Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst.
She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.
Link: https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month.

Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.

Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced the botnet's malware developer, operating under the online handle Bond007.01, back to China.

According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, and ZCash — but they warn that the hacker could easily take full control of the compromised servers for other malicious purposes, such as mounting Mirai-style DDoS attacks.

BondNet’s Botnet Infrastructure

2. Some servers are used as file servers to host the mining software.

3. Other infected servers are turned into command-and-control (C&C) servers after being equipped with a fork of goup, a small open-source HTTP server written in Go.

“Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack,” the GuardiCore researchers explained in their report published Thursday.

“It also provides high availability infrastructure, which is very helpful when relying on compromised servers, providing infinite backup options in case one of the servers fails or loses connectivity to the internet.”

Additionally, the BondNet botnet adds around 500 new machines to its network each day, and approximately the same number of servers drop out of it.

Here’s How to Detect the Threat and How to Mitigate:

Meanwhile, GuardiCore has also provided network and file indicators of compromise (IoCs) to help server administrators check whether their machines are among the compromised ones.

The researchers have also released a detection & cleanup tool (registration is required to download it) to help admins find and remove BondNet bots from their servers, as well as instructions on how to clean the system manually, without using the script.
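For admins who would rather not run a vendor script on a production server, the check the researchers describe boils down to two sweeps: hash files on disk and compare against the published file indicators, and compare live outbound connections against the published network indicators. The script below is an added example, not GuardiCore's tool or any code from the report; every indicator value in it is a constructed placeholder (the hash is derived from sample bytes, the IPs are RFC 5737 documentation addresses), and the connection lines are constructed `ss -tn` style output. Replace the placeholder sets with the real IoCs from the GuardiCore report before using it on a host.

```python
"""Sweep a host for file and network indicators of compromise (IoCs).

Added example: this is not GuardiCore's detection tool. The indicator
values below are constructed placeholders; replace them with the file
hashes and network indicators from the GuardiCore BondNet report.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Constructed placeholders, NOT the real BondNet indicators. The hash is
# derived from sample bytes so the example is self-contained; the IPs are
# RFC 5737 documentation addresses.
SAMPLE_MINER_BYTES = b"constructed sample miner binary\n"
FILE_HASH_IOCS = {hashlib.sha256(SAMPLE_MINER_BYTES).hexdigest()}
NETWORK_IOCS = {"198.51.100.23", "203.0.113.77"}


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root: Path, iocs: set[str] = FILE_HASH_IOCS) -> list[str]:
    """Return paths under root whose SHA-256 matches a file indicator.

    Hashes, not names, are compared: a renamed miner binary still matches,
    which is why file IoCs are published as hashes rather than filenames.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if sha256_file(p) in iocs:
                    hits.append(str(p))
            except OSError:
                continue  # unreadable or vanished file: skip it, don't abort the sweep
    return sorted(hits)


# Matches the "local:port remote:port" pair in `ss -tn` / `netstat -tn` output (IPv4 only).
CONN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def scan_connections(lines: Iterable[str], iocs: set[str] = NETWORK_IOCS) -> list[tuple[str, int]]:
    """Return (remote_ip, remote_port) for every connection to a network indicator."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(3) in iocs:
            hits.append((m.group(3), int(m.group(4))))
    return hits


# Constructed sample of `ss -tn` output: one benign SSH session, two suspect sessions.
SAMPLE_CONNECTIONS = """\
tcp   ESTAB 0 0 10.0.0.5:22    192.0.2.10:51234
tcp   ESTAB 0 0 10.0.0.5:49152 198.51.100.23:3333
tcp   ESTAB 0 0 10.0.0.5:49153 203.0.113.77:8080
"""


def demo_file_scan() -> list[str]:
    """Build a throwaway directory tree with one planted sample and return the matching basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "miner.bin").write_bytes(SAMPLE_MINER_BYTES)  # planted match
        (root / "notes.txt").write_text("nothing to see here\n")      # benign file
        return [Path(p).name for p in scan_files(root)]


if __name__ == "__main__":
    # On a real host: scan_files(Path("/")) and feed scan_connections the live output of `ss -tn`.
    print("file hits:", demo_file_scan())
    print("network hits:", scan_connections(SAMPLE_CONNECTIONS.splitlines()))
```

A hash match is strong evidence; a network match is only as good as the indicator list, since the bots recruit new file and C&C servers from the victim pool every day, so an address that was clean when the report was written may be hosting the mining software now, and vice versa. Treat the network sweep as a trigger for a closer look at the process holding the connection, not as a verdict on its own.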