A botnet comprised of more than 15,000 servers is currently being used for mining crypto-currency, but attackers could easily take full control of the compromised machines if they choose, GuardiCore warns.
Dubbed BondNet, the botnet appears to have been active since December 2016 and is mainly focused on mining Monero, a crypto-currency highly popular among cybercriminals. The botnet’s operator is estimated to be earning around $1,000 a day, or more than $25,000 a month, the security researchers say.
To breach servers, the attackers use a variety of public exploits, after which they install a Windows Management Instrumentation (WMI) backdoor to establish communication with the command and control (C&C) server. This also allows attackers to take full control of the servers and steal the data on them, hold it for ransom, or stage further attacks.
The security firm determined that BondNet has penetrated more than 15,000 machines to date and says that around 2,000 of the compromised servers report to the C&C each day. Additionally, the botnet adds around 500 new machines to the network daily, while delisting around the same number of servers. The oldest server breached has an uptime of over 7.5 years.
The botnet operators use a mix of vulnerabilities and weak credentials to breach Windows Server machines, including known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services.
Common to all attacks is the use of Visual Basic files to download and install a remote access Trojan (RAT) and a crypto-currency miner. The compromised machines are then used to expand the botnet infrastructure, to conduct attacks, or serve up malware files such as miner executables. Other machines would host the C&C servers, the researchers say.
Although the crooks appear focused on mining Monero, miners for ByteCoin, RieCoin or ZCash (all convertible to USD) are also dropped in some cases. Up-to-date versions of the mining programs are downloaded and installed, and a scheduled task, triggered hourly, ensures that the miner process survives reboots.
The backdoor used by the botnet is a WMI RAT downloaded from an Amazon S3 bucket (mytest01234), and is installed using a known MOF file method. Set to run every night at 11PM, the backdoor defines a new WMI provider class, which allows the attacker to execute code as a result of a WMI event and to hide the activity behind the WMI service process.
The backdoor enables the Guest account and resets its password, so that the attacker can remotely connect using Remote Desktop Protocol (RDP), Server Message Block (SMB), or Microsoft Remote Procedure Call (RPC).
Next, it collects information about the machine, including computer name, RDP port, guest username, OS version, number of active processors, uptime measured in hours, original infection vector, whether the victim is running a Chinese version of Windows, OS language, and CPU architecture (x86/x64), and sends it, encoded, to the C&C over HTTP. The malware also downloads a command file and executes it (the commands are obfuscated Visual Basic code and are executed “in memory”).
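A defender-side check for the three persistence artefacts described above (a WMI event subscription, an enabled Guest account, and hourly or 23:00 scheduled tasks), written as an added example rather than code from GuardiCore's report; it assumes only the standard CIM classes and cmdlets it calls and is meant to be run in an elevated PowerShell session on Windows Server 2012 or later.

```powershell
# Added example (not from the GuardiCore report): enumerate BondNet-style persistence on one host.
# Review every finding against a known-good baseline; some built-in tasks also repeat hourly.

function Get-RefName($ref) {
    # CIM cmdlets return a reference as a partial instance; older WMI cmdlets return a path string.
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref } }
    else { $ref.Name }
}

function Get-WmiSubscriptions {
    # A WQL filter bound to a consumer is how code runs "as a result of a WMI event"
    # while appearing as WMI service activity rather than as a separate process of its own.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fName = Get-RefName $_.Filter
            $cName = Get-RefName $_.Consumer
            $f = $filters   | Where-Object Name -eq $fName
            $c = $consumers | Where-Object Name -eq $cName
            # Script consumers carry the payload inline; command-line consumers name a binary to run.
            $payload = if ($c.ScriptText) { $c.ScriptText } else { $c.CommandLineTemplate }
            [pscustomobject]@{
                Check    = 'WMI subscription'
                Filter   = $fName
                Query    = $f.Query
                Consumer = "$($c.CimClass.CimClassName):$cName"
                Payload  = $payload
            }
        }
}

function Get-GuestAccountStatus {
    # The backdoor enables Guest and sets a password for return access over RDP/SMB/RPC.
    $g = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
    [pscustomobject]@{ Check = 'Guest account'; Enabled = -not $g.Disabled; PasswordRequired = $g.PasswordRequired }
}

function Get-SuspectTasks {
    # Miner persistence repeats hourly (ISO 8601 interval PT1H); the backdoor runs nightly at 23:00.
    Get-ScheduledTask | Where-Object {
        $_.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' -or $_.StartBoundary -like '*T23:00:00*' }
    } | ForEach-Object {
        [pscustomobject]@{
            Check  = 'Scheduled task'
            Task   = "$($_.TaskPath)$($_.TaskName)"
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

& { Get-WmiSubscriptions; Get-GuestAccountStatus; Get-SuspectTasks } | Format-List
```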
On victim-turned-C&C servers, the attackers install a fork of goup, which is a small open source HTTP server written in Golang. The attackers’ webserver can track victims and encrypt files on disk using AES. The use of .asp and .zip extensions for the files served by the C&C server allows the attackers to avoid auditing and firewall alerts.
The attackers deploy new command and control instances manually by connecting over RDP to the victim machine and copying a ZIP file that contains the server, an open source service manager (nssm), and command files. The server is installed using an included batch script, is named w3wp, the same as the Microsoft IIS host process, and runs at startup. Because the attackers sometimes forget to save all.asp, some C&C servers don’t save the information the Trojans send.
The botnet’s infrastructure is built from compromised servers with various roles: C&C servers, file servers, scanning servers, etc. The attackers use the TCP port scanner WinEggDrop to scan the Internet for new targets. The scanning servers also check for public, unpatched vulnerabilities in different frameworks, and store the matching IPs for attack servers to attempt to compromise.
Many of the victims are used as file servers to serve up mining software, and they have the same web server as the C&Cs. The WMI Trojan files, however, are hosted on an Amazon S3 bucket.
“While organizations can treat this as a minor issue of increased electric bills, with relatively simple modifications this backdoor is capable of taking complete control of thousands of victim machines, many of which contain sensitive information like mail servers. Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network,” GuardiCore concludes.