Group has ties to the Darkhotel APT attacks
Security researchers from Forcepoint say that a new botnet has slowly risen and grown to contain over 19,000 zombies all over the world, but predominantly in Asian countries.
Named Jaku (Star Wars reference alert — Jakku), the botnet has made most of its victims in countries such as Japan and South Korea, which account for 73 percent of all infections. Nevertheless, security experts say they detected infections with Jaku’s malware in 134 different countries, even if in some of them only one or two users were affected.
Jaku is one of the most sophisticated and resilient botnets around
Researchers say that the first signs of the botnet appeared last September, and in a six-month timeframe Jaku grew tremendously compared to other similar threats.
The group behind Jaku controls the botnet through multiple C&C (command-and-control) servers, most of which are located in countries in the APAC region, such as Singapore, Malaysia, and Thailand.
In order to stay hidden from sight, the Jaku group deployed three different C&C mechanisms and also used obfuscated SQLite databases on the client side to store configuration files.
The Jaku botnet can be used to deliver spam and to launch DDoS attacks, but also to deploy other types of malware. This second-stage delivery relies on steganography, which the crooks use to hide their malicious code inside image files.
Jaku infects users via poisoned torrent files
Forcepoint says that infections usually take place via malware-laced files shared via BitTorrent. The group usually goes after high-value targets but doesn’t mind if other users are infected as well.
Security researchers say the group has shown interest in international Non-Governmental Organizations (NGOs), engineering companies, academic institutions, scientists and government employees.
“The Jaku campaign has clear connections with the TTPs used by the threat actors discussed by Kaspersky in the Darkhotel investigations from November 2014,” Forcepoint researchers point out. The Darkhotel group was later known as Dark Seoul, and has recently been connected to hackers in North Korea, part of the Lazarus Group.