Botnets Target Mining Devices and Shift Focus to Cryptocurrency
In December 2017, the price of Bitcoin hit a record $20,000, sparking renewed interest in cryptocurrencies, even though the price dropped significantly in the following month. Many major exchanges and trading platforms had to suspend new user registrations due to overwhelming demand, and graphics cards once again disappeared from store shelves, as mining remained a highly profitable activity.
Criminals have also taken notice of the cryptocurrency boom. In recent months, the amount of mining malware has increased significantly, and the phenomenon of “browser mining” (also known as cryptojacking) has emerged—where website visitors are forced to mine cryptocurrency without their knowledge. This week, it was revealed that operators of large botnets are now also turning their attention to cryptocurrency.
Satori
Researchers at Qihoo 360 Netlab discovered that on January 8, 2018, a new botnet appeared on the network landscape—a modification of the already well-known Satori botnet. The researchers are confident that the new malware variant, previously designed exclusively to hack IoT devices, was created by the same author, as the code is very similar.
The original Satori botnet was first detected in early December 2017. The Satori malware, which the botnet is based on, was another variation of the infamous Mirai IoT malware. At that time, Qihoo 360 Netlab analysts warned of 280,000 active bots and noted that the threat used a different tactic than Mirai. While the classic Mirai version works as a Telnet scanner using long lists of logins and passwords to brute-force various “smart” devices, Satori used two exploits instead of brute-forcing.
Now, Qihoo 360 Netlab researchers have discovered a modification called Satori.Coin.Robber, which, as the name suggests, is designed to steal cryptocurrency. Even if the original botnet was the work of a beginner hacker or script kiddie, its author is clearly learning. The new malware version is designed not only to attack IoT devices (still using the same exploits) but also to target Ethereum mining devices.
Satori.Coin.Robber scans port 3333 looking for Claymore Miner software, then replaces the miner’s wallet address with its own. Researchers have not yet published technical details about the exploit used by the malware, fearing it could worsen the situation. It is known, however, that the attacker can interact with the device and modify data without proper authentication. Satori.Coin.Robber changes the miner’s configuration, adding a new pool (eth-us2.dwarfpool.com:8008) and a new wallet (0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d). According to pool statistics, the malware operator has already earned over 2 ETH (more than $2,000 at the current rate).
Moreover, the malware author leaves the following message in case the miner’s owner discovers the hack:
“This is the Satori developer. Don’t worry about this bot, it currently has no malicious functions, so just move along. You can contact me at [email protected].”
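Because the reported tampering consists of a rogue pool and a rogue wallet being written into the miner's configuration over an unauthenticated management port, a rig owner can catch it by auditing the configuration against what they actually set. The following Python script is an added example for this article, not code from Qihoo 360 Netlab or from the Claymore project. It parses a Claymore-style config.txt (command-line options such as -epool, -ewal and -mport, one per line; the sample file contents are constructed), flags the pool and wallet indicators published for Satori.Coin.Robber, flags any other pool or wallet that differs from the expected ones, and warns when the remote management port is left in writable mode. The interpretation of -mport (positive means writable, negative means read-only, 0 disables it, 3333 as the default) follows the miner's README and should be verified against the version in use.

```python
"""Audit a Claymore-style miner config for the kind of tampering attributed to Satori.Coin.Robber."""
import re

# Indicators reported for Satori.Coin.Robber (taken from the article).
KNOWN_BAD_POOLS = {"eth-us2.dwarfpool.com:8008"}
KNOWN_BAD_WALLETS = {"0xb15a5332eb7cd2dd7a4ec7f96749e769a371572d"}

# Constructed sample config.txt files. The option names are Claymore's; the values
# (pool.example.org, the 0x1111... wallet) are placeholders, not a real rig's settings.
COMPROMISED_CONFIG = """\
# rig-01 config.txt (constructed sample)
-epool pool.example.org:4444
-ewal 0x1111111111111111111111111111111111111111
-epool eth-us2.dwarfpool.com:8008
-ewal 0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d
-mport 3333
"""

CLEAN_CONFIG = """\
-epool pool.example.org:4444
-ewal 0x1111111111111111111111111111111111111111
-mport 0
"""


def parse_options(config_text):
    """Collect '-option value' pairs from config text; '#' starts a comment.

    Returns a dict mapping option name -> list of values in file order, so a
    second, appended '-ewal' line is preserved rather than silently overwriting the first.
    """
    opts = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for match in re.finditer(r"-(\w+)\s+(\S+)", line):
            opts.setdefault(match.group(1), []).append(match.group(2))
    return opts


def audit_miner_config(config_text, expected_wallet, expected_pools):
    """Return a list of human-readable findings; an empty list means the config matches expectations."""
    opts = parse_options(config_text)
    findings = []

    for wallet in opts.get("ewal", []):
        if wallet.lower() in KNOWN_BAD_WALLETS:
            findings.append(f"known Satori.Coin.Robber wallet configured: {wallet}")
        elif wallet.lower() != expected_wallet.lower():
            findings.append(f"unexpected payout wallet: {wallet}")

    allowed_pools = {p.lower() for p in expected_pools}
    for pool in opts.get("epool", []):
        if pool.lower() in KNOWN_BAD_POOLS:
            findings.append(f"known Satori.Coin.Robber pool configured: {pool}")
        elif pool.lower() not in allowed_pools:
            findings.append(f"unexpected pool: {pool}")

    # -mport is Claymore's remote monitoring/management port. Per its README a positive
    # value accepts management commands, a negative value is read-only and 0 disables it.
    # A missing option is treated as the assumed default of 3333 (writable).
    mport = opts.get("mport", ["3333"])[-1]
    try:
        if int(mport) > 0:
            findings.append(
                f"remote management port {mport} accepts write commands; "
                "disable it (-mport 0) or make it read-only and firewall it"
            )
    except ValueError:
        findings.append(f"unparseable -mport value: {mport}")

    return findings


if __name__ == "__main__":
    expected_wallet = "0x1111111111111111111111111111111111111111"
    expected_pools = ["pool.example.org:4444"]
    for name, cfg in (("compromised", COMPROMISED_CONFIG), ("clean", CLEAN_CONFIG)):
        result = audit_miner_config(cfg, expected_wallet, expected_pools)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it periodically (a cron job or scheduled task on the rig host) against the live config.txt and alert on any non-empty result; the same comparison can be made against what the miner reports at runtime, since a wallet or pool injected through the management interface shows up there before it is written to disk. Keep the expected wallet and pool list outside the rig itself so that a compromised host cannot rewrite the baseline it is checked against.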
Necurs
The operators of Necurs, one of the world’s largest botnets with over 6 million infected hosts, have also become interested in cryptocurrency. Previously, Necurs was mainly used to send malicious spam. For example, in late November 2017, the botnet began spreading the Scarab ransomware at a rate of 12.5 million spam emails in just a few hours. The main malware distributed by Necurs, however, is the well-known banking trojan Dridex.
Now, journalists from Bleeping Computer, together with cybersecurity expert and blogger “Derek” from MyOnlineSecurity, have discovered that Necurs is being used to manipulate cryptocurrency prices.
This is not the first time the botnet’s owners have tried such tactics. Previously, Necurs operators attempted to manipulate the stock market using the classic “pump-and-dump” scheme. This illegal practice artificially inflates stock prices by misleading users, allowing the perpetrators to sell shares they bought cheaply at the inflated price. In the past, scammers spread false information claiming that InCapta Inc ($INCT), a mobile app development company, would soon be acquired by DJI, a drone manufacturer, at $1.37 per share. They urged users to buy InCapta Inc shares before it was “too late,” promising big profits.
Now, the botnet operators are using the same pump-and-dump tactic, but this time to “promote” the cryptocurrency Swisscoin (SIC). This altcoin was previously labeled as a Ponzi scheme and its trading was suspended, but trading resumed on January 15, 2018, which the scammers quickly exploited.
Spam currently being sent by Necurs claims that Swisscoin’s value could increase by 50,000 percent this year, and that a $1,000 investment could turn into a million dollars.
Unfortunately, it’s difficult to determine exactly how Necurs operators’ actions are affecting Swisscoin’s price, as the entire cryptocurrency market experienced a significant downturn on January 16-17, 2018. Bitcoin’s price dropped to $9,000, and altcoin prices also fluctuated unpredictably, mostly downward.
Attacks on Web Servers
However, botnets are far from the only problem today. It has long been clear that criminals realize how profitable it can be to infect various servers with mining malware. Such infections are often not detected right away, and servers typically have much more processing power than regular user devices.
One recent example is the discovery of the RubyMiner malware, as reported by Check Point and Certego researchers. According to their findings, the malware is massively attacking vulnerable web servers in the UK, Germany, the US, Norway, and Sweden, infecting over 700 machines in the first 24 hours.
Both Windows and Linux servers are at risk, especially those with unpatched bugs in PHP, Microsoft IIS, and Ruby on Rails dating back to 2012-2013. By exploiting these vulnerabilities, criminals install the XMRig miner on servers to mine Monero cryptocurrency. According to experts, the attackers are not making much effort to hide their actions; instead, the attack is aimed at compromising as many devices as possible in the shortest time.
Since the attackers are targeting servers vulnerable to issues from five years ago, it’s likely these machines have been abandoned for some time, and there may be no one left to detect the hidden miner.