Experts believe that an experienced cybercrime group has created a botnet from compromised Linux-based systems and is using these servers and devices to mine Monero, a digital currency.
Crooks are apparently using brute-force attacks against Linux systems that feature exposed SSH ports. If they guess the password, they use Python scripts to install a Monero miner.
According to experts from F5 Networks, attackers have also started using an exploit for the JBoss server (CVE-2017-12149) to break into vulnerable computers, but the SSH attacks and brute-force attacks represent this new botnet’s bread and butter.
Python scripts are harder to detect
What sets this campaign apart from the other Monero-mining botnets that have arisen in recent months is that it relies on Python scripts rather than on malware binaries.
“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated,” F5 experts say. “It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution.”
Despite this, once researchers identified samples of the malware, its construction wasn’t that complex.
How the PyCryptoMiner malware works
Experts say that after infecting victims, crooks download an initial and very simple base64-encoded “spearhead” Python script that gathers info on the victims’ system and reports to a remote C&C server.
The server replies with a second Python script in the form of a Python dictionary file that installs a version of the open-source Minerd Monero mining client.
Experts say they identified two Monero wallets used by this botnet, which they named PyCryptoMiner. One contained 94 Monero and the second contained 64 Monero, for an approximate total of $60,000.
Botnet tied to old threat actor
Further, researchers said that the C&C domain names used by PyCryptoMiner were registered by an individual who was tied to over 36,000 domain names and 234 other email addresses, all used for domains involved in scams, gambling, and adult services.
One more thing that researchers found interesting was the fact that PyCryptoMiner used a hard-coded Pastebin link to retrieve the location of a backup C&C server when the main domain was down.
Experts say this Pastebin URL was viewed more than 175,000 times. This is not the botnet’s real size, as bots could have viewed this page numerous times. A clearer indicator of the botnet’s real size was the daily increase of around 1,000 views.
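The SSH brute-force entry point, the base64-encoded spearhead script run by a legitimate interpreter, and the Pastebin backup-C&C lookup described above each leave a trace a defender can look for. The following is an added example, not code from F5 or from the article: it counts sshd password failures per source over constructed log lines and decodes base64 literals passed inline to an interpreter so the obfuscated content can be matched against indicator strings; the failure threshold of three and the indicator list are assumptions.

```python
import base64
import re
from collections import Counter

# Constructed sshd log lines (not captured from a real host).
AUTH_LOG = """\
Jan  5 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan  5 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan  5 10:01:06 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Jan  5 10:02:11 host sshd[1233]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
Jan  5 10:05:00 host sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
"""
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def failed_logins_by_source(log_text):
    # Count password failures per source address; successful logins are ignored.
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def brute_force_sources(log_text, threshold=3):
    # Sources at or above the threshold (an assumed tuning value, not from the article).
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items() if n >= threshold)

# An interpreter run with an inline script that base64-decodes a literal before executing it.
INLINE_B64_RE = re.compile(r"(?:python[0-9.]*|perl)\s+-[ce]\s+.*b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
def inspect_inline_payloads(cmdlines, suspicious=("minerd", "pastebin.com", "xmr")):
    # Decode the embedded literal so the obfuscated content can be matched against
    # indicator strings. Returns (cmdline, sorted hits) for each matching command line.
    findings = []
    for cmd in cmdlines:
        m = INLINE_B64_RE.search(cmd)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        findings.append((cmd, sorted(s for s in suspicious if s in decoded.lower())))
    return findings
# Constructed command lines; the base64 literal encodes a harmless marker string.
_MARKER = base64.b64encode(b"# placeholder: fetch backup C&C from pastebin.com, run minerd").decode()
CMDLINES = [
    "python -c \"import base64;exec(base64.b64decode('%s'))\"" % _MARKER,
    "/usr/bin/python3 /opt/app/worker.py --queue default",
]
```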
This is a very small Monero-mining botnet but was still enough for the authors to make over $60,000, showing how popular and profitable such botnets can be at the moment. Earlier this week, when F5 researchers published their findings, the botnet was down and out of service.
In recent months, Monero-mining malware has become quite popular. Excluding cryptojacking events (which also mine Monero), some of the Monero-mining malware families and botnets we’ve seen in 2017 include Digmine, an unnamed botnet targeting WordPress sites, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork, and Bondnet.
At L Technology Group, we know technology alone will not protect us from the risks of cyberspace. Hackers, nation states like Russia and China, and “Bob” in HR opening that email are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology but also intelligent personnel who eat and breathe cybersecurity. Combined with proven processes and techniques, this makes for an advanced next-generation security solution. Since 2008, L Technology Group has developed people, processes and technology to combat the ever-changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.