Experts from Kaspersky GReAT (Kaspersky Lab's Global Threat Research and Analysis Center) have discovered a new botnet and named it Tsundere. The attackers target Windows devices using PowerShell scripts or an MSI installer. The malicious implant that installs the bot on infected devices is distributed, in particular, under the guise of installers for popular games such as Valorant, CS2 and R6x. Kaspersky Lab solutions recorded Tsundere attacks in Mexico and Chile. At the same time, judging by the technical analysis, the bot tries to avoid infecting systems in the CIS countries, yet detections were also recorded in Russia and Kazakhstan. Experts emphasize that this botnet continues to expand and poses a significant cyber threat.
In Tsundere, Web3 smart contracts are used to host command server addresses. This technique is gaining popularity among attackers because it makes the botnet infrastructure more resilient: the command server address is read from the blockchain rather than hard-coded in the implant. Judging by the botnet's control panel, implants are generated automatically in two distribution formats: an MSI installer and PowerShell scripts. These implants install, on the compromised user's device, a bot that can continuously execute JavaScript code. Tsundere uses WebSocket as the main protocol for communicating with the attackers' command server.
Tsundere uses the Ethereum blockchain to switch between the attackers' command servers. The botnet has its own control panel and trading platform combined into a single interface.
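The combination described above (a smart-contract read to obtain the command server address, followed by a WebSocket session to that server) is something a defender can look for in egress logs. The following is an added example, not code from Kaspersky's report or from the botnet itself: it correlates, per source host, a JSON-RPC call that reads contract state (assumed to be `eth_call` or `eth_getStorageAt`) with a subsequent WebSocket upgrade to a destination outside an allowlist, within a configurable time window. The log format, the hostnames, the allowlist and the window are all assumptions constructed for the example.

```python
"""Correlate Ethereum contract-state reads with later WebSocket connections.

Constructed sample proxy log lines (not indicators from the report). Each line is:
  <iso timestamp> <source host> <destination host> <HTTP method> <path> <json-rpc method or -> <upgrade header or ->
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ws-01 rpc.example-eth-node.invalid POST / eth_call -
2024-01-01T10:00:04 ws-01 203.0.113.10 GET /socket - websocket
2024-01-01T10:02:00 ws-02 rpc.example-eth-node.invalid POST / eth_call -
2024-01-01T10:03:00 ws-02 collab.example.com GET /ws - websocket
2024-01-01T10:05:00 ws-04 rpc.example-eth-node.invalid POST / eth_call -
2024-01-01T10:40:00 ws-04 198.51.100.7 GET /socket - websocket
2024-01-01T11:00:00 ws-03 collab.example.com GET /ws - websocket
"""

# Assumed correlation window between the contract read and the WebSocket connect.
WINDOW = timedelta(minutes=10)
# Hypothetical allowlist of services that legitimately use WebSockets in this environment.
ALLOWED_WS_HOSTS = {"collab.example.com"}
# JSON-RPC methods that read contract state; assumed to be the kind of call used
# to fetch an address stored in a smart contract.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt"}


def parse_line(line):
    """Split one constructed log line into a dict of named fields."""
    ts, src, dst, method, path, rpc, upgrade = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "path": path, "rpc": rpc, "upgrade": upgrade}


def find_suspicious(log_text, window=WINDOW, allowed=ALLOWED_WS_HOSTS):
    """Return (src, rpc_dst, ws_dst) triples for hosts that read smart-contract
    state and, within `window`, opened a WebSocket to a non-allowlisted host."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_reads = defaultdict(list)  # src host -> [(timestamp, rpc destination)]
    hits = []
    for e in events:
        if e["rpc"] in STATE_READ_METHODS:
            recent_reads[e["src"]].append((e["ts"], e["dst"]))
        elif e["upgrade"] == "websocket" and e["dst"] not in allowed:
            # Flag on the first contract read that falls inside the window.
            for read_ts, read_dst in recent_reads[e["src"]]:
                if timedelta(0) <= e["ts"] - read_ts <= window:
                    hits.append((e["src"], read_dst, e["dst"]))
                    break
    return hits


if __name__ == "__main__":
    for src, rpc_dst, ws_dst in find_suspicious(SAMPLE_LOG):
        print(f"{src}: contract read via {rpc_dst}, then WebSocket to {ws_dst}")
```

On the constructed sample only `ws-01` is flagged: `ws-02` connects to an allowlisted service, `ws-04` opens its WebSocket outside the window, and `ws-03` never performs a contract read. The allowlist and window are the tuning knobs; in a real environment the RPC endpoints would be identified from the organisation's own traffic rather than from a fixed hostname.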
Expert analysis has shown that the developers of the Tsundere botnet are very likely Russian-speaking; elements of the code also point to this. In addition, the study revealed a link between the Tsundere botnet and 123 Stealer, a stealer distributed on underground forums.
"Tsundere's analysis has shown how quickly attackers adapt to modern conditions: apparently, they have repeatedly tried to update their toolkit. After switching to Web3 mechanisms, the attackers' infrastructure has become more flexible. We see that the implants continue to spread under the guise of installers for games, and there is also a connection with previously detected malicious activity. Therefore, it is likely that the botnet will continue to expand," comments Dmitry Galov, head of Kaspersky GReAT in Russia.
Please note that this press release is based on materials provided by the company. AK&M Information Agency shall not be held liable for its contents, nor for the legal and other consequences of its publication.