New Python-Based Crypto-Miner Botnet Flying Under the Radar
January 4, 2018
F5 threat researchers have discovered a new Linux crypto-miner botnet that is spreading over the SSH protocol. The botnet, which we’ve named PyCryptoMiner:
Targeting online Linux systems to construct botnets is a very common attack vector in the wild, especially in the last couple of years with the rise of IoT devices. We recently noticed an interesting crypto-miner botnet that seems to be going under the radar. Based on the Python scripting language, it seems to be spreading silently. Unlike a compiled binary, scripting-language-based malware is more evasive by nature, as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the Perl/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution.
Once a scanning bot has successfully guessed the SSH login credentials of a target Linux machine, it will deploy a simple base64-encoded spearhead Python script which, in turn, connects to the command and control (C&C) server to fetch and execute the additional Python code.
However, this botnet creator is using another interesting trick. Most malware hard-codes the address of its C&C server, so when that server is taken down, the attacker has no way to tell the botnet to switch to another one. Here, the attacker uses Pastebin.com to publish an alternate C&C server address if the original one is unreachable.
One of the challenges that adversaries need to deal with is how to maintain a sustainable C&C infrastructure without being quickly blacklisted by enterprise security solutions, or being frequently shut down by ISPs and hosting services following law enforcement and security vendors’ abuse reports.
Many of these adversaries use “bullet-proof” hosting services, however, a more sophisticated approach that attackers are now using is public file hosting services like Dropbox.com and Pastebin.com, which cannot be easily blacklisted or taken down. This technique also allows the attacker to update the address of the C&C server whenever they need to.
Note: At the time we were writing this article, the C&C servers of the botnet stopped being accessible, making all newly infected bots idle, polling for the Pastebin.com page. However, the attacker could update the page at any time to a new C&C server that could take control over the botnet again.
Being exposed as a public Pastebin.com resource also allowed us to discover more information about this operation. It seems to have been running since at least August of this year, because the username “WHATHAPPEN” created the resource on Aug. 21, 2017. At the time we were writing this article, this resource had been viewed 177,987 times; however, because we learned that the same bot may continue to periodically poll this resource while the C&C server is down, we cannot assume that this number represents the size of the botnet. The number is climbing by about 1,000 a day.
When digging further, we found more related resources created by the same “WHATHAPPEN” user that all seem to be similar spearhead scripts. The main difference is that they are communicating to two different C&C servers.
While looking up the domain name “zsw8.cc” used by those C&C servers, we found that the registrant name is “xinqian Rhys”.
This registrant is associated with 235 email addresses and more than 36,000 domains. A quick search on the registrant revealed that scams, gambling, and adult services have been associated with those domains since 2012. (We even found a lawsuit filed by “Sketchers” at the beginning of 2017.)
The botnet has a multi-staged deployment process.
As mentioned before, once the spearhead Python script is executed, another base64-encoded Python script is fetched and executed from the C&C server, which is the main controller (later referred to as the “bot” or “client”) of the infected machine.
The controller script establishes persistence on the infected machine by registering as a cron job. The original spearhead bash script, named “httpsd”, includes a base64-encoded Python one-liner that runs every 6 hours.
Then it collects the following information on the infected device:
The collected information signals that the business model behind this botnet is crypto-currency mining.
The bot also checks whether the machine was already infected by the malware and if so, what the current “state” (purpose) of the infected bot is. The check is done by searching several predefined malware filenames in current running processes. It seems like the bot can function as a crypto-mining node (running the “httpsd” or “minerd” process), or as a scanner node (running the “webnode” or the “safenode” process).
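The persistence mechanism and the role check described above give a defender two cheap host-triage signals. The following is an added example, not code from the article or from the malware: it scans crontab text for Python one-liners that base64-decode their payload inline (decoding them so an analyst can read the code) and maps running process names onto the miner/scanner roles the bot itself looks for. The crontab, the encoded placeholder and the process list are constructed sample input.

```python
import base64
import re

# Constructed sample crontab modelled on the persistence described in the article:
# a "python -c" one-liner that base64-decodes and exec()s its payload every 6 hours.
# The encoded text is a harmless constructed placeholder, not the bot's payload.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
17 */6 * * * python -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))"
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""

# Constructed "ps -eo comm" output containing one of the names the bot checks for.
SAMPLE_PS = "systemd\nsshd\nhttpsd\ncron\nbash\n"

# Process names the article says the bot searches for: miner role vs. scanner role.
MINER_PROCS = {"httpsd", "minerd"}
SCANNER_PROCS = {"webnode", "safenode"}

# A Python interpreter run with -c whose argument base64-decodes an inline blob.
ENCODED_ONELINER = re.compile(r"""python[\d.]*\s+-c\s+.*?b64decode\(['"]([A-Za-z0-9+/=]+)['"]\)""")


def find_encoded_cron_payloads(crontab_text):
    """Return (schedule, decoded_payload) for each cron entry running an inline base64 Python one-liner."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ENCODED_ONELINER.search(line)
        if not match:
            continue
        schedule = " ".join(line.split(None, 5)[:5])  # the five cron time fields
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable base64>"
        findings.append((schedule, decoded))
    return findings


def classify_processes(ps_output):
    """Map running process names to the bot roles described in the article."""
    names = set(ps_output.split())
    roles = []
    if names & MINER_PROCS:
        roles.append("miner")
    if names & SCANNER_PROCS:
        roles.append("scanner")
    return roles
```

Run it against `crontab -l` output for every user (and `/etc/cron.d`) and `ps -eo comm`; a decoded payload that fetches and exec()s more code from a remote host is the pattern to escalate on.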
Then, a report with the collected information is sent to the C&C which, in turn, responds with “task” details in the form of a Python dictionary.
The “task” includes:
Once the task command is executed, the bot sends the command’s output to the C&C server, including the task_hash and bot identifiers.
In our research case, the bot was tasked as a crypto-miner, while also dropping a binary executable named “wipefs”, which is a known variant already detected by several anti-virus vendors (at least since August 13, 2017).
The executable is based on “xmrminer”, which mines the Monero crypto-currency; Monero has become the cyber-criminals’ currency of choice due to its high anonymity.
Exploiting Recent JBoss Deserialization (CVE-2017-12149)
As we were in the process of writing this article, we discovered that the botnet already seems to be evolving. We noticed that an additional resource named “jboss” showed up under WHATHAPPEN’s account in mid-December.
The content of “jboss” is base64-encoded Python code, in the same response format the Python bot receives when communicating with the C&C server.
The revealed code is scanner functionality hunting for vulnerable JBoss servers. The bot probes the target for CVE-2017-12149, which was disclosed just a couple of months ago. It sends a request to the “/invoker/readonly” URL over seven different TCP ports commonly used by JBoss. If the server responds with an error (500 status code) that includes the “Jboss”/“jboss” string, the bot reports the target URL to the C&C server.
The list of targets to scan is controlled by the C&C server; the bot has a separate thread that polls the C&C server for new targets. The server responds with a class C IP range to scan, but it can also provide a single IP address.
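On the receiving end, this scanner leaves a recognisable trace in web-server access logs. The following is an added example, not the article’s or the botnet’s code: it groups requests for /invoker/readonly by source IP and counts the 500 responses the scanner keys on. The log lines are constructed (combined log format, documentation-range addresses), and the check matches on path rather than on the seven JBoss ports, which the article does not list.

```python
import re
from collections import defaultdict

# Constructed web-server access-log lines in combined format. Addresses are from
# the 192.0.2.0/24 documentation range; no real hosts are implied.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Dec/2017:10:01:02 +0000] "GET /invoker/readonly HTTP/1.1" 500 1450 "-" "-"
192.0.2.10 - - [14/Dec/2017:10:01:03 +0000] "GET /invoker/readonly HTTP/1.1" 404 210 "-" "-"
192.0.2.55 - - [14/Dec/2017:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.0.2.77 - - [14/Dec/2017:10:07:11 +0000] "POST /invoker/readonly HTTP/1.1" 500 1450 "-" "-"
"""

# Path the article says the scanner requests on each JBoss port.
PROBE_PATH = "/invoker/readonly"

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def detect_jboss_probes(log_text):
    """Group requests for the invoker path by source IP.

    'server_errors' counts 500 responses: that status (together with 'jboss' in
    the body, which an access log does not record) is what the scanner treats as
    a hit before reporting the URL to its C&C."""
    hits = defaultdict(lambda: {"requests": 0, "server_errors": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m.group("path").lower().startswith(PROBE_PATH):
            continue
        entry = hits[m.group("ip")]
        entry["requests"] += 1
        if m.group("status") == "500":
            entry["server_errors"] += 1
    return dict(hits)


def sources_with_successful_probe(hits):
    """Source IPs whose probe drew a 500. If any appear, this server answered the
    way the scanner wants, so verify its JBoss patch level for CVE-2017-12149 and
    restrict or remove the invoker servlet."""
    return sorted(ip for ip, h in hits.items() if h["server_errors"])
```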
Monero Mining Earnings
Two pool addresses used by this botnet had been paid approximately 94 and 64 Monero, respectively. Monero’s exchange rate fluctuates frequently; at the time of this writing, 158 Monero was worth about $60,000 USD. It is not known how much profit the threat actor has made overall.
More to Come
Our research is still ongoing while we hunt for more missing pieces of this puzzle, such as the “scanner node” component and additional C&C servers, if there are any. We are also waiting to see whether the current C&C server will come back to life. This technical report is part of a deeper ongoing investigation that might be related to this botnet, so stay tuned.