A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month.
Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.
Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced back the botnet malware developer, using online handle Bond007.01, to China.
According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, and ZCash — but they warn that the hacker could easily take full control of compromised servers for malicious purposes, like mounting Mirai-style DDoS
BondNet Attacks solely Windows Server Machines
Since mining cryptocurrencies needs massive amounts of CPU/GPU power, the botnet master goes after Windows Server machines rather than client IoT devices.
However, to compromise Windows Server machines, the botnet master relies on a different set of attack techniques. Researchers say the hacker uses a mix of old vulnerabilities and weak username/password combinations to attack mainly old and unsupported Windows Server machines.
The most common flaws exploited by the botnet operator include well-known phpMyAdmin configuration flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle WebLogic, and other services.
Once the hacker gains access to a Windows Server machine, he deploys Visual Basic files to gather information about the infected system, then installs a Remote Access Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked servers.
Here’s How to Detect the Threat and How to Mitigate:
To prevent your machines from getting hacked, server admins are advised to secure their systems by regularly applying security patches for all software, updating the firmware, and employing stronger passwords.
Meanwhile, GuardiCore has also provided network and file indicators of compromise (IoCs) to help server administrators check whether their machines are among the compromised ones.
The researchers have also released a detection & cleanup tool (registration is required to download it) to help admins find and remove BondNet bots from their servers, as well as instructions on how to clean the system manually, without using the script.