Influenza A virus subtype H5N1 novel botnet consisting of to a greater extent than than 15,000 compromised servers has been used to mine diverse cryptocurrencies, earning its main about $25,000 per month.
Mining cryptocurrencies tin live a costly investment, every bit it requires an enormous amount of computing power, but cybercriminals direct maintain constitute an slowly money-making solution.
Dubbed BondNet, the botnet was outset spotted inwards Dec 2016 past times GuardiCore researchers, who traced dorsum the botnet malware developer, using online grip Bond007.01, to China.
According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, in addition to ZCash — but they warn that the hacker could easily direct maintain total command of compromised servers for malicious purposes, similar mounting Mirai-style DDoS attacks.
BondNet Attacks solely Windows Server Machines
Since mining cryptocurrencies take large amounts of CPU/GPU power, the botnet main goes later Windows Server machines; instead of consumer IoT devices.
However, inwards lodge to compromise Windows Server machines, the botnet main relies on dissimilar assault techniques. Researchers tell the hacker uses a combination of sometime vulnerabilities in addition to weak user/password combinations to assault to a greater extent than frequently than non sometime in addition to unsupported Windows Server machines.
The most mutual flaws exploited past times the botnet operator include known phpMyAdmin configuration flaws, exploits inwards JBoss, in addition to bugs inwards Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, in addition to other services.
Once the hacker attain access to a Windows Server machine, he deploys Visual Basic files to get together data near the infected organisation in addition to and thence install a Remote Access Trojan (RAT) in addition to a cryptocurrency miner to brand a huge turn a profit from the hacked servers.
BondNet's Botnet Infrastructure
One affair that's worth noticing is that the botnet operator does non job all infected machines for mining cryptocurrencies. The operator has built its botnet infrastructure of compromised servers amongst diverse roles:
1. Some infected machines serve every bit scanning servers to cheque for vulnerable systems on the Internet past times going through a listing of IP addresses amongst opened upwardly ports that direct maintain been compiled amongst the WinEggDrop TCP port scanner.
2. Some servers are used every bit file servers to host the mining software.
3. Other infected servers are turned into command-and-control (C&C) servers later they direct maintain been equipped amongst a fork of goup — a pocket-sized opened upwardly source HTTP server written inwards Golang.
"Building an assault infrastructure on peak of victim machines helps conceal the attacker’s truthful identity in addition to source of the attack," the GuardiCore researchers explained inwards their study published Thursday.
"It also provides high availability infrastructure, which is real helpful when relying on compromised servers, providing interplanetary space backup options inwards illustration 1 of the servers fails or loses connectivity to the internet."BondNet has already infected to a greater extent than than 15,000 server machines at major institutions about the world, including high-profile global companies, universities, in addition to metropolis councils, piece the bulk of them runs Windows Server 2008 R2.
Additionally, the BondNet botnet adds about 500 novel machines to its network each day, in addition to an simply about the same issue of servers are delisted.
Here's How to Detect the Threat in addition to How to Mitigate:
To forbid your machines from getting hacked, server admins are advised to secure their systems past times regularly applying safety patches for all software, updating the firmware, in addition to employing stronger passwords.
Meanwhile, GuardiCore has also provided network in addition to file indicators of compromise systems to assist server administrators cheque whether their machines are amidst compromised ones.
The researchers direct maintain also released a detection & cleanup tool (registration is required to download it) to assist admins divulge in addition to take away BondNet bots from their servers, every bit good every bit instructions on how to construct clean the organisation manually, without using the script.
Share This :
comment 0 Comments
more_vert