elif, is there actually an upside... 

Natalia Godyla: (Laughter). 

Nic Fillingham: ...To maybe getting some of your endpoints pwned as part of a botnet if the attacker is going to break in and patch a batch of vulnerabilities (laughter)? I think the answer is no. We did get there. But I also asked the question 'cause that's what we do. We ask the tough questions here on Security Unlocked. Elif has some fantastic guidance for security professionals about how to spot a botnet that might be in your network, especially if you're someone that does run coin-mining software because the attackers are utilizing legitimate coin-mining software. So if you normally have coin mining running, you definitely want to go and take notice just in case an attacker hasn't broken in and sort of redirected your coin-mining operation to their own wallet or to some other sort of central collection. It's a great episode - on with the pod. 

Natalia Godyla:  On with the pod. 

Nic Fillingham: Welcome back to the Security Unlocked podcast Elif Kaya. Welcome, Elif. Thanks for joining us again. 

Elif Kaya: Hi, thanks for having me, Nic. 

Nic Fillingham: Let's refamiliarize our audience with you, Elif. We first spoke to you back in early 2021 on episode 19, where you came and talked to us about tracking attacker email infrastructure. That was a great episode - very much enjoyed that chat. For those that haven't heard that episode and haven't been introduced to you, can you tell us a little bit about your role here at Microsoft? What do you do? What's your day to day look like? What are you focused on? 

Elif Kaya: Sure. I work with the Microsoft Defender 365 threat intelligence team. We do publish a lot of public-facing works alongside MSTIC, which is the most commonly known threat intelligence team within Microsoft. And we directly support the Microsoft Defender 365 product through both doing long-term threat research investigations into popular malware and botnets, which is part of what we'll talk about today, as well as doing kind of short-term FN and bug filing to help improve the products as we go forward. We also directly support the threat analytics feature, which is available through Microsoft Defender 365 in order to generally group up alerts, detections, analyst reports and other information on especially prevalent malware in the environment. 

Nic Fillingham: And is there a particular category of malware or a particular sort of set of families of malware, particular techniques that you personally focus on? Or do you go where you're needed? 

Elif Kaya: So the whole team kind of goes where they're needed. But in particular, I generally tend to focus on botnets, commodity threats, such as RATs, Trojans and phishing-delivered malware that are built with automated builders. And I focus as well on attacker infrastructure from an email angle as well, as we discussed on the last talk. So anything phishing, I may have a hand in and - as well as most things botnet related or commodity related on the team right now. And so the team kind of does break up a little bit on different focuses, but that's the part that I really enjoy because I do like to focus where there is a very large impact. 

Elif Kaya: I do have a background on blue team as well, doing security engineering. And so I know just how prevalent some of the what is generally considered lower-level or low-hanging fruit type malware is in corporate environments. And coming from the Microsoft side, it's always very interesting to see how what is - can be often perceived as a small threat can impact a very large number of users and not necessarily be reacted on as quickly. That being said, I definitely - when we need to research and investigate things like ransomware and really high impact, high volatility threats, I helped where needed. But... 

Natalia Godyla: That's fantastic. And that tees us up really nicely here. So for the topic of today's episode, we'll be covering botnets. It would be great to just start with a preliminary overview on botnets. So can you describe - what are botnets? 

Elif Kaya: Yeah. So there's kind of the historical definition of botnets, which - Microsoft actually has one that I managed to dig up from 2014, which is just that botnets are a network of compromised computers that criminals use to commit fraud, such as spreading malware, stealing information or hijacking internet search results to take you to dangerous websites. Nowadays, we would probably just call that malvertising or advertising fraud, but that's just a kind of general thing. And I also kind of looked over, before we had our talk today, on what some other organizations define botnet as, and it's all kind of that similar thing. The key components of at least a definition of botnet is that it has to be a network of computers, it connects into a controller of some kind, and it does tasks. The issue with that definition in the modern age is that most malware will perform those basic tasks at the moment. 

Elif Kaya: And so currently, the definitions that you find when you kind of just search, like, what is a botnet - or you go to school for cybersecurity, which I did as well, a lot of the certification exams will also kind of give you that more basic definition, which, in practice, can be really confusing for defenders on exactly what the different actions they should take for a botnet versus other malware because we are definitely seeing more and more - especially commodity threats like RATs are really built with multiple malware inside. So the idea of something that checks into a controller and distributes other malware is becoming increasingly common as multipart malware is more common. 

Nic Fillingham: And botnets aren't a new thing. Botnets have been around for a long time. Botnets have probably been around for as long as the internet has existed. Is that true? Do we know anything - I'm putting you on the spot here, Elif, so apologies - but in terms of, like, sort of the history of this as a problem, it's not new. It's been going on for a while. 

Elif Kaya: Right. Botnet is one of the older security terms that folks will be familiar with. And I do think quite a few people outside of the security industry are familiar with the term botnet and historical kind of additional terms like bot herder, bot zombie, bot client. And so historically, it was kind of easier to point the finger at different botnets and what they were doing because there were kind of less of them in the area. But botnets are well known for lasting a very long time and being pretty resilient. 

Elif Kaya: So one of the botnets that we covered recently, Phorpiex, which recently actually did begin to shut down, had been in operation over 10 years. But it is really not unheard of for some botnets - some of which are shut down, some of which are still running - to have begun running before 2010 and even earlier. I know that Microsoft had contributed back in 2017 to a big disruption in the Gamarue/Andromeda botnet, which I'd have to check the numbers on, but that one was also quite an old botnet. So in terms of a large number of machines coming together to help perform a denial-of-service attack or spamming or extortion, while it's hard to define the exact numbers, it's still a very large part of the cybercrime infrastructure. But especially back in the early thousands and et cetera, botnets were very well known for being what powers a lot of the spam emails and extortion emails that people receive. 

Elif Kaya: And I suppose what is not surprising but perhaps a little surprising is that it hasn't really changed since then in terms of how effective it is at it. The only, perhaps, difference in what might make botnets a little less flashy than they used to be is that it's a bit harder and you have to get a much bigger botnet in order to do what they used to be most well known for, which is denial of service. There's a lot of great technology out there making denial of service harder and harder to do, and so a lot of the botnets devoted to something like offering denial of service to attackers would be ones that are compromising Internet-of-Things devices or devices that are both easy to compromise and are in a lot higher volume than might be able to acquire through just workstation compromises. 

Nic Fillingham: Yeah, got it. That then leads me to coin mining. That's something we're definitely going to talk about - about how some of these botnets are being used. I wondered if - just while we're on the topic of fundamentals and definitions, can you hit us up with coin mining? What do we need to know about that? 

Elif Kaya: Right. So historically, botnets, like I mentioned, would be used for things like email spam, DDoS attacks, credential theft or financial theft. But nowadays, we definitely see a lot more of these secondary malware and coin mining, especially. So coin mining - when it comes to just understanding it in general, when we say coin mining, when we say mining, when we say crypto mining, we're referencing cryptocurrency mining on a machine, leveraging the machine's resources. So any machine can generally be leveraged for this, and attackers definitely make no qualms using workstations or servers. And there are some botnets that will preferentially seek out server-type applications in order to benefit from cloud scaling resources or benefit from server resources, which will, of course, be able to mine more cryptocurrency. We see a lot of miners - and again, we're using the word miner pretty colloquially here. But it's also probably a good point to mention that the presence of a miner is not necessarily the presence of malware because mining itself perhaps is considered an agnostic or a benign activity in the same way that advertising fraud - the ads themselves - may be a benign activity mainly focused on income generation. 

Elif Kaya: But when we're referring to mining malware, we're referring to malware that drops the miner. But the miner itself that it usually drops is usually open source or based off a miner that a regular user - if you or me wanted to get into the cryptocurrency market, we could download the same mining resources that these malwares commonly use. A really common one is XMRig, which is just available online, which multiple of these mining botnets will drop. And so that kind of adds to that complication in detection sometimes is because we use the word mining botnet to define the whole botnet. But the mining capability actually doesn't often come from the code of the botnet itself but more or less how they deploy it and where the money goes. But oftentimes, they won't necessarily develop their own miners. The development of the botnet will just be around how to sneakily get the miner in, how to destroy competition and how to make sure that they're generating enough income through the botnet clients. 

Elif Kaya: But, yeah, in terms of defining for coin miners, it's just the process of using computer resources in order to passively generate cryptocurrency and then report it out to wallets that are available on the internet. Additionally, on the endpoint systems, this might also include connections out to what, at first glance, might look like C2s, but they might actually be mining pools that the computer is checking into in order to contribute its resources to a collective pool to mine currency. 

Nic Fillingham: And the fraud or the crime here is that these attackers, these criminals, they're using someone else's resources. They're using their compute. They're using their electricity. They're using their bandwidth in order to mine some form of cryptocurrency for their own benefit. So they're stealing - the thing that they're stealing here is essentially resources, which the owner of that computing endpoint is paying for. And then we think - we probably can't prove this - right? - but we think then that those funds that are generated through this crypto mining are probably maybe being funneled back into more cybercrime or perhaps even things more nefarious. Am I right? 

Elif Kaya: Right. There are some botnet developers that also develop malware in order to use for other services that they will allow the botnet to be used both for passive generation for themselves and to allow attackers to do credential theft and other information. Most botnets and malware that will drop a cryptocurrency miner will do any amount of other tasks as well, including the credential theft and information to come in at a later time. 

Natalia Godyla: Gosh. OK, so I want to dig into that a little bit more. So when you're mentioning that you expect more to happen with the malware or there are those who expect more to happen with the malware, how does that impact how the defenders view the actions they can take or they should take with the botnets? 

Elif Kaya: Yeah. So if there's a presence of automated lateral movement, if there's the presence of crypto mining activity and if there's a presence of especially what we're seeing as, more commonly, competition killing activity as well - so what we're noticing when a machine gets infected with some of the more popular botnets lately is that when they come in, they might actually patch the vulnerability that they came in with. They might actually remove other miners that have exploited that same vulnerability in order to make sure that they have exclusive access to your computing resources and for additional activity and in order to reduce the chance that that machine is triaged for instant response. So don't be surprised if instances increase in the future where you are experiencing an edge vulnerability and you scan your network for it and identify that machines that you did not patch are patched. That is also a behavior that we're seeing occasionally. 

Elif Kaya: So there is a lot of activity the botnets are starting to do that really mimics some of the more advanced pieces of malware that we're used to, which starts to blur the line between what is a botnet and what is not because there are also quite a few just general pieces of malware that will come in and begin dropping currency miners in order to either create diversions which, again, can try and reduce the amount of - the chance that the individual SOC analysts will consider it a serious threat. 

Natalia Godyla: The Microsoft 365 Defender Threat Intelligence team has pulled together a few blogs outlining some of this guidance, as well as malware infrastructure on a few different malware families. One was on LemonDuck and LemonCat. So for those who want to follow up by reading the blog series, it's part 1 and part 2 on "When Coin Miners Evolve," as well as a blog on Phorpiex morphs. So I'd love to start with just an overview of these botnet families, Phorpiex and LemonDuck. How do they operate? What is the incentive behind these botnets? 

Elif Kaya: Right. So it's kind of a mix here, even though these blogs came out just a little bit ago, of old and new. So up until about a week ago, Phorpiex was a quite old botnet - over 10 years old - that was still very successful and had a very large footprint of compromised devices in the world that particularly focused on passive generation. So when we're classifying botnets, there's a focus on whether or not it's focused on personal passive generation for the botnet owners, whether they're creating passive generation for people that have leased out their services or whether they're doing secondary malicious actions that they themselves benefit from or they're doing secondary malicious actions that other people benefit from. 

Elif Kaya: So Phorpiex was very much focused on its own passive income generation, both through crypto mining on the workstations that it compromised itself, through lateral movement onto other workstations in order to expand its spread and through facilitating access to its botnet resources, which had a particularly notorious spamming capability, which is common especially in older botnets but also in newer ones, which leveraged existing mail accounts or existing resources on the systems in order to spoof addresses that Phorpiex would come up with, which had a particular pattern, in order to send sextortion emails. Sextortion, for those that aren't familiar, is extortion emails which purport to have illicit images generally of you or people you know and will threaten to release those to the public unless you give them money. And this will usually be in the form of cryptocurrency. Phorpiex used a wide variety of cryptocurrency in this means, and IBM actually had been tracking the wallet amounts of how much money they were making from this avenue. 

Elif Kaya: LemonDuck itself - we do have a two-part series on it. The first part covers the spamming module of it as well, which LemonDuck has, which is generally to proliferate itself. It does not deal extortion primarily through this. It delivers loaders for the malware. So there's a lot of different ways that you can get infected with LemonDuck. It does have a very large suite of edge vulnerabilities that it exploits. And it's worth noting that most botnets that we see now are exploiting vulnerabilities on Windows and Linux, so they have structured their capabilities to be effective on both. And LemonDuck is one of those that affects, I believe, like, over 10 or 11 different entry vectors in terms of edge vulnerabilities at this point, as well as through its spamming module, which will proliferate its malware, as well. 

Elif Kaya: And then the second part of our blog series on LemonDuck covers a lot of the things defenders can do in order to remediate LemonDuck in their environment, as well as a sample list of infrastructure that we're aware of and queries in order to identify its presence in your environment. It does also have a coin mining component that's pretty prevalent and is also known for exploiting vulnerabilities very quickly after they're released. We are seeing an increase in terms of how quickly a botnet will modify itself in order to exploit new vulnerabilities. And with LemonDuck itself, that was one of the botnets that we noticed. When it infects the device, it may actually patch the device so that other malware cannot also infect it. And it's a good segue also into one particular, almost fun behavior of botnets lately, which is because there are so many botnets and coin miners that are kind of made up of piecemeal parts and coming together in that they're - the infection rate of them is so high, a lot of them are shipping with killer scripts. So the particular killer script that LemonDuck uses has been available for a few years, but they have their own iteration of it that quote, unquote, "kills" a very particular set of processes. But a lot of these botnets are shipping with the ability to basically remove other miners and other malware on the system in order to free up resources because even if it's not a miner, malware running on the system might be doing scanning or anything else that's going to eat up that precious resource time that they could use for mining and also draw attention to themselves, which they don't really want to do. So if you have a system that fires a few alerts but then is patched and suddenly has no alerts when you run a manual scan, you're probably a lot less likely to notice it. Now, aside from that... 

Nic Fillingham: That's - I want to jump in there, Elif, because that's sort of hilarious. So these botnet attackers are actually sort of cleaning up after themselves or cleaning up after their peers in order to have, I guess, exclusive access to the resources. So they're sort of like - is it a double-edged sword? Are they actually - sorry - doing some good while also doing some bad? I'm not trying to defend their work. But, like, there's just this sort of cognitive dissonance in what you just described. I want to sort of double-click on that. 

Elif Kaya: It's hard to say how effective each of the things that it's removing are and the likelihood that you truly have a system that's infected with, you know, 10, 15 miners at a time. If you do have a system infected with 15 miners at a time, a botnet coming in and cleaning it up might be the least of your worries. 

Nic Fillingham: (Laughter) Touché. 

Elif Kaya: But it is something that we have noticed before, that it is a reality that these things work. So there are instances of botnets coming in or coin miners coming in, especially after one of these edge vulnerabilities hits kind of the market, and you kind of see a warfare going on between all the different miners on the system. So one of them will win out, but they'll remove their competition. So in terms of a double-edged sword, I'd say it's still bad, especially because, as we're seeing, these newer miners do tend to drop secondary malware or lead to Cobalt Strike or a lateral movement more often. But yeah, it is an interesting part. I think whenever we hear about malware cleaning up other malware, it's kind of like, why would they do that? And I think coin mining kind of answers the question a little bit about that. 

Nic Fillingham: Gosh, is there anything to learn from deconstructing the source or these scripts that seem to ship with malware that clean up after themselves? Are some of these malware coders? Are they actually coming up with some really ingenious scripts for how they go and find other - competing malware and then remove them, patch the system and then - like, is there anything to learn? This is a bizarre question, I know. 

Elif Kaya: I think there is a bit because what we see, especially with something like - there is a very particular killer script that is used by LemonDuck, which - I believe Bitdefender published the whole script as of 2020. It does have a newer version now that is a bit more extensive. But what we're seeing is basically from this one point in time where - I forget the name of it, but the first botnet kind of that I had seen that was using this kind of competition killer script was very small in comparison - only removed, maybe, like, 15 or so services, and they've kind of burgeoned up to, like, 70, 80 services being removed. And what you kind of learn from looking through it is that different malware operators seem to be a lot more invested in learning who their competitors are and who other malware names are because when we say we're removing competitors, what they're generally doing is searching for services, searching for a task name, searching for persistence mechanisms where other malware might be. And so it kind of - a lot of them are leveraging the same scripts over and over again. So once one of them benefits from it and it becomes public, they can kind of reuse it. But we are seeing some that are kind of novel or at least have been expanded on, like LemonDuck. So someone behind the scenes is certainly going around and has a good understanding of TTPs of other malware. And so it probably is a good thing to check or at least do as a proof of concept for other security researchers as, like, can you look through the script and identify all the - what is it trying to kill? Are all these botnets still around? Are they not still around? Because you certainly start to - and we see this with phish kit research as well - these kind of old pieces of code that just keep getting reused and reused and added on, and it creates kind of a little history of competitors. So definitely, in some instances, attackers may have a pretty keen eye on who their competitor malware is, better than some blue teams or some defenders. 

Nic Fillingham: But to be super clear, you're not endorsing - no one here is endorsing the infection of a botnet in order to... 

Elif Kaya: Yeah. 

Nic Fillingham: ...To clean up other botnets (laughter). 

Elif Kaya: Please don't infect your machine to clean up the other botnets. If you're very concerned, you could probably search for the individual TTPs of the botnets themselves to remove them. 

Nic Fillingham: I have two questions about Phorpiex. One, did we ever really have an idea of how many nodes, how many endpoints were a part of the Phorpiex botnet? Was it - you know, what was the scale? Tens of thousands, hundred thousands, millions? I'd love to know, if you know that. 

Elif Kaya: It was definitely - at its peak, it was tens of thousands at any given... 

Nic Fillingham: OK. 

Elif Kaya: ...Point in time. And up until it shut down, we did know that it was growing in size. It was not necessarily becoming less effective over time, despite the fact that - or learning - earning less money over time. There were - up to and until the time that it shut down, it was both clear that they were kind of losing control of the botnet a little bit with some of their domains expiring, but we had also noticed them add a couple new tricks here and there, so it almost kind of, at least from our perspective, seemed like they were probably always going to shut down. But they were also perhaps evaluating how effective it was to try some new activities or try some new things there. But they were - up until the point that they shut down, they were still very capable of generating passive income from its very large infection base. And it was still executing with those modules for lateral movement via USB and network drives, which was still quite effective on many machines because I think USB and hardware devices, especially as we're more remote, as well, now, isn't generally considered a big issue anymore. And I'm not saying that it is, perhaps if you are a blue team listening to this going to take actions today, that that should be your first action to take. But there are some of these older techniques that are still highly effective. 

Nic Fillingham: The other thing I wanted to ask is how do we take down - when I say we, I mean the industry. Is simply the discovery of these botnets and the publishing of the structure of how they work, the IoCs, et cetera, et cetera - is that how you go as an industry? Is that how Microsoft can contribute to helping take down these botnets? So I guess the first part of this question is, can you talk about Microsoft's role in bringing down Phorpiex? And then maybe we can talk about other botnets that are out there. And what can Microsoft do, and what can the industry do to try and take them down or at least reduce them in scale and help sort of mitigate their impact? 

Elif Kaya: So I don't have personal experience in the cybercrime sales in particular. I would not say that Microsoft took down or contributed necessarily or definitively to the takedown of Phorpiex. Their listing for the sale of the source code referenced two particular vendors, us and Check Point, who were - particularly, Check Point had been researching Phorpiex for quite a while. And because it was an older botnet, there was kind of the trickle of what I had previously talked about about defenders in the news media in general, where botnets don't necessarily make the news or dedicated research as often. So the number of large-scale vendors that were reporting on a botnet like Phorpiex tended to be limited. So I do think that releasing information about how these work, of course, in a way that is assisting defenders without necessarily releasing everything for immediate reuse is very helpful in this kind of endeavor. While I can't say that in an industry way or in - speaking for anyone else but myself, I do believe being very transparent with kind of the research around these kind of structures, especially when we see a case like Phorpiex or a case like LemonDuck, which is allowed to persist pretty unfettered for a while because of the lack of attention, because of the lack of concern around it - that releasing information about it as a whole also helps demystify it. 

Elif Kaya: I know Emotet last year was one of the most well-known botnets in terms of people understanding the name and understanding how it works. But I still think there is still a need for the industry to kind of have a bigger discussion about exactly how these pieces work and how we can mitigate them as a whole. I think counting on any one security product or security vendor to mitigate something that is, like you had mentioned earlier, like, a cloud resource for attackers - botnets are a very important part of the attacker infrastructure - it's going to require being pretty transparent with how they operate. Other botnets that are still quite common for use in spamming and phishing and powering quite a bit of the spam and phish in the wild out there are things like the Cutwail botnet, and we've also seen botnets like Purple Fox, which is currently infecting a lot of devices and leading to some pretty severe follow-on activity. 

Elif Kaya: So yeah, to your question, I do think it helps to be transparent about this when we have it. I generally tend to err on the side of publishing more transparent research, the better. But this is probably one of those examples where we'll never know for sure. But I like to think that at least putting some of this in the spotlight, at least, a defender might look at it and be able to spend part of their day refining it. They might clean up a few machines. But if we can release something that gives them an action to do and kind of always write our reports with the idea of like, hey, we've done this cool research. If a defender picked this up today, could they clean up their environment? Could they find it in their environment, and could they clean it up? If the answer is yes, I think it's worth publishing. 

Natalia Godyla: Thank you for that. I wanted to shift gears and talk a little bit about the takeaways for security practitioners. So, of course, like you said, there's all this great content that your team is producing to help defenders get a better sense of the attacker infrastructure and behaviors. But in terms of mitigations that they can readily apply or any major go-dos after listening to your explanation of these botnets, what would you recommend? 

Elif Kaya: So in terms of botnets, if you were to be on a defending team and kind of sit down and be like, how can I identify new botnets? - I would look at the parts that are common across the most popular botnets right now. So even against Phorpiex, LemonDuck and some of the ones that are currently out in the wild and being created, some of the common elements is they are generally always going to use those coin miners, again. Sometimes, things that aren't botnets are going to use those coin miners, as well. They're going to do that automated lateral movement, and they're also generally - or they could have a spamming module, as well. So if we were to just focus on those three things, apart from, of course, when you see kind of reports about this go out, even if it says coin miner, even if it says botnet, don't discount the severity of those kind of attacks. And definitely, if there is the ability, follow up with your internal resources. But if you were to try and tackle, how do I mitigate this at the source? - I would really interrogate within the company. Like, what am I doing, and how can I be sure that I'm identifying coin mining activity? How can I identify spamming activity? If you don't have that kind of understanding of your environment to be able to detect when a machine has suddenly started behaving anomalously in this way, it's going to be difficult to identify especially new or evolving or highly dynamic botnets. 

Elif Kaya: A lot of these botnets are going to come in through edge vulnerabilities, so patching, of course, is going to be key. What we're seeing especially is when one of these vulnerabilities hits the market, faster and faster, we're getting public exploits of it. So definitely prioritize patching whenever you can, whenever these come out, and make sure that the SLAs that you have internally for remediating those edge vulnerabilities are fast. Create a culture internally of assuring that when you see a coin miner or a botnet or a potentially unwanted application, or PUA, or potentially unwanted program, PUP, alert pop up, you don't just discredit it out of hand, especially because if you see a coin mining alert, but it's a brand new piece of malware, it might fall into one of those categories, like I mentioned earlier, where they're bringing in a very well-known coin miner that will definitely have an alert, but it could be a brand-new botnet. So you may see the alert for the coin miner, but you won't see something else. And so, of course, create playbooks around that scenario, as well, because we are seeing a lot of movement in the space. And because of the sheer volume of it, I would focus just on those core tactics that we're seeing botnets do, which is exploit those edge vulnerabilities, utilize infected machines for spamming infrastructure and for internal scanning and lateral movement through either USBs or through brute-forcing of vulnerabilities internally. That's something we saw explicitly with LemonDuck about - after it had exploited edge vulnerabilities to come in, it would then exploit more vulnerabilities to move throughout the environment. So patching and coin mining and spamming behavior. Not all botnets will use the onboard mail accounts, but LemonDuck was an example which would use the email accounts of the actual one. So, for example, if I had been infected, LemonDuck would start sending the mail as Elif at Microsoft to all of my contacts list. But if I had been infected with Phorpiex, the mail would not be coming directly from me. So that doesn't always look the same. But definitely, if you have a robust security program for email, that kind of behavior, when somebody's user account is compromised in that way and begins sending out mail, is both a good identifier of potential botnet infection or just a good identifier of an account compromise that's coming and living solely in email. 

Nic Fillingham: Elif, before we get - let you go, I'd love to know your thoughts on this space moving forward. What trends have you seen? Where is the sort of botnet category moving - in what direction? And therefore, what should security practitioners sort of keep their eye on for this space? 

Elif Kaya: Right. And so a lot of the investigations and research that I've also done with commodity malware such as RATs, I think, inform this view that is a popular trend in botnets, as well, is that when we try and think about malware, it's important to think about malware as made up of components and made up of different modules in order to fulfill different functions. What we're seeing more with the new botnets that are coming onto the scene is that they're leveraging different components from botnets historically or botnets new in terms of using scripts that are very readily available verbatim. And so what you see in the detection landscape, then, is a user may see a lot of different alerts that don't really give them a key to what the malware is because we're used to thinking of malware as one bundle of code. But when it comes to identifying a piece of malware like LemonDuck, it has to do with an initial bundle of code but also each individual component it uses. And at this point, the individual mining component, spamming component, infection components and killing or competition-killing components that are present in something like LemonDuck are being reused - I'm not saying reused as in, like, the very explicit same hashes are being reused. But, like, the same scripts, the same code is being leveraged in different malware, as well. We see this very commonly in RATs, where many RATs - when we say like, oh, this is a variant that's part of the same family, some of them are very nearly identical. And so when we are trying to do investigations as defenders for investigating this, we should try and make sure to understand that, like, what uniquely identifies a particular infection and what you should do is the different components used. And the trend we're seeing is that malware operators, in order to operate more quickly, are just kind of piecemealing together these components. 

Elif Kaya: This is something we see in ransomware, as well, with the presence of many available builders for ransomware, where there are different components that are pulled from one or the other. There were some really good pieces of research about the Haron ransomware, which had both components from Avaddon and from the Thanos builder that it used. And so as we move more into this space, just be aware that the trend of naming malware, of designating it as a single bundle, is becoming more and more diffused. And so the idea of a multipart malware is becoming every malware. The idea of a botnet or a malware that drops more malware and becomes part of a network is soon becoming every malware. Not in a particularly scary way, but in a way that is just kind of the behavior of what's happening. And so when you consider a piece of malware, you're actually considering a whole bundle of components. And those components may be reused even if that botnet goes down. If LemonDuck stopped tomorrow, we'd see that killer script again. We'd see those miners again. We'd see their infection script again but different. 

Natalia Godyla: Thank you again for joining us today, Elif. It was great to have you on the show, and we definitely hope to have you back. 

Elif Kaya: All right. Thanks, Natalia. Thanks, Nic. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us at @MSFTSecurity or email us at with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.