Pierluigi Paganini January 05, 2018

Security experts at F5 discovered a new Linux Monero crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol.

F5 researchers discovered a new Linux crypto-miner botnet dubbed PyCryptoMiner spreading over the SSH protocol. The Monero miner botnet is based on the Python scripting language, it leverages Pastebin as command and control server infrastructure when the original C&C isn’t available.

If all C&C servers of the botnet are not accessible, all newly infected bots are idle, polling for the botmaster’s Pastebin page.

The experts believe the botnet it under development, operators have recently added scanner functionality hunting for vulnerable JBoss servers (exploiting CVE-2017-12149).

It has been estimated that the PyCryptoMiner botnet has generated the equivalent of approximately $46,000 as of late December.

The experts believe the PyCryptoMiner botnet is more evasive due to its scripting language-based nature, it is hard to detect because it is executed by a legitimate binary.

The malware spreads by attempting to guess the SSH login credentials of target Linux systems. Once SSH credentials are guessed, the bot deploys a simple base64-encoded Python script designed to connect to the C&C server to download and execute additional Python code.

The second-stage code is the controller that registers a cron job on the infected machine to gain persistence.

The original script checks whether the machine has been already infected, it also collects information on the infected device including:

• Host/DNS name
• OS name and its architecture
• Number of CPUs
• CPU usage

The bot sends a report with the collected information to the C&C that in turn send it task details. The “task” includes:

• “cmd” — arbitrary command to be executed as a separate process
• “client_version” — if the version number received from the server is different from the current bot version, it will terminate the bot and wait for the cron to run the spearhead script again to deploy an updated version (current value is “4”)
• “task_hash” — task identifier so the C&C can synchronize botnet results, because each command has a different execution time
• “conn_cycler” — time interval to poll the C&C, which is controlled by the bot master, probably to balance the loads on its C&C infrastructure as the botnet grows (default value 15 seconds)

The PyCryptoMiner botnet uses two pool addresses that show approximately 94 and 64 Monero, with a value of around $60,000. However, it is not possible to know overall profits of the botnet.

The analysis of the Pastebin page used are alternative C&C revealed the botnet might have been active since August 2017, and that the content had been viewed 177,987 times at the time of the investigation. It is not possible to determine the overall size of the botnet because each bot could periodically visit the page when the C&C server is down.

The botmaster used the moniker “WHATHAPPEN” which is associated with more than 36,000 domains and 235 email addresses. The registrant has been involved in scams, gambling, and adult services since 2012.

Below F5’s key findings on the PyCryptoMiner botnet:

• Is based on the Python scripting language making it hard to detect
• Leverages Pastebin.com (under the username “WHATHAPPEN”) to receive new command and control server (C&C) assignments if the original server becomes unreachable
• The registrant is associated with more than 36,000 domains, some of which have been known for scams, gambling, and adult services since 2012
• Is mining Monero, a highly anonymous crypto-currency favored by cyber-criminals. As of late December 2017, this botnet has made approximately US $46,000 mining Monero
• New scanner functionality hunting for vulnerable JBoss servers was introduced mid-December exploiting CVE-2017-12149

F5 also published IoCs for the botnet.

Pierluigi Paganini

(Security Affairs – PyCryptoMiner botnet, Monero Miner)

[adrotate banner=”5″]

[adrotate banner=”13″]