According to researchers, evidence suggests Lizard Squad is alive and well, continuing their malicious activities under the guise of BigBotPein.
ZingBox researchers have strong evidence that BigBotPein is the new name under which Lizard Squad is discreetly carrying out cybercriminal activities, and that Lizard Squad has a close connection with the Mirai malware. This information connects Lizard Squad and Mirai (an already known link) to the series of DDoS (distributed denial of service) attacks that caused widespread destruction in 2017.
BigBotPein is Lizard Squad
The co-founder and CEO of ZingBox, Xu Zou stated: “Despite the courageous efforts of our law enforcement agencies to identify and tear down various hacking groups, the collaboration between groups makes it extremely difficult to completely shut down their efforts for good. Arrests of high-profile members and founders of such groups certainly slow down their momentum, but organizations can’t take their foot off the gas when it comes to being vigilant about the security of their network.”
Lizard Squad is known for some of the most disturbing and far-reaching DDoS attacks in the history of digital crime. The group is responsible for the successful disruption of the Sony PlayStation, Xbox Live, and Blizzard’s Warcraft networks. Over the years, various individuals have been alleged to have used the LizardStresser DDoS service offered by Lizard Squad, and have ended up getting arrested.
Mirai, Lizard Squad, and BigBotPein
Mirai, on the other hand, came to light only about a year and a half ago, making headlines in mid-2016 after successfully attacking the hosting provider OVH, security expert Brian Krebs’ blog and Dyn’s DNS infrastructure with a massive botnet. It must be noted that the source code of the Mirai malware was leaked online merely weeks after these DDoS attacks were launched, and that Brian Krebs’ blog was probably targeted because the journalist had severely criticized Lizard Squad and linked the group with Mirai.
According to the information acquired by ZingBox researchers, Lizard Squad hackers and Mirai are linked, and the fact that Lizard Squad and Mirai both used the same Ukrainian hosting service, Blazingfast, further reinforces this. Moreover, it is also worth considering that the source code of the Mirai malware was released exactly 9 days after Zachary Buchta, the founder of Lizard Squad, was arrested.
Researchers were able to single out BigBotPein as connected to Lizard Squad after analyzing a domain associated with another Mirai-based scheme that was launched in late 2017; this domain was registered in the name of a person linked with Lizard Squad. BigBotPein came into the limelight for supporting Buchta after he was captured by the police, and this group chose Mirai as its key Internet of Things weapon to target a variety of architectures including x86, x64, ARC, MIPS, ARM, SPARC, and SuperH.
Adding Ethereum and Monero miners to its malware
Furthermore, the report [PDF] suggests that this group has added Ethereum and Monero miners to its malware portfolio and has managed to improve its social engineering skills to a great extent over time. In October 2017, researchers also identified a Mirai-based campaign that used the domain bigbotpein[.]com, while Mirai authors were known for using blazingfact[.]io for controlling the botnet.
Satori, Memes and Masuta, among the many variants of the Mirai malware, were also linked to this group, and the Satori campaign that was originally titled Okiru was hosted from numerous domains, one of which happened to be network[.]bigbotpein[.]com. From mid-January 2018, the domains used by both Lizard Squad and BigBotPein were switched to the US-based hosting service providers Rackspace and Search Guide, which again highlights the connection between the two groups.
According to ZingBox researchers, the Mirai malware code contained a structure that was identified in July 2017 as related to Lizard Squad; the code allowed the malware to decode its second-stage payload discreetly. Moreover, a file dropped from the BigBotPein domain control[.]almahosting[.]ru during the November 2017 Satori campaign to launch a Monero Stratum miner also showed evidence of a link between Lizard Squad and Mirai.
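The domains named in the preceding paragraphs are published defanged (with "[.]" in place of "."), which is how threat reports usually ship indicators. The following added example, which is not part of the article or of ZingBox's report, shows how a defender would refang those indicators and check DNS query logs against them, matching exact domains and their subdomains without falling for look-alike names. The log format and the log lines themselves are constructed for this example and are not real data.

```python
import re

# Indicators quoted in the article, defanged exactly as published.
DEFANGED_IOCS = [
    "bigbotpein[.]com",
    "network[.]bigbotpein[.]com",
    "blazingfact[.]io",
    "control[.]almahosting[.]ru",
]


def refang(ioc):
    """Turn a defanged indicator ('a[.]b') into a normalized hostname ('a.b')."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


IOCS = {refang(i) for i in DEFANGED_IOCS}


def matches_ioc(domain):
    """Return the indicator that `domain` equals or is a subdomain of, else None.

    Matching is done on whole DNS labels so that 'notbigbotpein.com' does not
    match 'bigbotpein.com' the way a naive substring test would.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate
    return None


# Constructed sample DNS query log (assumed format: "<timestamp> <client> <qname> <qtype>").
SAMPLE_DNS_LOG = """\
2018-02-01T10:00:01Z 192.0.2.10 www.example.com A
2018-02-01T10:00:02Z 192.0.2.44 network.bigbotpein.com A
2018-02-01T10:00:03Z 192.0.2.44 control.almahosting.ru A
2018-02-01T10:00:04Z 192.0.2.15 notbigbotpein.com A
2018-02-01T10:00:05Z 192.0.2.15 cdn.blazingfact.io A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(text):
    """Return one hit record per log line whose queried name matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = m.groups()
        hit = matches_ioc(qname)
        if hit:
            hits.append({"time": ts, "client": client, "qname": qname, "ioc": hit})
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h['time']} {h['client']} queried {h['qname']} (matches {h['ioc']})")
```

In the sample log, three lines match: two exact indicator names and one subdomain of blazingfact[.]io, while the look-alike notbigbotpein.com is correctly ignored. In practice the indicator list would be loaded from the report rather than hard-coded, and a hit should be treated as a signal to investigate the client, not as proof of infection on its own.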
“During this research, we witnessed firsthand the evolving complexity of the different variants of Lizard Squad and bigbotPein group’s malware within a span of one year […]. The Lizard Squad and bigbotPein groups used to be very active creating most of the well-known variants of Mirai,” noted ZingBox researchers in their report.
Thus, it can be stated that despite the arrest of various key members and founders of the Lizard Squad hacker group, the group is very much alive and actively carrying out cyber-attacks under another identity, BigBotPein.
Read ZingBox’s 21-page research here [PDF].