After a few days of monitoring the channel, the bot master noticed our activity and registered the nicknames of the admins and white-listed the IRC clients allowed to join the network. This prevented us from pretending to be admins and controlling the bots.

During our research, the botnet peaked at around 350 bots, which is a relatively small size botnet. For example, last year a different IRC botnet was reported with more than 1,400 bots. Most of the victims are hosted on cloud services such as Amazon Web Services (AWS) and DigitalOcean, and about a third are hosted on Linode. When we conducted a geolocation of the IP addresses on the botnet, we found that U.S. and U.K. servers accounted for almost half of the bots.

Probable Attribution

Please note that at the time of publication, no group had yet claimed this botnet and we do not have official attribution of the individuals writing and operating Tuyul. Our probable Indonesian attribution is based on many pieces of evidence gathered while investigating this malware.

Time zone. The Asia/Jakarta time zone, as discussed in the Attack Methods section, is an important clue because it sets the default time zone used by all date/time functions. This is the most convincing evidence of the attacker’s origin that was set inside the API source code, as explained in the Malware section. While this may be purposefully set to a different time zone, it is only one of many indicators we look at when determining possible attribution. In addition, several other clues also pointed to Indonesia.

Administrator nicknames. The admin nicknames when used to configure this botnet may provide possible attribution information. Preman, one of the monikers used, is a word for an Indonesian gangster and, according to Wikipedia, is a member of an organized crime group.

When connecting to the C&C development environment, the Indonesian phrase “assalamualaikum pak aji” appears. It does not appear on the main C&C.

IP address. As investigations into this bot continued, the new version had an interesting IP address that exposed the threat actor’s development environment. The threat actor runs this development environment to test new versions of the Perl script. After the admins’ nicknames were registered we continued to monitor activity from both the main and development IRC servers. In the development IRC server, admin nicknames were not registered and there was an additional clue to the threat actor’s origin, including the use of the phrase assalamualaikum pak aji, which translates to “greetings sir Aji.” According to names.org, the name Aji may have many origins—one of the common ones is from Indonesia and means “bless.”