Our honeypot system captured a new DDoS botnet sample on 2019-06-23. We named it Emptiness, after its running process name and its C2 domain. Emptiness is written in Golang and supports both Windows and Linux. Our further analysis reveals its iterative evolution: the early version of Emptiness had only DDoS functionality and was propagated through a Mirai.shiina variant botnet that the same author had been running for a long time. The later version of Emptiness added SSH scanning to enable self-propagation. In addition, the C2 communication protocols of both Emptiness and Mirai.shiina kept changing, which makes them harder for security researchers to track.

REFERENCE:
https://blog.netlab.360.com/emptiness-a-new-evolving-botnet/
TAG: