PyCryptoMiner Targets Linux Machines to Mine for Monero

PyCryptoMiner Targets Linux Machines to Mine for Monero

WaterMiner Monero Miner

A Linux-based Monero miner botnet, which has been dubbed PyCryptoMiner has been discovered by security researchers. The botnet which is based on a cryptocurrency miner has earned cybercriminals at least 158 Monero which amounts to $63,000.

PyCryptoMiner has been written in Python which has made it possible for the botnet’s operators to keep it under the radar.

Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” researchers from F5 Networks said in their report.

Related Story: CryptoLoot Coinhive Monero Miner – How to Remove from Your PC

PyCryptoMiner Technical Details

Whoever is operating this botnet is also using brute-force attacks targeting Linux systems with exposed SSH ports. In case the password is uncovered then cybercriminals deploy Python scripts and install the Monero miner malware.

Researchers also believe that cybercriminals are also using an exploit for the JBoss server in their campaign which has been identified as CVE-2017-12149. However, the deployment of brute-force and the exploit of SSH are also part of cybercriminals’ attack arsenal.

What is interesting is that the PyCryptoMiner botnet doesn’t have hard-coded addresses of its command and control servers as it receives them from Pastebin posts. The botnet is also capable of acting as a scanner node meaning that it scans the Internet for Linux machines with open SSH ports, and attempts to guess the SSH logins. In case of a success, the malware uses a simple base64-encoded spearhead Python script which connects to the command and control server to execute more Python code, researchers said. The script itself is positioned in the main controller bot and is capable of the following activities:

  • Becoming persistent on the compromised machine by registering as a cron job ( a time-based job scheduler in Unix-like computer operating systems);
  • Collecting details about the compromised machine like information on the number of CPUs.
  • Collected information is typically sent to the command and control server.
Related Story: WaterMiner Monero Miner Is the Newest Cryptocurrency Malware

PyCryptoMiner Botnet Activity

Apparently, the botnet is currently inactive, as its servers are offline. Nonetheless, this doesn’t mean that it won’t be reactivated in new malicious and crypto mining campaigns. If the botnet operator updates the Pastebin posts to point to a new command and control server, then the botnet can quickly be brought back online.

As already mentioned, the botnet is also designed to dig for potential exploit possibilities of CVE-2017-12149, a recently disclosed vulnerability. This means that vulnerable JBoss servers may be the next target of the PyCryptoMiner.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys ‘Mr. Robot’ and fears ‘1984’.

More Posts - Website

3 Comments

  1. Linux User

    This is hardly a malware. If you get access to the machine, you can do a lot of things other than just running a mining script.

    Reply
    1. Vencislav Krustev

      Hello, yes, but it all comes down to who configured it. Some malware authors often aim to embed legitimate miners in malware applications and add other “things” that the malware does. These are functions, that help it to propagate as well as self-update, copy itself and remain obfuscated.

      Reply
    2. Martin Beltov

      As it is stated in the article the miner is part of an extensive Python that is modular in nature. As a consequence the hacker operators can execute a variety of malware behaviour.

      Due to the recent rise of miners it is important for us to track all current events.

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...