Positive Technologies found Neutrino botnet which steals other hackers’ webshells

Researchers at Positive Technologies have discovered an extremely rare botnet. It was built by attackers who use the Neutrino Trojan to take over servers that other attackers had already compromised. Once a takeover succeeds, the operators use the server to mine cryptocurrency.

Positive Technologies says that, like other botnets, the Neutrino botnet scans for and infects specific applications and servers. It uses a variety of techniques, such as searching for unprotected phpMyAdmin installations and brute-forcing access to the system root account. Unlike other botnets, however, the Neutrino botnet focuses on hijacking webshells planted by other malware. A webshell is a backdoor script, operated through a web interface, that is used in attacks against servers.


Positive Technologies said the attackers behind Neutrino have been searching for many kinds of webshells. Once a target is found, they launch brute-force attacks against the webshell's password to take over the server it controls. Most attackers, after infecting a device, put defensive measures in place to keep other attackers out, which is why a botnet like Neutrino that targets other attackers' footholds is so rare.

According to the report, the Neutrino Trojan preferentially infects Windows servers running phpStudy, a package widely used by Chinese developers. Servers running the phpMyAdmin application are also highly exposed. Experts recommend that server administrators review root account passwords regularly and apply security patches promptly to avoid such attacks.
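The two behaviours the report describes, scanning for phpMyAdmin and hammering an existing webshell with password guesses, both leave traces in ordinary web server access logs. The script below is an added example written for this page, not code from Positive Technologies or from the report: it parses lines in the Apache/nginx "combined" log format (an assumption about the server's configuration), flags requests to a short list of common phpMyAdmin paths (an assumed list, not one from the report), and flags any client that POSTs repeatedly to the same PHP file within a short window, which is what a brute-force attempt against a password-protected webshell looks like. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 203.0.113.7 - - [10/Sep/2019:12:01:00 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path prefixes commonly probed when scanning for phpMyAdmin (assumed list, not from the report).
PMA_PATHS = ("/phpmyadmin", "/pma", "/myadmin", "/mysql")

# Constructed sample log: one scanner probing for phpMyAdmin, one benign visitor,
# and one client POSTing six times in 15 seconds to a PHP file in an upload directory.
SAMPLE_LOG = """
198.51.100.23 - - [10/Sep/2019:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 221 "-" "python-requests/2.22"
198.51.100.23 - - [10/Sep/2019:12:00:02 +0000] "GET /pma/index.php HTTP/1.1" 404 221 "-" "python-requests/2.22"
192.0.2.10 - - [10/Sep/2019:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2019:12:00:09 +0000] "POST /login.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:12:01:00 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2019:12:01:03 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2019:12:01:06 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2019:12:01:09 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2019:12:01:12 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2019:12:01:15 +0000] "POST /uploads/img.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching paths
    return rec


def find_pma_probes(records):
    """Return (ip, path) pairs for requests aimed at known phpMyAdmin locations."""
    return sorted({(r["ip"], r["path"]) for r in records
                   if r["path"].lower().startswith(PMA_PATHS)})


def find_webshell_bruteforce(records, threshold=5, window_seconds=60):
    """Flag (ip, php_path, count) where one client POSTed to the same PHP file
    at least `threshold` times inside any `window_seconds` span."""
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].lower().endswith(".php"):
            groups[(r["ip"], r["path"])].append(r["ts"])
    hits = []
    for (ip, path), times in groups.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, path, best))
    return sorted(hits)


def summarize(lines, threshold=5, window_seconds=60):
    """Run both detections over raw log lines; unparseable lines are counted, not dropped silently."""
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    return {
        "parsed": len(records),
        "skipped": len(lines) - len(records),
        "pma_probes": find_pma_probes(records),
        "webshell_bruteforce": find_webshell_bruteforce(records, threshold, window_seconds),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real server you would feed `summarize` the access log for the period of interest; a hit in `webshell_bruteforce` against a PHP file under an upload or cache directory is worth treating as an already-compromised host rather than a mere scan, since a webshell only gets brute-forced if it is already there.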