According to Microsoft, this is an unusual DDoS botnet boasting a unique design that lets it infiltrate Linux systems despite the malware being downloaded from Windows devices.
Remember when, earlier in January this year, a massive DDoS attack targeted a Minecraft event and took down the internet service of the entire country of Andorra? Well, now a new threat has surfaced whose target is, yet again, Minecraft servers.
Microsoft has published a warning about a cross-platform botnet designed to launch DDoS attacks (distributed denial of service attacks) against private Minecraft servers.
The MCCrash botnet targets users in Russia, Belarus, Czechia, Ukraine, Uzbekistan, Italy, Nigeria, India, Cameroon, Indonesia, Colombia, and Mexico. Microsoft is tracking the botnet’s activities under the moniker DEV-1028.
According to Microsoft researchers David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, and Ross Bevington, this is an unusual botnet boasting a unique design that lets it infiltrate Linux systems despite the fact that the malware is downloaded from Windows devices.
Even when the malware is removed from the infected Windows device, the MCCrash mechanism allows it to remain persistent on the unmanaged IoT devices connected to the network and keep operating.
How Does MCCrash Spread?
MCCrash spreads by enumerating default credentials on internet-exposed, SSH (Secure Shell) enabled devices. Since IoT devices are usually designed for remote configuration with insecure default settings, these devices are at particular risk of botnet attacks.
Microsoft didn’t disclose the exact scope of this campaign. The company noted that the botnet’s initial infection point is an array of compromised machines, which it infected using cracking tools that promise illegal Windows licenses. The software then executes a Python payload containing the core features of the botnet.
This includes scanning for SSH-enabled Linux devices and launching a dictionary attack against them. Once a Linux host is breached through this propagation method, the same Python payload runs DDoS commands, one of which explicitly targets Minecraft servers and crashes them. Microsoft claims the attack is highly effective and could be offered as a service on hacking forums.
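From a defender's side, the SSH dictionary attack described above leaves a recognisable trail in the target's authentication log: a burst of failed password logins from one source, spread across several usernames, sometimes followed by a successful login from that same source. The script below is an added example written for this article; it is not code from Microsoft's report or from the botnet. It assumes the standard OpenSSH syslog line format, and the log lines it parses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH syslog format. These are
# illustrative only and are not taken from the article or from Microsoft's report.
SAMPLE_AUTH_LOG = """\
Dec 15 10:01:02 iot-cam sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 15 10:01:03 iot-cam sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec 15 10:01:04 iot-cam sshd[815]: Failed password for invalid user pi from 203.0.113.7 port 40138 ssh2
Dec 15 10:01:05 iot-cam sshd[817]: Failed password for invalid user ubnt from 203.0.113.7 port 40144 ssh2
Dec 15 10:01:06 iot-cam sshd[819]: Failed password for root from 203.0.113.7 port 40150 ssh2
Dec 15 10:01:08 iot-cam sshd[821]: Accepted password for root from 203.0.113.7 port 40158 ssh2
Dec 15 10:05:30 iot-cam sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Dec 15 10:05:41 iot-cam sshd[903]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return password-auth events as (timestamp, result, user, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated sshd lines (key auth, disconnects, ...)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    events.sort(key=lambda e: e[0])
    return events


def detect_dictionary_attacks(text, fail_threshold=5, window_seconds=60, min_users=3):
    """Flag sources that produce >= fail_threshold failed logins against >= min_users
    distinct usernames within a sliding window, and record any later successful
    password login from a flagged source as a probable compromise."""
    events = parse_auth_log(text)
    failures = defaultdict(list)  # source -> [(timestamp, user)] inside the window
    findings = {}
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append((ts, user))
            # Drop failures that fell out of the sliding window.
            failures[src] = [(t, u) for t, u in failures[src]
                             if (ts - t).total_seconds() <= window_seconds]
            users = {u for _, u in failures[src]}
            if len(failures[src]) >= fail_threshold and len(users) >= min_users:
                f = findings.setdefault(src, {"failures": 0, "users": set(), "compromised": set()})
                f["failures"] = max(f["failures"], len(failures[src]))
                f["users"] |= users
        elif src in findings:
            # A password login succeeding after a flagged burst is the signal that matters most.
            findings[src]["compromised"].add(user)
    return findings


if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures across users {sorted(info['users'])}; "
              f"successful logins afterwards: {sorted(info['compromised']) or 'none'}")
```

The thresholds are deliberately conservative so that a single mistyped password (the `198.51.100.20` lines) is not reported; tune them to the device's normal traffic. On IoT devices that must stay SSH-exposed, the more durable fix is to disable password authentication altogether (`PasswordAuthentication no` in `sshd_config`) and replace the vendor default credentials before the device goes online, which removes the attack surface this detector watches.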
“This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure,” Microsoft’s blog post noted.