Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.
When researchers at Perch were going through customer telemetry last month, they found strings they hadn’t seen before. In looking through the signatures, Perch senior threat researcher Paul Scott found leads on a Reddit forum dedicated to Linux malware that showed Cayosin was “actually a custom piece of malware developed from multiple public sources,” Scott explains. “So it’s kind of a Frankenstein between Qbot, Marai, and a few other pieces of software. The actors kind of cobbled them all together to make a new thing.”
This new thing is a botnet for hire that draws marketing and support techniques from the best of legitimate commercial activity. “They were primarily renting spots or having subscribers sign up for an account when it was still in early development, and they were charging a very low amount of money, like $5 a spot,” Scott says. Since Cayosin has matured and become more full-featured, though, the developing syndicate (or individual) has raised the price.
Cayosin has been marketed through “legitimate” social media platforms rather than the Dark Web. One of the first marketing instruments was a YouTube video showing its operation. “[Then] in the comments of the YouTube video, they started talking about an Instagram account that was selling it,” Scott says.
The Instagram account of a user called “unholdable” contains multiple articles and videos explaining how to lease space on the Cayosin botnet, how to best use the malware, and how to purchase source code for the original version of the botnet software. “You can kind of see the development of not only Cayosin but other tools that this threat actor has published” in the Instagram posts, Scott says.
Following the social media accounts led researchers to the additional malware and botnets, including Yowai, a botnet described by researchers at Trend Micro. And tThe social media accounts are allowing the developer of Cayosin to engage in market research and customers support on a commercial scale.
“If you were to click on [the post], you can see that he’s like, ‘Hey, can you give me some feedback on the service I’ve been providing to you?'” Scott says. “I mean, he’s very good on customer service — top notch — and his marketing game and advertising is on point. I mean, he is letting everybody see everything through the Instagram Stories that he’s publishing here.”
Cayosin is evolving in both its ability to infect new systems and the payloads it can distribute, he adds. “It’s got a lot of different vulnerabilities packaged into it. It is looking for vulnerabilities in Linux Web servers, Internet of Things devices, and a number of routers,” Scott says.
With the evolution comes increasing business success. “This is just the newest iteration, and they’re actually starting to build up a following and a real service and business for their customers,” he says. “As each of these tools gets burned out because everybody learns the infrastructure, they just republish it under a new name.”
While Cayosin has primarily been used to launch distributed denial-of-service (DDoS) attacks, Scott says the evolving payloads show it’s beginning to see action as a tool for exfiltrating sensitive information, stealing credentials, and other activities that may have a greater economic impact than simple DDoS.
While an individual attack using the new botnet may have an impact, Scott indicates that the greater threat may come from the new business model Cayosin represents. “There’s a whole culture here,” he says. “So this is a generation that’s very comfortable with social media. They’re just making it part of their infrastructure. We’re moving out of the Darknet and into the light.”