A Linux-based Monero miner botnet, which has been dubbed PyCryptoMiner, has been discovered by security researchers. The botnet, which is built around a cryptocurrency miner, has earned cybercriminals at least 158 Monero, equivalent to about $63,000.
PyCryptoMiner has been written in Python which has made it possible for the botnet’s operators to keep it under the radar.
“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” researchers from F5 Networks said in their report.
PyCryptoMiner Technical Details
Whoever is operating this botnet is also using brute-force attacks against Linux systems with exposed SSH ports. If the password is guessed, the cybercriminals deploy Python scripts and install the Monero miner malware.
Researchers also believe that the cybercriminals are using an exploit for the JBoss application server, identified as CVE-2017-12149, in their campaign. However, brute-force attacks against exposed SSH remain part of the cybercriminals’ attack arsenal.
What is interesting is that the PyCryptoMiner botnet doesn’t have hard-coded addresses for its command and control servers; it receives them from Pastebin posts. The botnet is also capable of acting as a scanner node, meaning that it scans the Internet for Linux machines with open SSH ports and attempts to guess the SSH logins. In case of success, the malware uses a simple base64-encoded spearhead Python script which connects to the command and control server to execute more Python code, researchers said. The script itself is positioned in the main controller bot and is capable of the following activities:
- Becoming persistent on the compromised machine by registering as a cron job (a time-based job scheduler in Unix-like operating systems);
- Collecting details about the compromised machine, such as the number of CPUs;
- Sending the collected information to the command and control server.
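From a defender's side, the two traits listed above (cron persistence and a base64-encoded Python spearhead that reaches out to Pastebin for its C2 address) are exactly what a host check can look for. The following is an added example, not code from F5's report or from the malware: it scans crontab text for interpreter entries fed a base64 payload, decodes any base64-looking blob and flags decoded text that mentions Pastebin or miner-related strings. The crontab lines and the encoded payload are constructed for the example; the indicator list is an assumption, not an IoC set from the page.

```python
import base64
import re

# Constructed sample crontab: a normal maintenance job, then an entry mimicking
# the pattern described above (python run on a base64 blob whose plaintext
# points at a pastebin.com URL). Not a real PyCryptoMiner artifact.
SAMPLE_PAYLOAD = "url = 'https://pastebin.com/raw/PLACEHOLDER'  # constructed\n"
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/bin/apt-get update -q\n"
    "*/5 * * * * python -c \"exec(__import__('base64').b64decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "'))\"\n"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed indicator strings for the decoded payload (not taken from the report).
SUSPICIOUS = ("pastebin.com", "socket", "exec(", "nproc", "xmr", "monero")


def decode_blobs(line):
    """Return decoded text for every base64-looking run in a cron line."""
    out = []
    for m in B64_RE.finditer(line):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.append(raw.decode("utf-8", "replace"))
    return out


def scan_crontab(text):
    """Return [(line_no, [reasons])] for entries matching the described pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = []
        low = line.lower()
        interp = re.search(r"\b(python[0-9.]*|perl|bash)\b", low) is not None
        if (interp and "b64decode" in low) or "base64 -d" in low:
            reasons.append("interpreter fed a base64 payload")
        for decoded in decode_blobs(line):
            hits = [s for s in SUSPICIOUS if s in decoded.lower()]
            if hits:
                reasons.append("decoded payload mentions " + ", ".join(hits))
        if reasons:
            findings.append((n, reasons))
    return findings
```

Feed it the output of `crontab -l` for each user and the files under `/etc/cron.d` to cover the persistence location the report names.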
PyCryptoMiner Botnet Activity
Apparently, the botnet is currently inactive, as its servers are offline. Nevertheless, this doesn’t mean that it won’t be reactivated in new malicious crypto-mining campaigns. If the botnet operator updates the Pastebin posts to point to a new command and control server, the botnet can quickly be brought back online.
As already mentioned, the botnet is also designed to look for machines exploitable via CVE-2017-12149, a recently disclosed vulnerability. This means that vulnerable JBoss servers may be the next target of PyCryptoMiner.