Python-Based Botnet Targets Linux Systems with Exposed Ports


Experts believe that a knowledgeable cybercrime group has created a botnet from compromised Linux-based systems and is using these servers and devices to mine Monero, a digital currency.

Crooks are apparently using brute-force attacks against Linux systems that have exposed SSH ports. If they guess the password, they use Python scripts to install a Monero miner (a cryptocurrency miner).

According to specialists from F5 Networks, attackers have also started using an exploit for the JBoss server (CVE-2017-12149) to break into vulnerable computers.

However, brute-force attacks against SSH remain this new botnet’s bread and butter.

The attack stands out from other Monero-mining botnets that have arisen in recent months because it relies on Python scripts instead of malware binaries.

Python scripts are hard to detect

“Unlike a binary malware alternative, a scripting language-based malware is incredibly evasive by nature because it is easily obfuscated,” F5 specialists say. “It is additionally executed by a legitimate binary, which can be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with nearly every Linux/Windows distribution.”

Despite this, once researchers found samples of the malware, its structure turned out not to be that complicated.

How PyCryptoMiner malware works

Experts say that after infecting victims, crooks deploy an initial and very simple base64-encoded “spearhead” Python script that gathers data on the victim’s system and reports to a remote C&C server.

The server replies with a second Python script in the form of a Python dictionary file that installs a version of the open-source Minerd Monero mining client.

Experts say they found two Monero wallets used by this botnet, which they named PyCryptoMiner.

One contained 94 Monero and the second held 64 Monero, for an approximate total of $60,000.
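A defender can still look for this pattern in process telemetry. The following is an added example (not from F5 or the original article) that flags command lines where an interpreter is handed inline base64, then peels the layers to see what they carry. The command-line shape, the keyword list, the length threshold and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# Interpreters named in the F5 quote, matched on the first token of a command line.
INTERPRETERS = re.compile(r"^(?:\S*/)?(python[\d.]*|perl|bash|pwsh|powershell)\b", re.I)
# Runs of base64 alphabet; the 24-character floor is an assumed tuning value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Strings tied to behaviour the article describes (assumed, not F5's indicator list).
KEYWORDS = ("pastebin.com", "minerd", "base64", "exec(")

def decode_layers(blob, max_depth=3):
    """Peel nested base64 layers; return each layer that decodes to UTF-8 text."""
    layers = []
    while blob and len(layers) < max_depth:
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # bad padding or alphabet, or bytes that are not text
            break
        layers.append(text)
        nxt = B64_RUN.search(text)
        blob = nxt.group(0) if nxt else None
    return layers

def inspect_cmdline(cmdline):
    """Return a finding for an interpreter fed inline base64 text, else None."""
    m = INTERPRETERS.match(cmdline.strip())
    if not m:
        return None
    layers = [t for b in B64_RUN.findall(cmdline) for t in decode_layers(b)]
    if not layers:
        return None
    hits = sorted({k for k in KEYWORDS for t in layers if k in t.lower()})
    return {"interpreter": m.group(1).lower(), "layers": len(layers), "keywords": hits}

# Constructed sample data: a harmless comment string wrapped in two base64 layers.
_inner = base64.b64encode(b"# constructed: get http://pastebin.com/raw/PLACEHOLDER, start minerd")
_outer = base64.b64encode(b"import base64;exec(base64.b64decode('" + _inner + b"'))")
SAMPLES = [
    "/usr/bin/python -c \"import base64;exec(base64.b64decode('%s'))\"" % _outer.decode(),
    "/usr/bin/python /opt/app/manage.py runserver",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_cmdline(line), "<-", line[:60])
```

In practice the command lines would come from auditd `execve` records or an EDR process feed rather than a hard-coded list.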

Old threat actor linked to botnet

Further, researchers said that the C&C domain names used by PyCryptoMiner were registered by a person who was tied to over 36,000 domain names and 234 other email addresses, all used for domains involved in scams, gambling, and adult services.

Another detail researchers found interesting was that PyCryptoMiner used a hard-coded Pastebin link to retrieve the location of a backup C&C server when the main domain was down.

Experts say this Pastebin URL was viewed over 175,000 times. This is not the botnet’s real size, as bots may have requested this page multiple times. A clearer indicator of the botnet’s actual size was the daily increase of around 1,000 views.

This is a small Monero-mining botnet, but it was still enough for the authors to make over $60,000, showing how prevalent and profitable such botnets could be at the time. Earlier in the week, when F5 researchers revealed their findings, the botnet was down and out of service.

In recent months, Monero-mining malware has become quite widespread. Excluding cryptojacking incidents (which also mine Monero), some of the Monero-mining malware families and botnets seen in 2017 include Digmine, an unidentified botnet targeting WordPress sites, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork, and Bondnet.


Bleeping Computer