The botnet is based on a crypto-miner written in the Python scripting language, a fact that serves to keep its existence on the down-low.
“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated. It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution,” F5 researchers explained.
The miner bot, which the researchers have dubbed PyCryptoMiner, does not have hard-coded addresses of C&C servers. Instead, it retrieves them from Pastebin.com posts.
It can also function as a scanner node. It scans the Internet for Linux machines with open SSH ports, then tries to guess the correct SSH login credentials. If it manages to do it, it deploys a simple base64-encoded spearhead Python script that connects to the C&C server and fetches and executes additional Python code.
This script is the main controller (bot), and it:
- Establishes persistence on the infected machine by registering itself as a cron job
- Collects information about the infected machine (including information about the number of CPUs), and
- Checks whether the machine has already been infected by the malware and, if so, what role the bot plays (crypto-mining node or scanner node).
The information is sent to the C&C, and the bot receives instructions from it.
The botnet is currently dormant, as its C&C servers are offline, but it can be brought back to life as soon as the bot master updates the Pastebin posts to point to a new C&C server.
By making inquiries into the C&C servers’ domains, the researchers have discovered that the registrant (“xinqian Rhys”) is associated with 235 email addresses and more than 36,000 domains.
“A quick search on the registrant revealed scams, gambling, and adult services have been associated with those domains since 2012,” they noted.
They also found more posts on Pastebin by the same individual, and discovered that he or she has recently uploaded a new base64-encoded Python script, which offers scanner functionality that hunts for vulnerable JBoss servers.
“The bot will try to probe the target for potential exploitability to CVE-2017-12149, which was disclosed just a couple of months ago. It will send a request to the ‘/invoker/readonly’ URL via seven different TCP ports commonly used by JBoss. If the server responds with an error (500 status code) including the ‘Jboss’/‘jboss’ string, it will report the target URL to the C&C server,” the researchers found.
Obviously, vulnerable JBoss servers are the next target of the bot master.
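A defender-side check for the probe pattern described above, added here as an example that is not part of the article or of F5's write-up: it parses web-server access-log lines (constructed samples; the server port is assumed to be appended as a final field) and flags clients that requested /invoker/readonly on more than one port or drew a 500 response.

```python
"""Flag JBoss '/invoker/readonly' probes in web-server access logs (added example)."""
import re
from collections import defaultdict

# Combined log format plus the local server port as a trailing field.
# The field order is an assumption of this example, not a JBoss default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)

def parse_line(line):
    """Return a dict of log fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probes(lines, path_prefix="/invoker/readonly"):
    """Per client IP: ports hit, request count and 500 responses for the invoker path."""
    hits = defaultdict(lambda: {"ports": set(), "hits": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(path_prefix):
            continue
        entry = hits[rec["ip"]]
        entry["hits"] += 1
        entry["ports"].add(int(rec["port"]))
        if rec["status"] == "500":      # the response the bot treats as a hit
            entry["errors"] += 1
    return dict(hits)

def suspicious(report, min_ports=2):
    """Clients that swept the invoker path across ports, or that got a 500 back."""
    return sorted(ip for ip, e in report.items()
                  if len(e["ports"]) >= min_ports or e["errors"] > 0)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2018:10:01:02 +0000] "GET /invoker/readonly HTTP/1.1" 500 1432 "-" "python-requests/2.18.4" 8080',
    '203.0.113.7 - - [02/Jan/2018:10:01:03 +0000] "GET /invoker/readonly HTTP/1.1" 404 512 "-" "python-requests/2.18.4" 8443',
    '198.51.100.4 - - [02/Jan/2018:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 80',
    '198.51.100.9 - - [02/Jan/2018:10:06:00 +0000] "GET /invoker/readonly HTTP/1.1" 404 512 "-" "curl/7.55.1" 8080',
]

if __name__ == "__main__":
    report = find_probes(SAMPLE_LOG)
    for ip in suspicious(report):
        e = report[ip]
        print(f"{ip}: {e['hits']} requests, ports {sorted(e['ports'])}, {e['errors']} x 500")
```

A single 404 on one port (198.51.100.9 above) is left unflagged so that ordinary vulnerability scanners and typos do not drown out the multi-port sweep the bot performs.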
The researchers have provided indicators of compromise that can help organizations check whether some of their machines have been roped into this botnet.