A Linux-based Monero miner botnet, which has been dubbed PyCryptoMiner has been discovered by security researchers. The botnet which is based on a cryptocurrency miner has earned cybercriminals at least 158 Monero which amounts to $63,000.
PyCryptoMiner has been written in Python which has made it possible for the botnet’s operators to keep it under the radar.
“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” researchers from F5 Networks said in their report.
PyCryptoMiner Technical Details
Whoever is operating this botnet is also using brute-force attacks targeting Linux systems with exposed SSH ports. In case the password is uncovered then cybercriminals deploy Python scripts and install the Monero miner malware.
Researchers also believe that cybercriminals are also using an exploit for the JBoss server in their campaign which has been identified as CVE-2017-12149. However, the deployment of brute-force and the exploit of SSH are also part of cybercriminals’ attack arsenal.
What is interesting is that the PyCryptoMiner botnet doesn’t have hard-coded addresses of its command and control servers as it receives them from Pastebin posts. The botnet is also capable of acting as a scanner node meaning that it scans the Internet for Linux machines with open SSH ports, and attempts to guess the SSH logins. In case of a success, the malware uses a simple base64-encoded spearhead Python script which connects to the command and control server to execute more Python code, researchers said. The script itself is positioned in the main controller bot and is capable of the following activities:
- Becoming persistent on the compromised machine by registering as a cron job ( a time-based job scheduler in Unix-like computer operating systems);
- Collecting details about the compromised machine like information on the number of CPUs.
- Collected information is typically sent to the command and control server.
PyCryptoMiner Botnet Activity
Apparently, the botnet is currently inactive, as its servers are offline. Nonetheless, this doesn’t mean that it won’t be reactivated in new malicious and crypto mining campaigns. If the botnet operator updates the Pastebin posts to point to a new command and control server, then the botnet can quickly be brought back online.
As already mentioned, the botnet is also designed to dig for potential exploit possibilities of CVE-2017-12149, a recently disclosed vulnerability. This means that vulnerable JBoss servers may be the next target of the PyCryptoMiner.