A botnet consisting of some 2,000 compromised servers has been mining cryptocurrency for its master for several months now, “earning” him around $1,000 per day.
GuardiCore researchers first spotted it in December 2016, and have been mapping it out and following its evolution since then. They’ve dubbed it Bondnet, after the handle its herder uses online (“Bond007.01”).
Compromised Windows servers serve different functions
Bondnet’s main reason for being is the mining of cryptocurrencies: primarily Monero, but also ByteCoin, RieCoin or ZCash. For that reason, the botnet master goes after servers and not consumer IoT devices: the task requires large amounts of CPU/GPU power.
His main targets are Windows Server machines, and he compromises them by exploiting old vulnerabilities, configuration bugs, or weak user/password combinations.
Once he gains access, he deploys Visual Basic files that gather information about the system and download and install a remote access trojan (RAT) and a cryptocurrency miner (if the machine is located outside of China) or a browser ad hijacker (if it’s inside China).
Not all machines in the botnet mine cryptocurrencies. Some serve as scanners, and search for vulnerable machines on the Internet, by going through a list of IPs with open ports that has been compiled with the WinEggDrop TCP port scanner.
Some of the machines serve as file servers, hosting the mining software. Others still are turned into C&C servers, after they’ve been equipped with a fork of goup, an open source HTTP server written in Golang.
Until now, none of the malicious payloads were detected by security solutions deployed on target machines, and you couldn’t find them in known malware repositories.
The botherder kept them from being detected through a combination of code obfuscation, the use of Visual Basic code (which is hard to log), execution of the code after gaining high privileges, or “in memory”, the use of specific file extensions for files served by the C&C server (in order to avoid auditing and firewall alerts), and so on.
The researchers believe that this person is also the author of the miner software. “The attacker’s habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone,” they noted.
They also believe he’s based in China, because the attacker’s code handles Chinese victims differently, because the Bondnet C&C server is compiled on a Chinese computer, and because he copies and pastes code into his tools from Chinese websites.
Detecting the compromise and cleaning up the machines
Although the botnet consists of some 2,000 active bots, each day around 500 new machines are added to it and an approximately equal number is delisted.
“We see server administrators noticing this botnet and attempting to remove it. They either noticed the botnet’s activity from monitoring tools, or more likely, reduced performance due to the mining activity caught their attention. In many cases, we see the victims disappear for a day or two and return to action, leading us to conclude that the removal actions taken by administrators were simply not enough,” Ofri Ziv, VP Research at GuardiCore, told Help Net Security.
According to the company’s statistics, so far 15,000 machines around the world – in high profile global companies, universities, city councils and other public institutions – have been compromised. The majority of them run Windows Server 2008 R2.
The researchers have provided network and file indicators of compromise to help sysadmins check whether their machines are among these. They’ve also offered a detection and cleanup script (registration is required to download it) and instructions on how to clean the system manually, without the script.
“While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions,” they warned.
“Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network.”
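The relapse pattern Ofri Ziv describes above (victims disappearing for a day or two, then returning to action) can be checked for in a defender's own alert history. The following is an added example, not GuardiCore's script or code from the original article: it takes per-host daily sightings of miner-related activity and reports quiet gaps that ended in a return, and it withholds a "clean" verdict until a host has stayed quiet for a confirmation window. The host names, dates and the 7-day confirm_days value are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (host, day on which miner-related activity was observed).
# Host names and dates are made up for illustration.
SIGHTINGS = [
    ("srv-a", date(2017, 4, 1)), ("srv-a", date(2017, 4, 2)),
    ("srv-a", date(2017, 4, 5)), ("srv-a", date(2017, 4, 6)),  # quiet 2 days, then back
    ("srv-b", date(2017, 4, 4)), ("srv-b", date(2017, 4, 5)),
    ("srv-b", date(2017, 4, 6)),                               # no cleanup attempt seen
    ("srv-c", date(2017, 4, 1)), ("srv-c", date(2017, 4, 2)),  # quiet since 2 April
    ("srv-d", date(2017, 4, 2)), ("srv-d", date(2017, 4, 4)),  # quiet 1 day, then back
]

def review_cleanup(sightings, today, confirm_days=7):
    """Per host: quiet gaps that ended in a return, plus the current state.

    confirm_days is an assumed policy value: how long a host must stay quiet
    before it counts as clean rather than possibly between two relapses.
    """
    days_by_host = defaultdict(set)
    for host, day in sightings:
        days_by_host[host].add(day)

    report = {}
    for host, days in days_by_host.items():
        ordered = sorted(days)
        relapses = []
        for prev, cur in zip(ordered, ordered[1:]):
            quiet = (cur - prev).days - 1      # full days with no activity
            if quiet >= 1:
                relapses.append((prev, cur, quiet))
        quiet_now = (today - ordered[-1]).days
        if quiet_now == 0:
            state = "active"
        elif quiet_now < confirm_days:
            state = "unconfirmed"              # too early to call the cleanup a success
        else:
            state = "clean"
        report[host] = {"relapses": relapses, "state": state}
    return report

if __name__ == "__main__":
    for host, info in sorted(review_cleanup(SIGHTINGS, date(2017, 4, 6)).items()):
        gaps = [(str(a), str(b), q) for a, b, q in info["relapses"]]
        print(host, info["state"], gaps)
```

A host with a non-empty relapse list has already shown that a previous removal did not hold, so it warrants a full cleanup rather than another process kill.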