An Army of Thousands of Hacked Servers Found Mining Cryptocurrencies

A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master about $25,000 per month.

Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.

Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced the botnet malware developer, using the online handle Bond007.01, back to China.

According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies (primarily Monero, but also ByteCoin, RieCoin, and ZCash), but they warn that the hacker could easily take full control of the compromised servers for other malicious purposes, like mounting Mirai-style DDoS attacks.

BondNet Attacks Only Windows Server Machines

Since mining cryptocurrencies requires large amounts of CPU/GPU power, the botnet master goes after Windows Server machines instead of consumer IoT devices.

However, in order to compromise Windows Server machines, the botnet master relies on several different attack techniques. Researchers say the hacker uses a combination of old vulnerabilities and weak user/password combinations to attack mostly old and unsupported Windows Server machines.

The most common flaws exploited by the botnet operator include known phpMyAdmin configuration flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle WebLogic, and other services.

Once the hacker gains access to a Windows Server machine, he deploys Visual Basic files to gather information about the infected system and then installs a Remote Access Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked servers.

BondNet's Botnet Infrastructure

One thing worth noticing is that the botnet operator does not use all infected machines for mining cryptocurrencies. The operator has built its botnet infrastructure out of compromised servers with various roles:

1. Some infected machines serve as scanning servers that check for vulnerable systems on the Internet by going through a list of IP addresses with open ports that has been compiled with the WinEggDrop TCP port scanner.

2. Some servers are used as file servers to host the mining software.

3. Other infected servers are turned into command-and-control (C&C) servers after they have been equipped with a fork of goup, a small open source HTTP server written in Golang.

"Building an attack infrastructure on top of victim machines helps hide the attacker's true identity and origin of the attack," the GuardiCore researchers explained in their report published Thursday.
"It also provides high availability infrastructure, which is very helpful when relying on compromised servers, providing infinite backup options in case one of the servers fails or loses connectivity to the internet."

BondNet has already infected more than 15,000 server machines at major institutions around the world, including high-profile global companies, universities, and city councils, and the majority of them run Windows Server 2008 R2.

Additionally, the BondNet botnet adds about 500 new machines to its network each day, and about the same number of servers are delisted.

Here's How to Detect the Threat and How to Mitigate:

To prevent their machines from getting hacked, server admins are advised to secure their systems by regularly applying security patches for all software, updating the firmware, and employing stronger passwords.

Meanwhile, GuardiCore has also provided network and file indicators of compromise to help server administrators check whether their machines are among the compromised ones.

The researchers have also released a detection and cleanup tool (registration is required to download it) to help admins detect and remove BondNet bots from their servers, as well as instructions on how to clean the system manually, without using the script.