Data Security

MasterMana botnet hits users by evading detection with URL shorteners

MasterMana botnet is part of an ongoing malware campaign.

The IT security researchers at Prevailion have discovered an active botnet that has been targeting corporations and unsuspected users across the globe.

Dubbed MasterMana by researchers; the botnet utilizes every available option to target its victims including dropping backdoors and phishing attacks through business email compromise commonly known as BEC – If that’s not enough the botnet looks for cryptocurrency wallets on the targeted device and steal their login credentials to withdraw funds.

According to researchers, the malware campaign works in such a way that in the first stage, attackers send emails to victims attached with malicious files, particularly Word, Excel, PowerPoint, and Publisher. Upon opening the attachment, a .NET dll file is downloaded on the system that loads a fileless backdoor, a new form of malware that manages to hide within a computer system and successfully escapes detection.

Researchers believe that the fileless malware in the MasterMana botnet attack is either a variant of Azorult or Revenge RAT (remote access trojan). It is worth noting that Azorult has been previously used in several sophisticated cyberattacks including PayPal malware scam and attack in which more than 1000 Magento websites were hacked and used for cryptojacking and credential stealing.

Additionally, Azorult is capable of taking screenshots on the targeted device along with uploading, downloading files and execute ransomware attacks.

As for MasterMana botnet, these attacks use third-party URLs rather than using compromised domains as seen in previous attacks by other groups. The use of third-party URLs like, blogpost, and Pastebin help evade detection.

Screenshot: Prevailion

“Opening the infected document initiated the attack’s multi-pronged, labyrinth-like kill-chain. The layered kill-chain approach aids in evading detection by relying upon trust placed in a number of third-party websites and services.”


“The threat actors also took the additional steps of modifying older Pastebin posts to cease execution, as well as adding features to avoid some automated detection, such as sandboxing,” wrote Danny Adamitis and Matt Thompson of Prevailion in their blog post.

Based on the techniques and tactics used by MasterMana botnet, researchers have associated its activities with the “Gorgon Group,” an infamous group of sophisticated hackers discovered by Palo Alto Networks’ Unit42 in August 2018. The group was found targeting worldwide government organizations.

At the time of publishing this article, Prevailion had identified more than 2000 clicks on one of the malicious links on from locations including the United States, India, Germany, Brazil, etc.

Screenshot: Prevailion

This campaign is currently ongoing therefore if you want to know more about MasterMana botnet, there’s much more on Prevailion’s blog post including in-depth technical details.

If you are on the Internet you are at risk of cyber attacks and to protect yourself from this threat always be vigilant and refrain from downloading attachments from an unknown email. In case you have come through a malicious file or link use VirusTotal to scan them before opening them.

To Top

Pin It on Pinterest

Share This