The botnet's creator is quietly cashing in on the craze for cryptocurrency.
Researchers have stumbled across a new botnet which has gone under the radar for a long time while quietly enslaving PCs in the quest for cryptocurrency.
On Wednesday, researchers from F5 Networks revealed their findings on PyCryptoMiner, a new Linux-based botnet which is spreading over the SSH protocol.
The botnet is based on the Python scripting language which allows for obfuscation and appears to be "spreading silently," according to the team.
PyCryptoMiner is also executed by a legitimate binary, which may be an interpreter shipped with the majority of Linux and Windows distributions.
F5 Networks says that the botnet scans for potentially vulnerable Linux machines and guesses SSH login credentials -- a practice made simple if victims use basic, easy-to-crack phrases and letter combinations.
Once scanning is complete, the botnet deploys a simple base64-encoded spearhead Python script which connects to a command-and-control (C&C) server to be issued additional commands and execute other Python payloads.
If the original C&C server is down, the botnet trawls through Pastebin to find new assignments.
Rather than hardcoding a C&C address into the system, the botnet's creator publishes alternative addresses through the Pastebin website, increasing the potential longevity of PyCryptoMiner.
"Many of these adversaries use "bullet-proof" hosting services, however, a more sophisticated approach that attackers are now using is public file hosting services like Dropbox.com and Pastebin.com, which cannot be easily blacklisted or taken down," the researchers say. "This technique also allows the attacker to update the address of the C&C server whenever they need to."
The threat actor works under the Pastebin username "WHATHAPPEN," and this name has been linked to a number of C&C servers as well as the online identity "Xinqian Rhys."
The registrant has been connected to over 36,000 domains, some of which are associated with scams, gambling, and adult websites.
PyCryptoMiner downloads the main controller from the C&C server or a directed source, and this system registers itself as a cron job to maintain persistence.
The Host or DNS name, details relating to the OS and accompanying architecture, CPU numbers and CPU usage data are all collected. The bot then checks to see whether the system has already been infected by the malware before sending a report to the C&C server and accepting additional instructions.
The botnet then harnesses the victim system for mining Monero. As of December 2017, the botnet has made roughly $46,000 for its creator.
It appears that PyCryptoMiner, however, is in a constant state of evolution. As the researchers were gathering information on the botnet, new scanner functionality was bolted-on by the operator.
The scanner hunts for vulnerable JBoss servers by exploiting CVE-2017-12149, a desterilized data vulnerability in the Red Hat Enterprise Application Platform 5.2 disclosed only a few months ago.
At the time of writing, the C&C servers supporting the botnet have been disabled. However, it would only take the threat actor to update the addresses to reinvigorate PyCryptoMiner. As cryptocurrency captures the interest of consumer and cyber attacker alike, these kinds of botnets are likely to become a common threat in the future.